simov / grant

OAuth Proxy
MIT License

Grant does not work when cookies are blocked #216

Closed ArvindhMangoleap closed 3 years ago

ArvindhMangoleap commented 3 years ago

This is my config object.

const config = {
    defaults: { origin: ORGIN, state: true, prefix: "/api/account/:accountId" },
    google: { key: GOOGLE_CLIENT_ID, secret: GOOGLE_CLIENT_SECRET, scope: ["openid"], nonce: true },
};

I am getting dynamic accountId and I need to send that in state rather than having a random state.

simov commented 3 years ago

No, that's not possible. But why not send the account ID as state in this case:

/connect/:provider?state=accountId

Another way is to hide the Grant connect endpoint behind yours.

ArvindhMangoleap commented 3 years ago

Thank you for the quick reply.

ArvindhMangoleap commented 3 years ago

I am getting this error:

error=Grant%3A%20missing%20session%20or%20misconfigured%20provider#

{
    defaults: { origin: ORGIN },
    google: {
        key: GOOGLE_CLIENT_ID,
        secret: GOOGLE_CLIENT_SECRET,
        scope: ["openid", "https://mail.google.com/"],
        nonce: true,
        dynamic: ["state"],
        custom_params: { access_type: "offline", prompt: "consent" },
    },
}

Am I missing something in my config?

ArvindhMangoleap commented 3 years ago

Update: The problem seems to appear only when I block the cookies. It works fine when I allow cookies.

Is there a way to solve this without using cookies or session storage?

simov commented 3 years ago

No, cookies are required in order to execute the OAuth flow. After you receive the access token you are free to destroy the session if you want.

You can read about different cookie configuration options here: https://github.com/simov/grant/issues/199
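
Why blocking cookies leads to the "missing session" error in this thread, as an added example that is not part of the discussion and is not Grant's code: a minimal flow that keeps the state (here the account ID, as suggested above) and the nonce in a server-side session that is found again only through a cookie. The `sid` cookie name and its attributes, `provider.example`, the account ID and the function names are assumptions made for the illustration.

```javascript
// Added illustration, not Grant's implementation.
const { randomBytes } = require("crypto");

const sessions = new Map(); // session id -> { provider, state, nonce }

// Step 1, /connect/:provider?state=<accountId>: remember what is sent to the
// provider and hand the browser a session cookie.
function connect(provider, accountId) {
  const sid = randomBytes(16).toString("hex");
  const nonce = randomBytes(16).toString("hex");
  sessions.set(sid, { provider, state: accountId, nonce });
  return {
    // Assumed attributes; Lax still allows the top-level redirect back.
    setCookie: `sid=${sid}; HttpOnly; Secure; SameSite=Lax`,
    redirect: "https://provider.example/authorize" +
      `?state=${encodeURIComponent(accountId)}&nonce=${nonce}`,
  };
}

// Step 2, the provider redirects back: the cookie is the only link between
// this request and the browser that started the flow.
function callback(cookieHeader, query) {
  const sid = /(?:^|;\s*)sid=([0-9a-f]{32})/.exec(cookieHeader || "")?.[1];
  const session = sid && sessions.get(sid);
  if (!session) return { error: "missing session" };
  sessions.delete(sid); // one-time use; the session can go once the flow ends
  if (query.state !== session.state) return { error: "state mismatch" };
  return { ok: true, accountId: session.state, nonce: session.nonce };
}

// What the callback sees, depending on whether the browser kept the cookie.
function simulate(cookiesAllowed) {
  const { setCookie } = connect("google", "acct-42"); // constructed account id
  const cookie = cookiesAllowed ? setCookie.split(";")[0] : "";
  return callback(cookie, { state: "acct-42", code: "constructed-code" });
}
```

With the cookie present the callback recovers the account ID and nonce; without it the server has nothing to compare the returned `state` against, which is why the flow cannot complete when cookies are blocked.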