stormpath / express-stormpath

Build simple, secure web applications with Stormpath and Express!
http://docs.stormpath.com/nodejs/express/
Apache License 2.0

Regression: LinkedIn login broken in 3.1.6 #551

Closed edjiang closed 7 years ago

edjiang commented 7 years ago

Seems like we switched to using signed cookies in 3.1.6 for the OAuth State token, but are not decoding them as signed cookies. So the OAuth state doesn't match, and thus gets rejected with Invalid state token provided

Two questions:

  1. Why'd we switch to signed cookies? I'm not sure if I see the benefit here.
  2. We need to be decoding these cookies as signed cookies, or revert this change, as currently LinkedIn (and I'm guessing GitHub) login is broken with the authorization_code flow.

robertjd commented 7 years ago

Thanks @edjiang , we'll get this fixed. No specific reason for the signed cookies, just something we decided to do.

edjiang commented 7 years ago

No problem =] Then should be an easy find/replace for req.cookie to req.signedCookies in some specific scenarios =]