
Is it possible to disable session for Strategy? #190

Closed
TwistTheNeil opened this issue Sep 13, 2019 · 2 comments

@TwistTheNeil

I'm trying to not use sessions with the OpenID Connect strategy, but I run into this error:

`TypeError: authentication requires session support`

However, I see in the README that it might be possible to not use a session:

`// store the code_verifier in your framework's session mechanism, if it is a cookie based solution`

I plan on not using cookies, so is there an option that I am missing?

Snippets of code:

```javascript
const express = require('express');
const passport = require('passport');
const { Issuer, generators, Strategy: OIDCStrategy } = require('openid-client');

const app = express();
let opts = {};

const initOIDC = async () => {
  const googleIssuer = await Issuer.discover('https://accounts.google.com');
  console.log('Discovered issuer %s %O', googleIssuer.issuer, googleIssuer.metadata);

  /* Authorization Code Flow */
  /* client object */
  const client = new googleIssuer.Client({
    client_id: process.env.GOOGLE_CLIENT_ID,
    client_secret: process.env.GOOGLE_CLIENT_SECRET,
    redirect_uris: ['http://localhost:3001/oidc/callback'],
    response_types: ['code'],
  });

  /* params object */
  const params = {
    client_id: process.env.GOOGLE_CLIENT_ID,
    response_type: 'code',
    scope: 'openid email profile',
    // note: generated once at startup, so this value is the same for every login
    nonce: generators.nonce(),
    redirect_uri: 'http://localhost:3001/oidc/callback',
  };

  opts.client = client;
  opts.params = params;
  opts.passReqToCallback = true;
};

// Register the strategy only after discovery has finished; otherwise opts.client
// is still undefined when the Strategy constructor runs.
initOIDC().then(() => {
  // with passReqToCallback: true the verify callback receives req as its first argument
  passport.use('openid', new OIDCStrategy(opts, (req, tokenset, userinfo, done) => {
    console.log("-----tokenset: ");
    console.log(tokenset);
    console.log("userinfo");
    console.log(userinfo);
    // the verify callback must hand a user (or an error) back to passport
    done(null, userinfo);
  }));
});

/* Endpoints */
app.get('/oidc', passport.authenticate('openid', { session: false, scope: 'profile email openid' }));
app.get('/oidc/callback', passport.authenticate('openid', { session: false, failureRedirect: '/login' }), (req, res) => {
  console.log('i am getting here oh yay or nay');
  res.sendStatus(200);
});

app.listen(3001);
```
@panva (Owner)
panva commented Sep 13, 2019

> Is it possible to disable session for Strategy?

It is not. Binding the state/nonce and other transaction details is a prerequisite for a CSRF-protected client.

@panva panva closed this as completed Sep 13, 2019
@TwistTheNeil (Author)

Alright, thanks for the quick response!

@github-actions github-actions bot locked and limited conversation to collaborators Apr 4, 2020