You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
auth({session: {store: newRedisStore({client: redisClient}),},// I manually specify which endpoints need auth when defining themauthRequired: false,issuerBaseURL: process.env.ISSUER_BASE_URL,baseURL: process.env.BASE_URL,clientID: process.env.CLIENT_ID,clientSecret: process.env.CLIENT_SECRET,secret: process.env.SESSION_SECRET,idpLogout: true,errorOnRequiredAuth: true,routes: {postLogoutRedirect: '/logged-out',},authorizationParams: {response_type: 'code',audience: process.env.EXTERNAL_API_AUDIENCE,scope: process.env.EXTERNAL_API_SCOPE,},})
Locally this works fine. I've been using Serverless Framework to simulate lambdas on my machine, and the auth flow works correctly:
I hit /login
Middleware redirects to my issuer url
Auth0 redirects back to /callback
The middleware saves info to session, redirects back to /
In production, I also go through the auth flow all the way to step 4, and I even see a Success Login log entry in the Auth0 logs. However, I am not authenticated despite a session being persisted (in redis) with an access token.
Observations
Locally the /callback endpoint sets an appSession cookie when it gets a code back. This doesn't seem to be happening in production. Another cookie is present on the final requests instead: auth_verification
Despite not having attemptSilentLogin set to true, in production, I can see the skipSilentLogin cookie being set indicating it is being attempted. Locally, I have to login every time I logout, but in production I don't. This seems to indicate my config is not being respected in production, and yet, response_type is respected.
Locally the sessions stored only have two keys present: id_token and state. In prod there are more keys: id_token, scope, access_token, refresh_token, expires_at and token_type.
When I removed the response_type so the default is used (id_token), again this works fine locally, but in production I get a 400 (Bad Request) on my /callback route. I can see an id_token and state as part of the request, indicating the call from my tenant is correct. However, I get the following error:
BadRequestError: checks.state argument is missing
at ResponseContext.callback (/var/task/node_modules/express-openid-connect/lib/context.js:354:15)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
My naive understanding of this code is that references to requests are being stored in memory. If that is correct, this middleware cannot be used in lambdas. However, another github comment seems to indicate it did work for them.
Reproduction
Create a simple app using the connect sample app
Export a handler using serverless-http as described here
Deploy to AWS lambda and try and hit /login
express-openid-connect version
2.16.0
Express version
4.17
Node.js version
16
The text was updated successfully, but these errors were encountered:
Checklist
Description
This is my configuration:
Locally this works fine. I've been using Serverless Framework to simulate lambdas on my machine, and the auth flow works correctly:
/login
/callback
/
In production, I also go through the auth flow all the way to step 4, and I even see a
Success Login
log entry in the Auth0 logs. However, I am not authenticated despite a session being persisted (in redis) with an access token.Observations
/callback
endpoint sets anappSession
cookie when it gets acode
back. This doesn't seem to be happening in production. Another cookie is present on the final requests instead:auth_verification
attemptSilentLogin
set totrue
, in production, I can see theskipSilentLogin
cookie being set indicating it is being attempted. Locally, I have to login every time I logout, but in production I don't. This seems to indicate my config is not being respected in production, and yet,response_type
is respected.id_token
andstate
. In prod there are more keys:id_token
,scope
,access_token
,refresh_token
,expires_at
andtoken_type
.response_type
so the default is used (id_token
), again this works fine locally, but in production I get a400
(Bad Request) on my/callback
route. I can see anid_token
andstate
as part of the request, indicating the call from my tenant is correct. However, I get the following error:My naive understanding of this code is that references to requests are being stored in memory. If that is correct, this middleware cannot be used in lambdas. However, another github comment seems to indicate it did work for them.
Reproduction
serverless-http
as described here/login
express-openid-connect version
2.16.0
Express version
4.17
Node.js version
16
The text was updated successfully, but these errors were encountered: