Strategy callback never called

[malinosqui]

I have this code

const express = require('express');
const app = express();
const passport = require('passport');
const Strategy = require('openid-client').Strategy;
const Issuer = require('openid-client').Issuer;
var cookieSession = require('cookie-session');
var cookieParser = require('cookie-parser');
var bodyParser = require('body-parser');
var session = require('express-session');

const issuer = new Issuer({
  issuer: 'http://localhost:5000',
  authorization_endpoint: 'http://localhost:5000/connect/authorize',
  token_endpoint: 'http://localhost:5000/connect/token',
  userinfo_endpoint: 'http://localhost:5000/connect/userinfo',
  jwks_uri: 'http://localhost:5000/.well-known/openid-configuration/jwks'
});

const client = new issuer.Client({
  client_id: 'xxx',
  client_secret: 'xxx'
});

const params = {
  "redirect_uri": "http://localhost:3000/users",
  "response_type": "code id_token token",
  "scope": "xxx openid profile",
  "authentication_type": "xxx"
};

passport.use('oidc', new Strategy({ client, params }, function (tokenset, userinfo, done) {
  console.log('tokenset', tokenset);
  console.log('access_token', tokenset.access_token);
  console.log('id_token', tokenset.id_token);
  console.log('claims', tokenset.claims);
  console.log('userinfo', userinfo);

  return done(null, false);
}));

app.use(cookieParser());
app.use(bodyParser());
app.use(session({ secret: 'xxx', key: 'user', cookie: { maxAge: 60000, secure: false } }));
app.use(passport.initialize());
app.use(passport.session());

app.get('/', function (req, res) {
  res.send('Hello World!');
});

app.get('/login', function (req, res) {
  console.log(req.isAuthenticated());
  res.send('Login');
});

app.get('/users', (req, res) => {
  console.log(req.isAuthenticated());
  res.send('aeae');
});

app.get('/auth',
  passport.authenticate('oidc'));

app.listen(3000, function () {
  console.log('Example app listening on port 3000!');
})]

everthing works fine, but my Strategy Callback is never called, so the code console.log(req.isAuthenticated()); always returns false!

[panva]

First off, your redirect_uri route handler /users doesn't have a call to passport.authenticate (i.e. consume the callback). Second, your verify function alwayrs returns done(null, false), so this code will never work for you. Please see the usage of openid-client passport strategy

[malinosqui]

Thanks for the answer @panva, but if I put passport.authenticate in my route handle /users, I have a loop of redirect. And still not firing callback

[panva]

heh, ok i see now. You're using a code id_token token response_type, which means response_mode=fragment. The backend service has no clue about the return parameters. Just use response_type=code. You still need the passport.authenticate with success and failure routes in the callback handler

[panva]

Alternatively change your response_mode to form_post if your OP supports it.