What does "state mismatch" mean? And what causes it? #49

Closed
morungos opened this issue Sep 6, 2017 · 3 comments

Comments

@morungos

morungos commented Sep 6, 2017

I'm struggling to get this component to work, using it with passport and express. Basically, I'm getting a backtrace from deep in the innards of the system, and I can't find how to pin down the issue.

It's likely it's something interacting with passport, but I've had to piece it together as there isn't an example for either express or passport, and I'm not sure what I'm doing. I only got this far with luck because authentication was running a redirect loop as well.

Any help or guidance would be very welcome.

Backtrace is as follows:

Error: state mismatch
    at Client.authorizationCallback (/mnt/data/git/turalt-demo/node_modules/openid-client/lib/client.js:279:29)
    at OpenIDConnectStrategy.authenticate (/mnt/data/git/turalt-demo/node_modules/openid-client/lib/passport_strategy.js:93:27)
    at attempt (/mnt/data/git/turalt-demo/node_modules/passport/lib/middleware/authenticate.js:361:16)
    at authenticate (/mnt/data/git/turalt-demo/node_modules/passport/lib/middleware/authenticate.js:362:7)
    at Layer.handle [as handle_request] (/mnt/data/git/turalt-demo/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/mnt/data/git/turalt-demo/node_modules/express/lib/router/index.js:317:13)
    at /mnt/data/git/turalt-demo/node_modules/express/lib/router/index.js:284:7
    at Function.process_params (/mnt/data/git/turalt-demo/node_modules/express/lib/router/index.js:335:12)
    at next (/mnt/data/git/turalt-demo/node_modules/express/lib/router/index.js:275:10)
    at Function.handle (/mnt/data/git/turalt-demo/node_modules/express/lib/router/index.js:174:3)
    at router (/mnt/data/git/turalt-demo/node_modules/express/lib/router/index.js:47:12)
    at Layer.handle [as handle_request] (/mnt/data/git/turalt-demo/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/mnt/data/git/turalt-demo/node_modules/express/lib/router/index.js:317:13)
    at /mnt/data/git/turalt-demo/node_modules/express/lib/router/index.js:284:7
    at Function.process_params (/mnt/data/git/turalt-demo/node_modules/express/lib/router/index.js:335:12)
    at next (/mnt/data/git/turalt-demo/node_modules/express/lib/router/index.js:275:10)
@morungos
Author

morungos commented Sep 6, 2017

There may be a further clue. I also get an error back from the RESTful API, as follows. This is slightly different but might be closer to the origin of the issue.

TypeError: Cannot read property 'then' of undefined
    at OpenIDConnectStrategy.authenticate (/mnt/data/git/turalt-demo/node_modules/openid-client/lib/passport_strategy.js:94:7)
    at attempt (/mnt/data/git/turalt-demo/node_modules/passport/lib/middleware/authenticate.js:361:16)
    at authenticate (/mnt/data/git/turalt-demo/node_modules/passport/lib/middleware/authenticate.js:362:7)
    at Layer.handle [as handle_request] (/mnt/data/git/turalt-demo/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/mnt/data/git/turalt-demo/node_modules/express/lib/router/index.js:317:13)
    at /mnt/data/git/turalt-demo/node_modules/express/lib/router/index.js:284:7
    at Function.process_params (/mnt/data/git/turalt-demo/node_modules/express/lib/router/index.js:335:12)
    at next (/mnt/data/git/turalt-demo/node_modules/express/lib/router/index.js:275:10)
    at Function.handle (/mnt/data/git/turalt-demo/node_modules/express/lib/router/index.js:174:3)
    at router (/mnt/data/git/turalt-demo/node_modules/express/lib/router/index.js:47:12)
    at Layer.handle [as handle_request] (/mnt/data/git/turalt-demo/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/mnt/data/git/turalt-demo/node_modules/express/lib/router/index.js:317:13)
    at /mnt/data/git/turalt-demo/node_modules/express/lib/router/index.js:284:7
    at Function.process_params (/mnt/data/git/turalt-demo/node_modules/express/lib/router/index.js:335:12)
    at next (/mnt/data/git/turalt-demo/node_modules/express/lib/router/index.js:275:10)
    at SessionStrategy.strategy.pass (/mnt/data/git/turalt-demo/node_modules/passport/lib/middleware/authenticate.js:338:9)

@morungos
Author

morungos commented Sep 6, 2017

Attached is an example which replicates this: attempting to /api/auth does redirect, but on return you get the state mismatch error.

test-redacted.js.txt

@panva
Owner

panva commented Sep 6, 2017

First things first, you can read about the state parameter and why when it mismatches an error should be thrown in the specification. The library pushes a state and nonce into the requests whenever appropriate and relies on the session storage to persist them between the request and callback.

The reason why a mismatch happens is because on the callback pass the session data is missing, hence a received state does not match the provided state (since it's not loaded from the session).

The reason for that is that you explicitly set the cookie option to { secure: true } but aren't on a secure connection, so the browser does not send the cookie values to the server. Remove this option for local environments and you should be good to go with the rest of passport usage.
