Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Passing custom state #4

Open
adamreisnz opened this issue Feb 14, 2019 · 5 comments
Open

Passing custom state #4

adamreisnz opened this issue Feb 14, 2019 · 5 comments
Labels
help wanted Extra attention is needed

Comments

@adamreisnz
Copy link

Hi, there is some kind of state implementation which relies on a store of some sort, but I'm wondering if we can add support for a custom state string, that we can choose to send from the app and which then will be returned again in the query string parameters when the request returns from the oAuth provider.

As we have a multi tenanted app, we require it to identify which of the accounts the user is trying to authenticate to (they can be member of more than one). We use the state parameter for that in most other integrations, so I was surprised to see that this doesn't appear to be supported by passport-oauth2.

Any thoughts?
@adamhathcock
Copy link

I don't personally use this (I have a provider and not a client for passport) but this oauth2 library should support the state query parameter. I'm also surprised this doesn't support it. It doesn't look like the openid client strategy doesn't either.

@adamreisnz
Copy link
Author

adamreisnz commented Feb 14, 2019
edited
Loading

I have dug deeper, and actually it is possible to send a custom state parameter back and verify it again, but it happens on the server side. So in the end, we had to implement a temporary store for these tokens, but we are able to transfer state from the client.

It works something like this:

  1. Client sends query parameters (state) to our server along with the oAuth request
  2. Server stores state in database using a custom state store implementation (this is passed to the store option of the strategy)
  3. The store generates a random nonce, links it to the state and this gets sent to the oAuth provider
  4. Request is validated on return, the nonce comes back, we look it up in the database and restore the state
  5. We append this state to the query params of the return URL when we redirect back to the client.

In the end, it's a bit convoluted, but it works as a mechanism to pass state through the request from end to end.

It would still be nice if the state and store properties could be simplified and decoupled from the storage mechanism, and simply pass (and process on return) a custom state parameter.

@rwky
Copy link

rwky commented Feb 14, 2019
edited
Loading

I'll be happy to review a PR which implements this, it's not something I'd use personally at the moment so it's best if someone else implements it that's actually going to use it since they'll be able to work out the kinks. @adamreisnz feel free to go at it!

This repo hasn't been updated to use eslint yet so I'll do that asap so we don't need to deal with conflicts later. #5

@rwky rwky added the help wanted Extra attention is needed label Feb 14, 2019
@adamreisnz
Copy link
Author

Thanks, if we'll still end up needing this I'll give it a go.

@rwky
Copy link

rwky commented Feb 27, 2019

I've linted the code so feel free to make a PR if you need it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted Extra attention is needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rwky @adamreisnz @adamhathcock