
Undocumented Strategy constructor options

Open kara-ryli opened this issue 10 years ago • 7 comments

Looking through the code trying to figure out how to do CSRF state values, I noticed a bunch of undocumented options in the Strategy constructor:

customHeaders
scope
scopeSeparator
state
sessionKey
proxy
skipUserProfile

Any reason they're not documented? state seems particularly important.

kara-ryli avatar Apr 10 '15 22:04 kara-ryli

state and scope should be documented. The rest are not documented simply because they are not generally useful, and I tend to favor explaining less options in order to reduce confusion.

All the options are usable and supported however, and I tend to comment on them only when discussing specific use cases where they are needed.

jaredhanson avatar Apr 10 '15 22:04 jaredhanson

So how is someone to implement logic that requires setup of application state prior to the oauth login and take action based on the state after successful authentication?

bertramn avatar Aug 06 '16 03:08 bertramn

I would as well really appreciate the full documentation of how to use the state parameter.

joh-klein avatar Oct 04 '16 11:10 joh-klein

Implementation with the examples from the Readme:

// requires and app setup so the snippet runs as a file
const express = require('express');
const session = require('express-session');
const passport = require('passport');
const OAuth2Strategy = require('passport-oauth2');

const app = express();
// 'state: true' keeps the generated state in req.session, so session
// middleware has to be mounted before the passport routes
app.use(session({ secret: 'replace-with-a-real-secret', resave: false, saveUninitialized: false }));
app.use(passport.initialize());

// add 'state: true' to enable state parameter inclusion
passport.use(new OAuth2Strategy({
    authorizationURL: 'https://www.example.com/oauth2/authorize',
    tokenURL: 'https://www.example.com/oauth2/token',
    clientID: EXAMPLE_CLIENT_ID,
    clientSecret: EXAMPLE_CLIENT_SECRET,
    callbackURL: "http://localhost:3000/auth/example/callback",
    state: true
  },
  function(accessToken, refreshToken, profile, cb) {
    // User is the application's own model, as in the Readme
    User.findOrCreate({ exampleId: profile.id }, function (err, user) {
      return cb(err, user);
    });
  }
));

app.get('/auth/example',
  passport.authenticate('oauth2'));

// This is where the state parameter is checked.
// If it fails, users will be redirected to '/login' (value from failureRedirect)
app.get('/auth/example/callback',
  passport.authenticate('oauth2', { failureRedirect: '/login' }),
  function(req, res) {
    // Successful authentication, redirect home.
    res.redirect('/');
  });

joh-klein avatar Oct 05 '16 07:10 joh-klein

Shouldn't I be able to pass any string with state parameter?

infoGraphMT avatar Oct 06 '16 15:10 infoGraphMT

No. It is implemented in a way that generating, sending and response checking is done in the background.

See https://github.com/jaredhanson/passport-oauth2/pull/24 and https://github.com/jaredhanson/passport-oauth2/pull/49 for reference

joh-klein avatar Oct 07 '16 08:10 joh-klein

Just spent far too long trying to figure out why a redirect was switching from https to http. Stumbled upon https://github.com/strongloop/loopback-component-passport/issues/120 and then ended up figuring out proxy by stepping through the module. The issue I referenced shows that this causes problems with more devs than myself. Not sure why you would not document usable options.

tmarshall avatar Mar 17 '17 14:03 tmarshall
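The https-to-http switch described in the comment above comes from how a relative callbackURL is made absolute when TLS is terminated in front of the app. The following is an added example, not code from the passport-oauth2 project, that models that resolution: the scheme comes from the socket unless the `proxy` option says to trust the proxy's X-Forwarded-Proto header. The exact header handling and the function names are assumptions made for this example, not a description of the library's code.

```javascript
// Added example (not passport-oauth2's own code): a model of how a relative
// callbackURL becomes an absolute redirect_uri, and why the undocumented
// `proxy` option decides whether that URL says https or http behind a
// TLS-terminating reverse proxy. Header handling here is an assumption.
function originalURL(req, options) {
  const trustProxy = Boolean(options && options.proxy);
  const forwardedProto = req.headers['x-forwarded-proto'];
  // Only honour X-Forwarded-Proto when told the app sits behind a proxy that
  // sets it; otherwise use what the socket itself knows.
  let protocol = req.encrypted ? 'https' : 'http';
  if (trustProxy && typeof forwardedProto === 'string' && forwardedProto.length > 0) {
    protocol = forwardedProto.split(',')[0].trim();
  }
  return protocol + '://' + req.headers.host + req.url;
}

function resolveCallbackURL(req, callbackURL, options) {
  // Absolute callbackURL values are used as-is; relative ones are resolved
  // against the URL the client appears to have requested.
  return new URL(callbackURL, originalURL(req, options)).toString();
}

// Constructed request as it arrives from a proxy that terminated TLS:
// the socket is plain http, the proxy says the client used https.
const behindProxy = {
  headers: { host: 'app.example.test', 'x-forwarded-proto': 'https' },
  url: '/auth/example',
  encrypted: false,
};

// Constructed request hitting the app directly over plain http, with a
// client-supplied X-Forwarded-Proto that no proxy has overwritten.
const direct = {
  headers: { host: 'app.example.test', 'x-forwarded-proto': 'https' },
  url: '/auth/example',
  encrypted: false,
};

function demo() {
  return {
    withoutProxy: resolveCallbackURL(behindProxy, '/auth/example/callback'),
    withProxy: resolveCallbackURL(behindProxy, '/auth/example/callback', { proxy: true }),
    absolute: resolveCallbackURL(behindProxy, 'https://app.example.test/cb', { proxy: false }),
    directUntrusted: resolveCallbackURL(direct, '/auth/example/callback', { proxy: false }),
  };
}
```

Two practical consequences follow from this model: behind a TLS-terminating proxy a relative callbackURL needs `proxy: true` (or an absolute https callbackURL) or the redirect_uri sent to the provider will say http; and `proxy: true` is only safe when the proxy in front of the app always sets or overwrites X-Forwarded-Proto, since the header is otherwise whatever the client chose to send.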