
req.session variables set in OIDCStrategy function not persistent in session

Open modula-ai opened this issue 1 year ago • 0 comments

Using passport@0.6.0 with the OIDC strategy from passport-azure-ad@4.3.4 and connect-mongodb-session@3.1.1 for session state.

In the strategy config I have e.g.:

    function (req, iss, sub, profile, msAccessToken, msRefreshToken, done) {
      // ...
      req.session.msAccessToken = msAccessToken;
      req.session.msRefreshToken = msRefreshToken;
      // ...
    }

This worked fine in the old version of passport, i.e. 0.4.1: session variables set in the strategy function persist.

Actual behavior

After upgrading to 0.6.0, the req.session variables set in the OIDCStrategy function are not persisting after login. Only the cookie and passport objects are available in req.session.

Looking at the release notes, I noted the changes regarding session fixation and tried the authenticate parameter:

      keepSessionInfo: true

This resolved the issue, but note that this is not recommended due to the vulnerability.

Expected behavior

I would expect on a new session that the session variables set in the strategy function at login (new session) would continue to persist without needing to use the keepSessionInfo: true parameter.

Is this a bug in 0.6.0, a misunderstanding of the change or an issue with the strategy passport-azure-ad?

Environment

  • Operating System: Windows
  • Node version: v18.1.0
  • passport version: v0.6.0
  • passport-azure-ad: v4.3.4
  • connect-mongodb-session: v3.1.1

modula-ai, Aug 06 '22 01:08
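The behaviour reported above follows from passport 0.6 regenerating the session on every login (its session-fixation defence): anything written to req.session inside the verify callback belongs to the old session and is dropped unless keepSessionInfo copies it over. The following is an added example, not code from the issue or from passport itself: a small constructed model of that login step, with the verify callback shape from the issue beside an alternative that returns the tokens through done()'s info argument (exposed by passport as req.authInfo after login) and stores them in the route handler, after regeneration, so keepSessionInfo is not needed. Session and user objects are constructed stand-ins, not express-session or passport-azure-ad code.

```javascript
// Constructed stand-in for an express-session session object.
let nextId = 1;
function createSession() {
  const s = { id: `sid-${nextId++}` };
  s.regenerate = function (cb) {
    // Fresh id, empty contents: the session-fixation defence passport 0.6 applies
    // on every login. Anything written to the session before this is discarded.
    for (const k of Object.keys(this)) if (k !== 'regenerate') delete this[k];
    this.id = `sid-${nextId++}`;
    cb(null);
  };
  return s;
}
// Simplified model of passport 0.6's SessionManager.logIn: regenerate, then copy
// the previous fields back only when keepSessionInfo is set.
function logIn(req, user, options, cb) {
  const prev = { ...req.session };
  req.session.regenerate(function (err) {
    if (err) return cb(err);
    if (options.keepSessionInfo) {
      for (const k of Object.keys(prev)) if (k !== 'regenerate' && k !== 'id') req.session[k] = prev[k];
    }
    req.session.passport = { user: user.id }; // serializeUser stand-in
    cb(null);
  });
}
// Verify callback as in the issue: tokens written to req.session before login.
function verifyFromIssue(req, profile, msAccessToken, msRefreshToken, done) {
  req.session.msAccessToken = msAccessToken;
  req.session.msRefreshToken = msRefreshToken;
  done(null, profile);
}
// Alternative: return the tokens through done()'s `info` argument (passport exposes
// it as req.authInfo after login) and store them in the route handler, i.e. after
// the session has been regenerated, so keepSessionInfo is not needed.
function verifyViaAuthInfo(req, profile, msAccessToken, msRefreshToken, done) {
  done(null, profile, { msAccessToken, msRefreshToken });
}
// Drive one login through the model and return the resulting session object.
function simulateLogin(verify, options) {
  const req = { session: createSession() };
  verify(req, { id: 'user-1' }, 'access-xyz', 'refresh-abc', (err, user, info) => {
    logIn(req, user, options, () => {
      if (info) Object.assign(req.session, info); // the post-authenticate route handler
    });
  });
  return req.session;
}
```

Running the issue's callback through the model without keepSessionInfo leaves only the passport object in the regenerated session; the authInfo variant keeps both the login and the tokens while still getting a new session id.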