OIDC session key fails to serialize for certain session middleware options

[yangchristian]

Version: v3.0.4
Setup (not specific to these deps though):

• Session middleware: express-session v1.10.4
• Session store: connect-mongo v0.8.2

Repro:

• Set the connect-mongo option stringify: false (details)

Result:
The dotted field 'OIDC: {redirectUrl}' in 'session.OIDC: {redirectUrl}' is not valid for storage

I believe the default value for the session key here is at fault
(https://github.com/AzureAD/passport-azure-ad/blob/master/lib/oidcstrategy.js#L382):

this._key = options.sessionKey || ('OIDC: ' + options.redirectUrl);

Depending on your setup, there's a decent chance that the key will have invalid characters and fail to serialize since we're using a raw URL. It just happens that for default Mongo setups you're ok since it will stringify the entire object.

Might I suggest using the clientId instead since that is more serializable? That's basically what we're doing in application code as a workaround (passing the option sessionKey: 'OIDC: {clientId}'). Alternatively, could do some escaping of the redirect url.

[lovemaths]

@yangchristian I can reproduce this issue. Yes, clientId is better choice, we will include this change in the next release. Thank you!

[faradayfan]

I have the same issue with v3.0.7
I just added oidcStrategy.sessionKey: clientID as a temporary work around.

[lovemaths]

@yangchristian @faradayfan We just shipped v3.0.8 with the change. Closing the issue.