Passport strategy broken with iss in authentication request #564
5.0.0 introduced OAuth 2.0 authorization server issuer checking, which has a side effect of causing the passport strategy to process authentication requests with `iss` in them as if they were responses instead of requests. This errors with a

    did not find expected authorization request details in session, req.session['foo'] is undefined

I believe this is happening because `iss` is (as of 5.0.0) listed here: https://github.com/panva/node-openid-client/blob/363c2152d125580897b394841bfc785b0cdcb054/lib/client.js#L53 which causes the `if` here to always fail and we pass into authentication response: https://github.com/panva/node-openid-client/blob/363c2152d125580897b394841bfc785b0cdcb054/lib/passport_strategy.js#L88

To Reproduce
Steps to reproduce the behaviour:
`iss` property present

Expected behaviour
I'm currently working around this by doing a `delete req.body.iss` in my authentication request route before calling `passport.authenticate`. Then it behaves like the 4.9.1 version and processes the authentication request properly.

Environment:

Additional context
The draft, now RFC 9207, doesn't talk about authentication requests, only responses. That leads me to believe this is a bug.
The LTI 1.3 security framework is an example of a spec that says `iss` is required in the third-party initiated login authentication request.

Comments

Exactly, because this is an authorization response parameter it makes

Why?

Because

Thanks for the quick response! I didn't see that you'd made a patch so quickly when this closed. 😃
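As an added example (not code from node-openid-client or from the issue reporter), the following contrasts two ways a passport-style strategy could decide whether an incoming request is an authentication request or an authorization response: a naive check that treats the presence of any known response parameter, `iss` included, as evidence of a response, and a stricter check that only takes the response path when a core response parameter (`code`, `id_token`, `token`, `access_token` or `error`) is present, and then performs the RFC 9207 `iss` comparison on that response. The LTI 1.3 third-party-initiated login request, the session object, the `oidc` session key and all function names are constructed and hypothetical; the naive classifier approximates the behaviour described in the issue rather than reproducing the library's actual code.

```javascript
// Added example; not code from node-openid-client or the issue reporter.
// All helpers and sample inputs below are hypothetical/constructed.

// Parameters that can legitimately appear in an authorization response.
// With RFC 9207 support, `iss` joins this list.
const RESPONSE_PARAMS = new Set([
  'code', 'id_token', 'token', 'access_token', 'token_type', 'expires_in',
  'state', 'error', 'error_description', 'error_uri', 'session_state', 'iss',
]);

// Parameters that, on their own, mark a message as an authorization response.
// `iss` and `state` are deliberately excluded: RFC 9207 `iss` only accompanies
// a code/token/error response, and `state` alone says nothing.
const CORE_RESPONSE_PARAMS = new Set(['code', 'id_token', 'token', 'access_token', 'error']);

// Naive check (the failure mode in the issue): any known response parameter => response.
function looksLikeResponseNaive(params) {
  return Object.keys(params).some((k) => RESPONSE_PARAMS.has(k));
}

// Stricter check: require a core response parameter before taking the response path.
function looksLikeResponseStrict(params) {
  return Object.keys(params).some((k) => CORE_RESPONSE_PARAMS.has(k));
}

// RFC 9207 issuer check, applied to responses only: if the client knows the AS
// supports `iss`, the parameter must be present and must equal the expected issuer.
function checkResponseIssuer(params, expectedIssuer, issuerSupported) {
  if (params.iss === undefined) {
    if (issuerSupported) throw new Error('missing iss in authorization response');
    return;
  }
  if (params.iss !== expectedIssuer) {
    throw new Error(`iss mismatch: expected ${expectedIssuer}, got ${params.iss}`);
  }
}

// Simulates the strategy's two code paths. `session` is a plain object standing in
// for req.session; `opts` carries the state/nonce to store and the expected issuer.
function handle(params, session, classifier, opts) {
  if (!classifier(params)) {
    // Authentication request path: persist request details, then redirect to the AS.
    session.oidc = { state: opts.state, nonce: opts.nonce };
    return { action: 'redirect', state: opts.state };
  }
  // Authorization response path: requires the details stored on the request path.
  if (!session.oidc) {
    throw new Error("did not find expected authorization request details in session, req.session['oidc'] is undefined");
  }
  checkResponseIssuer(params, opts.issuer, opts.issuerSupported);
  if (params.state !== session.oidc.state) throw new Error('state mismatch');
  delete session.oidc;
  return { action: 'callback', code: params.code };
}

const ISSUER = 'https://platform.example.com';
const OPTS = { state: 's1', nonce: 'n1', issuer: ISSUER, issuerSupported: true };

// Constructed LTI 1.3 third-party-initiated login request: `iss` is required here,
// yet this message is an authentication request, not an authorization response.
const ltiLoginRequest = {
  iss: ISSUER,
  login_hint: 'user-123',
  target_link_uri: 'https://tool.example.com/launch',
  client_id: 'tool-client',
};

// Constructed authorization response carrying the RFC 9207 `iss` parameter.
const authzResponse = { code: 'SplxlOBeZQQYbYS6WxSbIA', state: 's1', iss: ISSUER };

function demo() {
  const results = {};
  // Naive classifier misreads the login request as a response and fails on an empty session.
  try {
    handle(ltiLoginRequest, {}, looksLikeResponseNaive, OPTS);
    results.naive = 'ok';
  } catch (e) {
    results.naive = e.message;
  }
  // Strict classifier takes the request path first, then handles the real response.
  const session = {};
  results.strictRequest = handle(ltiLoginRequest, session, looksLikeResponseStrict, OPTS).action;
  results.strictResponse = handle(authzResponse, session, looksLikeResponseStrict, OPTS).action;
  // Mix-up attempt: a response whose `iss` names another server is rejected.
  try {
    handle({ ...authzResponse, iss: 'https://evil.example.com' }, { oidc: { state: 's1' } },
      looksLikeResponseStrict, OPTS);
    results.mixup = 'ok';
  } catch (e) {
    results.mixup = e.message;
  }
  return results;
}

console.log(demo());
```

The reporter's `delete req.body.iss` workaround is equivalent to feeding the naive classifier a request without `iss`; the stricter classifier makes the workaround unnecessary while keeping the RFC 9207 check on the response path, where it actually defends against mix-up.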