Menu
I'm using Passport.js to do authentication, and per Google's OAuth2 documentation, I'm passing in a state variable:
app.get('/authenticate/googleOAuth', function(request, response) {
passport.authenticate('google', {
scope:
[
'https://www.googleapis.com/auth/userinfo.profile',
'https://www.googleapis.com/auth/userinfo.email'
],
state: { blah: 'test' }
})(request, response);
});
However, I can't seem to access that variable at a later date:
passport.use(new googleStrategy(
{
clientID: '...',
clientSecret: '...',
callbackURL: '...',
passReqToCallback: true
},
function(request, accessToken, refreshToken, profile, done) {
console.log('state: ' + request.query.state);
login(profile, done);
}));
request.query.state is undefined. request.param("state") doesn't work, either.
How can I get at that variable after the authentication callback?
983
Authorization is performed by calling passport. authorize() . If authorization is granted, the result provided by the strategy's verify callback will be assigned to req.account . The existing login session and req.
In this route, passport. authenticate() is middleware which will authenticate the request. By default, when authentication succeeds, the req. user property is set to the authenticated user, a login session is established, and the next function in the stack is called.
The state parameter is a string so you can encode any other information in it. You send a random value when starting an authentication request and validate the received value when processing the response.
The reason this doesn't work is because you're passing state as an object instead of a string. Seems like passport doesn't stringify that value for you. If you want to pass an object through the state param, you could do something like this:
passport.authenticate("google", { scope: [ 'https://www.googleapis.com/auth/userinfo.profile', 'https://www.googleapis.com/auth/userinfo.email' ], state: base64url(JSON.stringify(blah: 'test')) })(request, response); As Rob DiMarco noted in his answer, you can access the state param in the callback req.query object.
I'm not sure encoding application state and passing it in the state param is a great idea though. The OAuth 2.0 RFC Section 4.1.1 defines state as "an opaque value". It's intended to be used for CSRF protection. A better way to preserve application state in between the authorization request and the callback might be to:
state parameter value (hash of cookie, for example)state as an identifier before initiating the authorization requeststate param passed back from Google
136
Testing this briefly, using Node.js v0.8.9, the runtime-configured parameters for the Google OAuth 2.0 authorization request are eventually formatted via the getAuthorizeUrl method in the node-auth library. This method relies upon querystring.stringify to format the redirect URL:
exports.OAuth2.prototype.getAuthorizeUrl= function( params ) { var params= params || {}; params['client_id'] = this._clientId; params['type'] = 'web_server'; return this._baseSite + this._authorizeUrl + "?" + querystring.stringify(params); } (Above copied from https://github.com/ciaranj/node-oauth/blob/efbce5bd682424a3cb22fd89ab9d82c6e8d68caa/lib/oauth2.js#L123).
Testing in the console using the state parameter you specified:
querystring.stringify({ state: { blah: 'test' }}) => 'state='
As a workaround, you can try JSON-encoding your object, or use a single string, which should resolve your issue. You can then access the state, in your callback request handler, via req.query.state. Remember to JSON.parse(req.query.state) when accessing it.
20
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
