after login, req.oidc.accessToken is undefined
Describe the problem
after authentication, the accessToken is undefined. Here's my code:
const express = require("express");
const { auth } = require('express-openid-connect');
const app = express();
app.use(
  auth({
    issuerBaseURL: '***',
    baseURL: '***',
    clientID: '***',
    secret: '***',
    clientSecret: '***',
    idpLogout: true,
    authorizationParams: {
      response_type: 'code',
      scope: 'openid'
    },
    afterCallback: async (req, res, session, decodedState) => {
      console.log('session: ', session); // here I can see the token in session
      return {
        ...session
      };
    }
  })
);
app.get('/', (req, res) => {
  console.log('accessToken:', req.oidc.accessToken); // here accessToken is undefined
  res.send('page content');
});
What was the expected behavior?
I expected to find req.oidc.accessToken initialized after authentication.
Environment
- Version of this library used: 2.8.0
- Other modules/plugins/libraries that might be involved: express@^4.18.1
Hi @fabsev - thanks for raising this
I'm not able to reproduce your issue on the basic app against the default oidc-provider, see https://github.com/auth0/express-openid-connect/compare/test-at
If you provide a reproducible example, I could try debugging it for you.
I encountered a similar issue. Here is my case and solution:
const { auth, requiresAuth } = require('express-openid-connect');
...
app.use({
  ...
  authRequired: false,
  ...
});
...
app.use(requiresAuth(), async (req, res, next) => {
  try {
    let { token_type, access_token, isExpired, refresh } = req.oidc.accessToken;
    if (isExpired()) {
      ({ access_token } = await refresh());
      req.appSession.access_token = access_token;
      console.log("Refreshing expired token");
    }
  } catch (err) {
    console.error("Refreshing expired token failed", err);
  }
  next();
});
...
My issue was that I specified authRequired: false so adding requiresAuth() before my middleware did the trick: oidc is now present when that middleware gets called.
I see you don't have the authRequired: false but you could give it a try.
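The refresh-on-expiry pattern in the comment above, written as a reusable middleware with the failure path handled. This is an added example, not code from the thread or from the express-openid-connect project; it assumes only the `req.oidc` surface the library exposes (`isAuthenticated()`, the `accessToken` getter with `isExpired()`/`refresh()`) and `res.oidc.login()`, and the stubs at the bottom are constructed so that the file runs without the library installed.

```javascript
// Added example (not from the thread or the express-openid-connect project).
// Middleware factory: keeps req.oidc.accessToken fresh and, when the refresh
// token can no longer be used, drops back to a fresh login instead of failing
// the request with an uncaught error.
function ensureFreshAccessToken({ log = console } = {}) {
  return async function (req, res, next) {
    // Anonymous request: let auth()/requiresAuth() upstream decide what to do.
    if (!req.oidc || !req.oidc.isAuthenticated()) {
      return next();
    }
    // The library's getter returns undefined when the session has no access_token.
    const token = req.oidc.accessToken;
    if (!token) {
      return next();
    }
    if (!token.isExpired()) {
      return next();
    }
    try {
      await token.refresh(); // the library writes the new token back into the session
      return next();
    } catch (err) {
      // e.g. invalid_grant: the provider no longer knows this refresh token.
      // Nothing can recover it server-side, so start a new login.
      log.error('access token refresh failed:', err.error || err.message);
      return res.oidc.login({ returnTo: req.originalUrl });
    }
  };
}

// ---- constructed stubs: they imitate the library surface for a dry run ----
function makeRequest({ authenticated, token }) {
  return {
    originalUrl: '/profile',
    oidc: {
      isAuthenticated: () => authenticated,
      get accessToken() { return token; },
    },
  };
}

// A constructed expired token whose refresh either succeeds or fails like the
// provider would with an unknown refresh token.
function staleToken({ refreshFails }) {
  let expired = true;
  return {
    access_token: 'constructed-old-token',
    token_type: 'Bearer',
    isExpired: () => expired,
    refresh: async () => {
      if (refreshFails) {
        const err = new Error('invalid_grant (grant request is invalid)');
        err.error = 'invalid_grant';
        throw err;
      }
      expired = false;
      return { access_token: 'constructed-new-token' };
    },
  };
}

// Runs the middleware against a stub request and reports what it decided.
async function runScenario({ authenticated, token }) {
  const outcome = { next: false, loginReturnTo: null };
  const req = makeRequest({ authenticated, token });
  const res = { oidc: { login: ({ returnTo }) => { outcome.loginReturnTo = returnTo; } } };
  const quiet = { error() {} };
  await ensureFreshAccessToken({ log: quiet })(req, res, () => { outcome.next = true; });
  return outcome;
}

runScenario({ authenticated: true, token: staleToken({ refreshFails: true }) })
  .then((o) => console.log('refresh failed ->', o)); // { next: false, loginReturnTo: '/profile' }
```

In a real app the factory is mounted after `auth()` (and after `requiresAuth()` if the route demands a login), e.g. `app.use(requiresAuth(), ensureFreshAccessToken())`.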
@d3vv3 - thanks for your suggestion
> My issue was that I specified authRequired: false so adding requiresAuth() before my middleware did the trick: oidc is now present when that middleware gets called.
You should get the oidc property as long as you use the auth middleware (it shouldn't matter what you set for authRequired)
> app.use({ ... authRequired: false, ... });

This should be:
app.use(auth({
  ...
  authRequired: false,
  ...
}));
I was not getting anything on req.oidc other than ResponseSomething {} (empty), so I did that as a workaround and it works.
If it should work, then I would leave this issue open.
Thanks for the info @d3vv3
> I was not getting anything on req.oidc other than ResponseSomething {} (empty), so I did that as a workaround and it works.
I'm not able to reproduce this on the example app, could you provide a reproducible example?
Using example access-an-api.js
I have added console.log(req.oidc) on the first line in the / path. It prints RequestContext {}
Full run (error on access to http://localhost:3000):
λ express-openid-connect master ✗ npm run start:example -- access-an-api.js
> [email protected] start:example
> node ./examples/run_example.js "access-an-api.js"
WARNING: configuration cookies.keys is missing, this option is critical to detect and ignore tampered cookies
WARNING: a quick start development-only in-memory adapter is used, you MUST change it in order to not lose all stateful provider data upon restart and to be able to share these between processes
WARNING: a quick start development-only signing keys are used, you are expected to provide your own in configuration "jwks" property
WARNING: a quick start development-only feature devInteractions is enabled, you are expected to disable these interactions and provide your own
Starting a mock authorization server. You can login with any credentials.
Authorization server started at http://localhost:3001
API started at http://localhost:3002
Example app started at http://localhost:3000
RequestContext {}
/tmp/express-openid-connect/node_modules/openid-client/lib/helpers/process_response.js:45
throw new OPError(response.body, response);
^
OPError: invalid_grant (grant request is invalid)
at processResponse (/tmp/express-openid-connect/node_modules/openid-client/lib/helpers/process_response.js:45:13)
at Client.grant (/tmp/express-openid-connect/node_modules/openid-client/lib/client.js:1249:26)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async Client.refresh (/tmp/express-openid-connect/node_modules/openid-client/lib/client.js:995:22)
at async RequestContext.refresh (/tmp/express-openid-connect/lib/context.js:30:23)
at async /tmp/express-openid-connect/examples/access-an-api.js:24:25 {
error: 'invalid_grant',
error_description: 'grant request is invalid'
}
Node.js v18.0.0
During npm install I got this, but I switched to 16.14.0, did a new npm install with no issues and still had the same output.
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '[email protected]',
npm WARN EBADENGINE required: { node: '12.19.0 || ^14.15.0 || ^16.13.0' },
npm WARN EBADENGINE current: { node: 'v18.0.0', npm: '8.6.0' }
npm WARN EBADENGINE }
> I have added console.log(req.oidc) on the first line in the / path. It prints RequestContext {}

ES6 class getters are not enumerable, so this is expected, e.g. try node -e "console.log(new (class RequestContext { get accessToken() {} })())"

> OPError: invalid_grant (grant request is invalid)
This is probably because oidc-provider can't find the refresh token you're using. The client stores the refresh token in a cookie and oidc-provider stores it in memory. So if you restart the server, you need to clear your cookies, otherwise you'll be attempting to refresh the access token with a refresh token that the authorization server doesn't recognise
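To show the getter point above in a form that can be inspected rather than just logged: an added example (not code from the thread or the library) with a constructed stand-in for the library's RequestContext class. Only the shape matters, a getter defined on the prototype; `naiveView` shows why `Object.keys`/`JSON.stringify`/`console.log` report an empty object, and `inspectGetters` walks the prototype chain and reads the accessors, which is what you want when debugging `req.oidc`.

```javascript
// Added example (not from the thread or express-openid-connect).
// Constructed stand-in for the library's RequestContext; not the real class.
class RequestContext {
  constructor(session) {
    // Keep the backing state non-enumerable, as a private field would be.
    Object.defineProperty(this, '_session', { value: session, enumerable: false });
  }
  // Getters live on the prototype: neither own properties nor enumerable,
  // so console.log(ctx) prints "RequestContext {}" even when this returns a value.
  get accessToken() {
    const { access_token, token_type, expires_at } = this._session || {};
    if (!access_token || !token_type || typeof expires_at !== 'number') return undefined;
    return {
      access_token,
      token_type,
      expires_at,
      isExpired: () => expires_at * 1000 <= Date.now(),
    };
  }
  isAuthenticated() {
    return Boolean(this._session && this._session.id_token);
  }
}

// What the usual quick checks report for a populated context.
function naiveView(ctx) {
  return { ownKeys: Object.keys(ctx), json: JSON.stringify(ctx) };
}

// Walk the prototype chain, find every accessor and read it on the instance.
function inspectGetters(ctx) {
  const out = {};
  let proto = Object.getPrototypeOf(ctx);
  while (proto && proto !== Object.prototype) {
    for (const name of Object.getOwnPropertyNames(proto)) {
      const d = Object.getOwnPropertyDescriptor(proto, name);
      if (d && typeof d.get === 'function') out[name] = ctx[name];
    }
    proto = Object.getPrototypeOf(proto);
  }
  return out;
}

// Constructed session resembling what is stored after the callback.
const sampleSession = {
  id_token: 'constructed.id.token',
  access_token: 'constructed-access-token',
  token_type: 'Bearer',
  expires_at: Math.floor(Date.now() / 1000) + 3600,
};
const ctx = new RequestContext(sampleSession);

console.log(naiveView(ctx));      // { ownKeys: [], json: '{}' }
console.log(inspectGetters(ctx)); // { accessToken: { access_token: 'constructed-access-token', ... } }
```

The same walk applied to a context built from an empty session gives `{ accessToken: undefined }`, which is the "undefined after login" symptom from the original report: the getter is there, but the session it reads has no access_token/token_type/expires_at to return.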
Closing, as I believe https://github.com/auth0/express-openid-connect/issues/384#issuecomment-1252504902 answers your question
No, it doesn't, but it's OK. I created my own logic for refreshing the token.