Commit

fix(passport): ignore static state and nonce passed to Strategy() (#556)
Co-authored-by: Filip Skokan <panva.ip@gmail.com>
prust and panva authored Jan 20, 2023
1 parent a78b2ef commit 43daff3
Showing 2 changed files with 16 additions and 1 deletion.
12 changes: 11 additions & 1 deletion docs/README.md
Expand Up @@ -840,7 +840,7 @@ Creates a new Strategy

- `options`: `<Object>`
- `client`: `<Client>` Client instance. The strategy will use it.
- `params`: `<Object>` Authorization Request parameters. The strategy will use these.
- `params`: `<Object>` Authorization Request parameters. The strategy will use these for every authorization request.
- `passReqToCallback`: `<boolean>` Boolean specifying whether the verify function should get
the request object as first argument instead. **Default:** 'false'
- `usePKCE`: `<boolean>` &vert; `<string>` The PKCE method to use. When 'true' it will resolve based
Expand All @@ -857,6 +857,16 @@ Creates a new Strategy

---

The strategy automatically generates `state` and `nonce` parameters when required. To provide one for a flow where it is optional (for example the `nonce` for the Authorization Code Flow), it can be passed in the optional `options` argument to `passport.authenticate()`:

```js
app.post('/auth/oidc', function(req, res, next) {
passport.authenticate('oidc', { nonce: crypto.randomBytes(16).toString('base64url') })(req, res, next);
});
```

---

## generators

<!-- TOC generators START -->
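Review bot: the added snippet calls `crypto.randomBytes(...)` without showing where `crypto` comes from, and `'base64url'` as a `Buffer` encoding is only accepted on Node.js 15.7+ (backported to 14.18), so on older runtimes the example fails as written. Suggest adding `const crypto = require('crypto');` above the `app.post` block and a short note on the Node.js version requirement, or using `'hex'` if the docs are meant to work on older releases. It is also worth saying explicitly in the surrounding sentence that the value must be freshly generated on every request, which the snippet does; that is exactly the property the constructor change protects, and a reader might otherwise compute the `nonce` once at module load and pass the same value each time.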
5 changes: 5 additions & 0 deletions lib/passport_strategy.js
Expand Up @@ -41,6 +41,11 @@ function OpenIDConnectStrategy(
this._usePKCE = usePKCE;
this._key = sessionKey || `oidc:${url.parse(this._issuer.issuer).hostname}`;
this._params = cloneDeep(params);

// state and nonce should be provided or generated below on each authenticate()
delete this._params.state;
delete this._params.nonce;

this._extras = cloneDeep(extras);

if (!this._params.response_type) this._params.response_type = resolveResponseType.call(client);
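Review bot: `delete this._params.state` and `delete this._params.nonce` discard caller-supplied values silently, so a developer who configured a static `state` or `nonce` in `params` (the misuse this commit guards against) gets no signal that the value is ignored; consider emitting a warning or throwing a descriptive error when either key is present, which also makes the behaviour straightforward to cover with a test. The comment "should be provided or generated below on each authenticate()" is slightly misleading because the generation happens in `authenticate()`, not further down in this constructor; suggest stating the reason for the deletion instead, e.g. `// a fixed state or nonce would be reused across requests and defeat CSRF and replay protection`. Since `this._params` is a `cloneDeep` copy, the caller's `params` object is left intact, which is the right choice.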

0 comments on commit 43daff3