CODEWITHSUNDEEP
authenticationpassport.js
Mike Pateras
Mike Pateras

Reputation: 15015

How can I access OAuth's state parameter using Passport.js?

I'm using Passport.js to do authentication, and per Google's OAuth2 documentation, I'm passing in a state variable:

app.get('/authenticate/googleOAuth', function(request, response) {
  passport.authenticate('google', {
    scope:
    [
      'https://www.googleapis.com/auth/userinfo.profile',
      'https://www.googleapis.com/auth/userinfo.email'
    ],
    state: { blah: 'test' }
  })(request, response);
});

However, I can't seem to access that variable at a later date:

passport.use(new googleStrategy(
{
    clientID: '...',
    clientSecret: '...',
    callbackURL: '...',
    passReqToCallback: true
},
function(request, accessToken, refreshToken, profile, done) {
  console.log('state: ' + request.query.state);
  login(profile, done);
}));

request.query.state is undefined. request.param("state") doesn't work, either.

How can I get at that variable after the authentication callback?

Upvotes: 32

Views: 15730

Answers (2)

Rob DiMarco
Rob DiMarco

Reputation: 13266

Testing this briefly, using Node.js v0.8.9, the runtime-configured parameters for the Google OAuth 2.0 authorization request are eventually formatted via the getAuthorizeUrl method in the node-auth library. This method relies upon querystring.stringify to format the redirect URL:

exports.OAuth2.prototype.getAuthorizeUrl= function( params ) {
  var params= params || {};
  params['client_id'] = this._clientId;
  params['type'] = 'web_server';
  return this._baseSite + this._authorizeUrl + "?" + querystring.stringify(params);
}

(Above copied from https://github.com/ciaranj/node-oauth/blob/efbce5bd682424a3cb22fd89ab9d82c6e8d68caa/lib/oauth2.js#L123).

Testing in the console using the state parameter you specified:

querystring.stringify({ state: { blah: 'test' }}) => 'state='

As a workaround, you can try JSON-encoding your object, or use a single string, which should resolve your issue. You can then access the state, in your callback request handler, via req.query.state. Remember to JSON.parse(req.query.state) when accessing it.

Upvotes: 1

Christian Smith
Christian Smith

Reputation: 8089

The reason this doesn't work is because you're passing state as an object instead of a string. Seems like passport doesn't stringify that value for you. If you want to pass an object through the state param, you could do something like this:

passport.authenticate("google", {
  scope: [
    'https://www.googleapis.com/auth/userinfo.profile',
    'https://www.googleapis.com/auth/userinfo.email'
  ],
  state: base64url(JSON.stringify(blah: 'test'))
})(request, response);

As Rob DiMarco noted in his answer, you can access the state param in the callback req.query object.

I'm not sure encoding application state and passing it in the state param is a great idea though. The OAuth 2.0 RFC Section 4.1.1 defines state as "an opaque value". It's intended to be used for CSRF protection. A better way to preserve application state in between the authorization request and the callback might be to:

  1. generate some state parameter value (hash of cookie, for example)
  2. persist the application state with state as an identifier before initiating the authorization request
  3. retrieve the application state in the callback request handler using the state param passed back from Google

Upvotes: 25

Related Questions