Reputation: 3889
In my web app (Node/Express), I use JWT to keep the user's authentication status. Since I'm using JWT, I turned off session in the passport config:
passport.authenticate('jwt', { session: false });
Now I need to integrate with Xero (or Twitter, whatever), so the OAuth strategy comes into play, as I need the user's authorization, following the three-legged flow.
However, when passport authenticates with the OAuth strategy, an error appears:
Error: OAuthStrategy requires session support. Did you forget app.use(express.session(...))?
Is the session in the error message the same as the session I turned off in the passport settings? If so, why does passport force me to use sessions when I already have JWT?
EDIT
I'm not trying to allow users from third-party websites to log in to my website without signing up. I just need the user to grant authorization so they can access the third-party API through my website. Am I doing it wrong, like, should I use
passport.authenticate('token')
instead of current
passport.authenticate('xero-oauth')
?
Upvotes: 0
Views: 537
Reputation: 474
OAuth requires an Express session, so you have to use:
app.use(session(...));
By default passport establishes a persistent login session. You can turn it off by:
passport.authenticate('xero-oauth' , { session: false });
Now there is no user session stored at the server and you have to send the JWT with every API request. So OAuth doesn't conflict with JWT and you can use them together.
You can follow this blog.
Upvotes: 2
Reputation: 1134
There is no conflict between passport JWT strategy and OAuth.
The thing is: JWT doesn't need the session, but OAuth does.
So, you need to configure the session in your app.
Example:
...
const session = require('express-session');
...
app.use(session({ secret: 'secret' /* change it, and keep it safe */ }));
app.use(passport.initialize());
app.use(passport.session());
In this order!!
If it doesn't work for you, please, provide more details about your code.
Hope it can help!
Upvotes: 0
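The two answers combined, as an added example that is not part of the original posts: the session is mounted only on the OAuth routes and sized for the handshake, while the API keeps authenticating with JWT. It assumes express, express-session and passport are installed and that the 'jwt' and 'xero-oauth' strategies are registered elsewhere; handshakeSessionOptions, buildApp, the /api and /auth/xero paths, the oauth.sid cookie name and SESSION_SECRET are hypothetical names.

```javascript
// Added example, not code from the original posts.
// Assumes the 'jwt' and 'xero-oauth' strategies were registered with passport.use(...).

// Options for a session cookie that only has to survive the OAuth handshake.
function handshakeSessionOptions(env) {
  const secret = env.SESSION_SECRET; // hypothetical variable name
  if (!secret || secret === 'secret' || secret.length < 32) {
    throw new Error('SESSION_SECRET must be a random value of at least 32 characters');
  }
  return {
    name: 'oauth.sid', // hypothetical cookie name
    secret,
    resave: false,
    saveUninitialized: false, // no cookie until the strategy stores the request token
    cookie: {
      httpOnly: true,
      secure: env.NODE_ENV === 'production',
      sameSite: 'lax', // 'strict' would drop the cookie on the provider's redirect back
      maxAge: 10 * 60 * 1000, // 10 minutes: one authorization round trip
    },
  };
}

function buildApp(env) {
  const express = require('express');
  const session = require('express-session');
  const passport = require('passport');

  const app = express();
  app.use(passport.initialize());

  // API routes stay stateless: the JWT is verified on every request.
  app.use('/api', passport.authenticate('jwt', { session: false }));

  // Only the OAuth routes get a session. The strategy keeps the request token
  // there between the redirect to the provider and the callback.
  const oauth = express.Router();
  oauth.use(session(handshakeSessionOptions(env)));
  // session: false stops passport from persisting a login in that session.
  oauth.get('/', passport.authenticate('xero-oauth', { session: false }));
  oauth.get('/callback',
    passport.authenticate('xero-oauth', { session: false }),
    (req, res) => res.redirect('/')); // attach the tokens to the JWT user here
  app.use('/auth/xero', oauth);
  return app;
}
```

Start it with buildApp(process.env).listen(3000); with passport's session: false on every route, passport.session() and serializeUser are not needed.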