Authorization Details not in Session



I’ve got a ‘simple’ Express + Node.js + EJS Serverless application that I’m attempting to put behind authentication. I’m following the Okta-Hosted Login Page Example, and having downloaded that I can confirm our Okta setup is correct, as I used the same Client ID and Client Secret that I created for my intended application.

Using the oidc-middleware appears to work but I get the following error when I navigate to /login:

Error: did not find expected authorization request details in session, req.session["oidc:https://_URL_/oauth2/default"] is undefined

This is the same error I get when I navigate to a route that is protected via oidc.ensureAuthenticated().

This is a simplified app.js:

const _ = require('lodash');
const { createReadStream } = require('fs');
const express = require('express');
const session = require('express-session');
const path = require('path');
const bodyParser = require('body-parser');
const { ExpressOIDC } = require('@okta/oidc-middleware');

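// OIDC client settings for ExpressOIDC.
// The client id and secret are read from the environment so the real values
// never live in source control. The literals are the post's redacted
// placeholders and remain only as a fallback. The environment variable names
// are constructed for this example, not names the Okta SDK requires.
const clientID = process.env.OKTA_CLIENT_ID || 'CLIENT_ID';
const clientSecret = process.env.OKTA_CLIENT_SECRET || 'SECRET';
const app = express();
const oidc = new ExpressOIDC({
  issuer: 'https://tempus.oktapreview.com/oauth2/default',
  client_id: clientID,
  client_secret: clientSecret,
  // Plain http is only acceptable for a localhost development callback.
  // NOTE(review): the host here should be the one the browser uses to reach
  // /login, otherwise the session cookie is not sent back on the callback.
  redirect_uri: 'http://localhost:4500/authorization-code/callback',
  scope: 'openid profile',
});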

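// The session middleware is mounted before oidc.router. The reported error
// names a req.session key, so the OIDC middleware expects the pending
// authorization request to be found in the session.
// NOTE(review): no `store` is configured, so express-session falls back to its
// in-process MemoryStore. Behind a serverless handler the process that served
// /login may not be the one that serves the callback, which would leave
// req.session without the entry named in the error. Confirm, and use a shared
// session store if so.
app.use(session({
  // Signing key for the session cookie, read from the environment. The literal
  // is kept only as a local fallback and must not be used for a deployed app.
  // The variable name is constructed for this example.
  secret: process.env.SESSION_SECRET || 'this-should-be-very-random',
  resave: false,
  saveUninitialized: false,
  // An empty object keeps express-session's cookie defaults. Set
  // `secure: true` once the app is served over HTTPS.
  cookie: {},
}));
app.use(oidc.router);

// Do not advertise the framework in response headers.
app.disable('x-powered-by');

app.use(bodyParser.json({ strict: false }));
app.use(bodyParser.urlencoded({ extended: true }));
app.set('views', path.join(__dirname, 'app/views'));
app.set('view engine', 'ejs');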

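// Dashboard route. req.userContext is only inspected for diagnostic logging;
// the dashboard is rendered whether or not the user is logged in.
// NOTE(review): `groupedResults`, `keys` and `logger` are not defined in this
// simplified listing; presumably the full app provides them.
app.get('/', async (req, res) => {
  try {
    // Log only whether a Cookie header arrived. The header value carries the
    // session id and should not end up in logs, and req.cookies is only
    // populated by cookie-parser, which this file does not mount.
    console.log('Cookie header present: ', Boolean(req.headers.cookie));
    console.log('params: ', req.params);
    console.log('query: ', req.query);
    if (req.userContext) {
      console.log('!!!!!!userContext so logged in!!!!!!');
      // res.send(`Hello ${req.userContext.userinfo.name}! <a href="logout">Logout</a>`);
    } else {
      console.log('!!!!!!no userContext not logged in!!!!!!');
      // res.send('Please <a href="/login">login</a>');
    }

    const data = { test: 'foo' };
    data.testRuns = groupedResults;
    data.keys = keys;
    res.render('dashboard', { data });
  } catch (e) {
    logger.fireError(e);
    // Always answer the request. Without a response the client (and the
    // serverless invocation) waits until it times out.
    if (!res.headersSent) {
      res.status(500).send('Internal Server Error');
    }
  }
});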

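// Start listening only after ExpressOIDC signals that it is ready.
// NOTE(review): listen() is called without a port. When requests arrive
// through the exported serverless handler this listener is presumably
// unnecessary. Confirm.
oidc.on('ready', () => {
  app.listen();
});

// Log the configuration failure and rethrow so it is not silently ignored.
oidc.on('error', (err) => {
  console.log('Unable to configure ExpressOIDC', err.stack);
  throw err;
});

// Exported so the serverless entry point can wrap the Express app.
module.exports = app;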

The app is launched via the following:

// Entry point: wraps the Express app with serverless-http and exposes the
// result as `handler`.
const serverless = require('serverless-http');
const app = require('./app');

const handler = serverless(app);

module.exports.handler = handler;

Locally the app is started via:
sls offline start --port 4500

Up to now, there has been no conflict between the Express app and Serverless, which is basically just acting as a proxy.