NestJS: Oidc middleware issues

Hey all

My question is extremely similar to Oidc middleware issues: ensureAuthenticated() doesn't work and userinfo isn't set

I am using NestJS and trying to add auth to my app. I am using the @okta/oidc-middleware package and configuring the middleware based on the guide and readme for adding it into an Express app.

NestJS uses express underneath. I have been struggling for the longest time to achieve a protected route and a login.

My main.ts

import { NestFactory } from '@nestjs/core';
import { ExpressOIDC } from '@okta/oidc-middleware';
import * as session from 'express-session';
import { AppModule } from './app.module';

export const oidc = new ExpressOIDC({
  issuer: 'my credentials',
  client_id: 'my credentials',
  client_secret: 'my credentials-zp1TcWQL4',
  redirect_uri: 'http://localhost:3001/my-credentials',
  scope: 'openid profile',
  appBaseUrl: 'my url'
});

async function bootstrap(oidc) {
  const app = await NestFactory.create(AppModule);
  // session support is required to use ExpressOIDC
  // (app.use(session(...)) wrapper restored; the options are the ones from the post)
  app.use(session({
    secret: 'this should be secure',
    resave: true,
    saveUninitialized: false
  }));

  // ExpressOIDC attaches handlers for the /login and /authorization-code/callback routes
  app.use(oidc.router);

  oidc.on('ready', async () => {
    await app.listen(3001, () => console.log(`Started!`));
  });
  oidc.on('error', err => {
    console.log('Unable to configure ExpressOIDC', err);
  });
}
bootstrap(oidc);

My middleware function

import { Request, Response } from 'express';
import { oidc } from 'src/main';

export function ensureAuth(req: Request, res: Response, next: Function) {
  // body missing from the post; assumed to delegate to ExpressOIDC's
  // ensureAuthenticated() middleware, which the question title refers to
  return oidc.ensureAuthenticated()(req, res, next);
}

And then it is applied in my app.module.ts as per how to use middleware in NestJS

Two issues:

  1. When I try the /login route I get:
    ForbiddenError: invalid csrf token
    "statusCode": 500,
    "message": "Internal server error"

  2. The route I wanted protected works as normal and is not protected

Does anyone have suggestions on what I could be doing wrong or any bad assumptions I am making?
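Issue 2 above, as an added example that is not part of the original post: a NestJS functional middleware only protects a route if it actually invokes the middleware that `ensureAuthenticated()` returns. The `oidc` object here is a constructed stand-in that mimics the shape of that factory from @okta/oidc-middleware; the real package is not imported, and `run` is a minimal stand-in for the Express middleware chain.

```typescript
// Added example, not the poster's code. `oidc` is a constructed stand-in for
// ExpressOIDC's ensureAuthenticated() factory; the real library is not used.
type Next = (err?: unknown) => void;
interface Req {
  path: string;
  session?: { returnTo?: string };
  userContext?: { userinfo: { sub: string } }; // populated after a successful login
}
interface Res { redirectedTo?: string; redirect(url: string): void; }
type Middleware = (req: Req, res: Res, next: Next) => void;

const oidc = {
  // Factory: returns the middleware that actually enforces the login check.
  ensureAuthenticated(): Middleware {
    return (req, res, next) => {
      if (req.userContext) return next();            // session carries a user: continue
      if (req.session) req.session.returnTo = req.path;
      res.redirect('/login');                         // otherwise bounce to /login
    };
  },
};

// Correct NestJS functional middleware: call the factory's result with req/res/next.
export function ensureAuth(req: Req, res: Res, next: Next): void {
  oidc.ensureAuthenticated()(req, res, next);
}

// Subtle mistake: the factory is called but the returned middleware never runs,
// so every request reaches the handler and the route stays unprotected.
export function ensureAuthBroken(req: Req, res: Res, next: Next): void {
  oidc.ensureAuthenticated();
  next();
}

// Minimal dispatcher standing in for the Express chain; reports what happened.
export function run(guard: Middleware, req: Req): string {
  const res: Res = { redirect(url: string) { res.redirectedTo = url; } };
  let reachedHandler = false;
  guard(req, res, () => { reachedHandler = true; });
  if (res.redirectedTo) return `redirect:${res.redirectedTo}`;
  return reachedHandler ? 'handled' : 'blocked';
}
```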

Did you solve?
I want a solution and a sample.


Would you be able to capture the network traces and email with the details so that an Engineer can help you troubleshoot the issue ?