Node authentication with Passport.js and OpenID Connect

Node authentication with Passport.js and OpenID Connect

This post demonstrates how to set up OpenID Connect authentication in Node with Passport.js.

sachin saxena

If I need the access token returned after authentication, how can I get that ?

Randall Degges

When you first create the passport strategy, there’s a callback function that in the example above isn’t using, eg:

// set up passport
passport.use(‘oidc’, new OidcStrategy({
issuer: ‘https://dev-846291.oktapreview.com/oauth2/default’,
authorizationURL: ‘https://dev-846291.oktapreview.com/oauth2/default/v1/authorize’,
tokenURL: ‘https://dev-846291.oktapreview.com/oauth2/default/v1/token’,
userInfoURL: ‘https://dev-846291.oktapreview.com/oauth2/default/v1/userinfo’,
clientID: ‘{ClientID}’,
clientSecret: ‘{ClientSecret}’,
callbackURL: ‘http://localhost:3000/authorization-code/callback’,
scope: ‘openid profile’
}, (issuer, sub, profile, accessToken, refreshToken, done) => {
return done(null, profile);
}));

What you can do is take the accessToken variable from there and store it someplace for later usage =)

Brian McBride

I’m always looking for more articles on how people implemented passport and Okta is a great product.

it might be great to see an example with Okta using JWTs & Authentication Headers over cookies. When I saw express-session there, I had to check the date of this blog post as I was thinking I might be seeing something from a couple years ago :slight_smile:

Sathish Balasubramaniyan

How can I get the OIDC ID Token if I need it?

Randall Degges

I believe it’s in the session cookie already.

Adam

Thanks for the article! Got me on the right path, but the passport-openidconnect package did not work for other oidc provider implementations like IdentityServer4. The auth redirect url is not formed correctly, so the provider rejects the request. There are a number of parameters missing such as a nonce value. I was able to use the following package’s strategy and it worked like a champ. https://github.com/panva/no…

Joao Reis

should the secret be hardcoded? seems like a security flaw to me…

Lee Brandt

Never. This is just for demonstration purposes. Secrets can be stored and used in lots of secure ways. This is more about demonstrating how passport works with OIDC,

Vadym Rybak

no, you can find ID Token in params object which is missing in example callback above:
(issuer, sub, profile, accessToken, refreshToken, params, done)

Vishnu Karthik Reddy Aleti

Hi Team, Thank you for this great article. In my case, we have Loopback framework with Node.Js. So, how shall i implement this Okta with my application. This article is purely for NodeJs & ExpressJs. kindly advise me. Thank you in advance.

pragmaticivan

FYI, req.session.destroy() performs race condition. express-session only performs .save on res.end, it doesn’t wait for redirects.

If you are connected to a store that has some latency, it will redirect before it destroys the session.

Greg Steven

Is this the recommended approach, or is using @okta/oidc-middleware, as described in https://developer.okta.com/…, the standard approach?

leebrandt

The Okta oidc-middleware is probably the more common approach. But if your developers are already familiar with setting up and configuring Passport for authentication, then that might be the right approach for your organization.

Roman Soulman

Thank you for the article, @leebrandt ! Any reason you picked ‘passport-openidconnect’ vs. ‘openid-client’ (http://www.passportjs.org/p… - an OIDC client despite the name) which has many more downloads?

Frédéric Mériot

Hi,
personally, I preferred to use the official library openid-client. The one used in this example no longer seems to be maintained.

Nomi

Great article, got a question though. Where is the user? You have a login link which invokes login flow and calls call back method to redirect to a page printing user.displayName but which user? no user singed in yet. I am confused.