OIDC Middleware issues: Protecting routes

edmondhlau4 · January 7, 2021, 9:54pm

Hi,

I’m using Node and trying to use oidc.ensureAuthentication to protect some of my routes. I am currently testing it on a page called alarms with a file called “alarms.html” in the directory. I am able to login using the oidc-middleware package however afterwards I am unable to use oidc.ensureAuthentication. My URL is a localhost port.

My server.js

const express = require('express');

const app = express();

const session = require('express-session');

const { ExpressOIDC } = require('@okta/oidc-middleware');

const port = 8080;

// Setting up the public directory

app.use(express.static(__dirname));

app.listen(port, () => console.log(`listening on port ${port}!`));

// session support is required to use ExpressOIDC

app.use(session({

  secret: 'this should be secure',

  resave: true,

  saveUninitialized: false

}));

const oidc = new ExpressOIDC({

  issuer: <URL>/oauth2/default',

  client_id: '.....',

  client_secret: '.....',

  redirect_uri: '<URL>/authorization-code/callback',

  scope: 'openid profile',

  appBaseUrl: '<URL>'

});

// ExpressOIDC attaches handlers for the /login and /authorization-code/callback routes

app.use(oidc.router);

app.get('/alarms', oidc.ensureAuthenticated(), (req, res) => {

  console.log('Authenticated');

  res.render('alarms');

});

erik · January 8, 2021, 5:24pm

Hello,
I ran a test using a similar setup found at the repo, and the oidc.ensureAuthentication worked in protecting my route. If I am logged in, I am able to access routes protected by it, If I am not logged in I get redirected to the login page. Could you detail what you are seeing?

edmondhlau4 · January 8, 2021, 10:37pm

So once I enter into the localhost, I check the protected route to see if I am redirect to login page, however even if I am not logged in, I can still view and access the protected page.

erik · January 9, 2021, 2:40am

Since your app does not have logout functionality are you sure you don’t have an Okta session the entire time? The below is form our repo, can you try running this sample and see if you have the same issue. Make sure that in the Okta console for the web app you are testing with you set the ‘Logout Redirect URIs’ to ‘http://localhost/’

const express = require(‘express’);
const session = require(‘express-session’);
const { ExpressOIDC } = require(’@okta/oidc-middleware’);

const app = express();
const oidc = new ExpressOIDC({
issuer: ‘https://???.okta.com/oauth2/default’,
client_id: ‘…’,
client_secret: ‘…’,
appBaseUrl: ‘http://localhost:8080’,
scope: ‘openid profile’,
//redirect_uri: ‘http://localhost:8080/authorization-code/callback’,
});

app.use(session({
secret: ‘this-should-be-very-random’,
resave: true,
saveUninitialized: false
}));
app.use(oidc.router);

app.get(’/’, (req, res) => {
if (req.userContext) {
res.send( Hello ${req.userContext.userinfo.name}! <form method="POST" action="/logout"> <button type="submit">Logout</button> </form> );
} else {
res.send(‘Please login’);
}
});

app.get(’/protected’, oidc.ensureAuthenticated(), (req, res) => {
res.send(‘Top Secret’);
});

oidc.on(‘ready’, () => {
app.listen(8080, () => console.log(‘app started’));
});

oidc.on(‘error’, err => {
// An error occurred while setting up OIDC, during token revokation, or during post-logout handling
});

edmondhlau4 · January 10, 2021, 3:14am

Hi, I was able to run the sample without having the same issue. I think my issue was with how I was sending certain files.

Thank you!