Passport authenticate in Nodejs hangs

This is my first project with both passport and Okta in a Nodejs app. I can get the Okta login page, successfully login to Okta, and get redirected to the callback url with a code. This works perfectly.

However, I am having a problem getting the user profile. The call to passport.authenticate in the callback hangs. There are no errors reported or in the log.

I have looked at multiple examples and tried many variations, but I do not see what I am doing wrong. Any idea?

Code segment:

    passport.use('oidc', new Strategy({
        issuer: process.env.ISSUER_URL,
        authorizationURL: process.env.AUTH_URL,
        tokenURL: process.env.TOKEN_URL,
        userInfoURL: process.env.USER_URL,
        clientID: process.env.CLIENT_ID,
        clientSecret: process.env.CLIENT_SECRET,
        callbackURL: process.env.CALLBACK_URL,
        scope: 'openid profile'
    }, (issuer, profile, done) => {
        return done(null, profile);
    }));

    passport.serializeUser((user, done) => {
        done(null, user);
    });
    passport.deserializeUser((obj, done) => {
        done(null, obj);
    });

    app.post('/oktalogin', passport.authenticate('oidc'));

    app.use('/authorization-code/callback', function(req,res) {
        passport.authenticate('oidc', { failureRedirect: '/autherror' }),
            (req, res) => { res.redirect('/profile') };
    });

    app.use('/profile', (req, res) => {
        res.render('profile', { USER: req.user });
    });

    app.use('/autherror', (req,res) => {
        res.render('error',{ MSG: "AUTH ERROR" });
    });
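An added example, not code from the question or from Okta's sample, written in plain Node with no Express or Passport installed (both are replaced by small stand-ins with assumed, simplified behaviour). It shows why the callback route above never responds: `app.use(path, fn)` registers `fn` as the handler, and `fn` builds the authenticate middleware but never invokes it and never sends a response, so the request sits in "pending" until it times out. The corrected wiring passes the middleware and the success handler to the router directly.

```javascript
// Added example: minimal stand-ins for Express dispatch and passport.authenticate(),
// not the real libraries. Behaviour is simplified for illustration.

// Express-style dispatcher: handlers run in order and each must either send a
// response or call next(). One that does neither leaves the request hanging,
// which is the "pending ... then times out" symptom from the question.
function dispatch(handlers, req) {
  const res = { redirectedTo: null, statusCode: null };
  res.redirect = (url) => { res.statusCode = 302; res.redirectedTo = url; };
  let i = 0;
  const next = (err) => {
    if (err) { res.statusCode = 500; return; }
    const h = handlers[i++];
    if (h) h(req, res, next);
  };
  next();
  return res;
}

// Stand-in for passport.authenticate('oidc', opts): returns a middleware that
// "exchanges" req.query.code and either attaches req.user or redirects to
// failureRedirect. (Assumed behaviour; the real strategy calls /token here.)
function authenticate(strategy, opts) {
  return (req, res, next) => {
    if (req.query.code === 'good-code') {
      req.user = { sub: 'user-123', strategy };
      return next();
    }
    res.redirect(opts.failureRedirect);
  };
}

// The wiring from the question: a single handler that *creates* the
// authenticate middleware (comma expression) but never calls it or responds.
const brokenCallback = [
  (req, res) => {
    authenticate('oidc', { failureRedirect: '/autherror' }),
      (req, res) => { res.redirect('/profile'); };
  },
];

// Corrected wiring: the middleware and the success handler are both passed to
// the router, as app.use(path, mw, handler) would do.
const fixedCallback = [
  authenticate('oidc', { failureRedirect: '/autherror' }),
  (req, res) => { res.redirect('/profile'); },
];

// Simulate GET /authorization-code/callback?code=<code> against a handler list.
function simulate(handlers, code) {
  return dispatch(handlers, { query: { code } });
}
```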

Hello,
Are you able to verify if the /token call is happening?
If successful you should see a log entry in the Okta System.log. If there is an error in the call, it may or may not show up in the log, depending.

If you check the system.log and see no entry either positive/negative, just to test you might try changing the tokenURL in your configuration to a local route capable of handling a POST request and verify that the /token call is even happening.

For reference: Build Secure Node Authentication with Passport.js and OpenID Connect | Okta Developer

Hi Eric,

Thanks for your response. I don’t have admin access to Okta, but I can verify that it does log me into Okta and returns a code to the callback without a system error. The problem seems to be returning the profile. Is there a way to verify if it is, or is not, a CORS problem?

There should be no CORS request for the flow you described. When the code is returned, I assume your browser is being 302'd back to your Node server, correct? This is not a CORS call, but a user-agent redirect.
Once the Node process receives the code it should make a call to the /token endpoint to retrieve your tokens. This happens from the Node server, so not a CORS call either.

It does return to the node server callback url and it returns a code. I am working from the following documentation:
https://developer.okta.com/docs/guides/sign-into-web-app-redirect/node-express/main/

This document does not mention making a call to the /token endpoint, am I using the wrong documentation?
If so, can you send me the correct link?

The sample app works fine for me.

When you run it and login you should see something like:

    express-app@0.0.0 start
    node --inspect ./bin/www

    Debugger listening on ws://127.0.0.1:9229/39e52bae-4c87-4839-8db0-071537236d2f

    For help, see: Debugging - Getting Started | Node.js

    GET /login? 302 7.681 ms - 0
    GET /authorization-code/callback?code=ZKhUsbdNUNfKY0GWqpMzhNCYHrVnon41VjKmN1sWDwU&state=TzQJUv8AY%2BozCsQXYN4PDcHx 302 619.745 ms - 60
    GET /profile 304 264.399 ms - -

Can you post the exact output you see?

Hi Eric,

Thank you for your patience with this issue.

The debugger didn’t work because the app is in production and set up in nginx. However, I took a snapshot of the developer tools window; I hope it can help. It gets to the callback?code with a status of “pending” then eventually times out. The full value of the “initiator” field is:

.okta.com/oauth2/v1/authorize/redirect?okta_key=yCUvSI.

I don’t have administrator access to Okta to check the system log. Is it possible that I don’t have privilege to read the profile? Could it have something to do with the cookie? I set it up as follows:

    app.use(session({ secret: process.env.SESSION, saveUninitialized: true, resave: false, cookie: { maxAge: 60 * 60 * 1000 } }));

I appreciate any help you can provide!

If you can provide the URL of your Okta Org I can check the logs.

My assumption, assuming you did not make any modifications to the sample, is that after your browser redirects back to Node with the code value, your Node process is failing on the /token call, most likely timing out. I suggest verifying network connectivity to your Okta Org from the process/system where nginx is running.

Another possibility is that nginx is not configured correctly to route to your application for /authorization-code/callback.

We have very strict security on our servers and they are open only to specific URLs. It is possible that this server is not open to the /token endpoint. I will check with the systems person.

To verify, is this the token endpoint?

https://.okta.com/oauth2/default/v1/token