loginCallback.failureRedirect is ignored when using a custom loginCallback.handler #26

dimapx opened this issue May 6, 2019 · 2 comments
dimapx commented May 6, 2019

I'm submitting this issue for the package(s):

I'm submitting a:

  • Bug report
  • Feature request
  • Other (Describe below)

Current behavior

I'm using oidc-middleware with a custom loginCallback.handler. The handler handles only successful authentication (per the docs), while authentication failure does not end up in this handler.
In the case of using a wrong clientId, for example, a plain "Unauthorized" text is returned to the browser. I tried setting loginCallback.failureRedirect (to redirect such cases back to the login page), but it is useless, as inside connectUtil you set the failureRedirect only when not using a custom handler.

Expected behavior

Set the loginCallback.failureRedirect regardless of whether a loginCallback.handler is in use. An even better approach could be to add a new failedLoginHandler to allow us to implement any relevant logic on failed authentication attempts (aside from redirecting the user somewhere).

Minimal reproduction of the problem with instructions

My ExpressOIDC setup -

        const express = require('express');
        const session = require('express-session');
        const { ExpressOIDC } = require('@okta/oidc-middleware');

        const server = express();
        // oidc-middleware needs session middleware mounted ahead of its router.
        server.use(session({
            secret: process.env.SESSION_SECRET,
            resave: false,
            saveUninitialized: false
        }));

        const oidc = new ExpressOIDC({
            issuer: process.env.ISSUER,                 // ISSUER
            client_id: process.env.CLIENT_ID,           // CLIENT_ID
            client_secret: process.env.CLIENT_SECRET,   // SECRET
            appBaseUrl: process.env.BASE_URL,           // BASE_URL
            scope: process.env.SCOPE,                   // SCOPE (space-separated string)
            timeout: 10000,
            routes: {
                login: {
                    path: process.env.CUSTOM_LOGIN_ROUTE,   // CUSTOM_LOGIN_ROUTE
                    viewHandler: (req, res, next) => {
                        // custom login related logic, eventually doing a `res.render` of the login page
                    }
                },
                loginCallback: {
                    failureRedirect: process.env.CUSTOM_LOGIN_ROUTE,   // CUSTOM_LOGIN_ROUTE - currently ignored because `handler` is set
                    handler: (req, res, next) => {
                        // custom handler for login callback - only successfully authenticated requests end up here
                    }
                }
            }
        });

        server.use(oidc.router);


Extra information about the use case/user story you are trying to implement

I'm trying to gracefully handle any authentication related (failure) flows. This includes any flows that may end up as a "plain text" returned to the browser. Instead, I want to redirect the users in such cases to the login page. Even better, if you add a failedLoginHandler as mentioned above, I could add a relevant error message ("persist" it via req.session for example) and display it on the server-rendered login page, to indicate to the user that there was an authentication issue.

Environment

  • Package Version: 2.0.0
  • Node version (node -v): 8.x, 10.x
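To make the reported behaviour and the requested change concrete, here is an added example; it is neither oidc-middleware's code nor the reporter's. It models the login-callback dispatch with a stand-in for passport.authenticate (whose default failure action, like passport's, is a plain 401 "Unauthorized") and constructed request/response objects, so it runs offline. The value of LOGIN_ROUTE, the failedLoginHandler signature (req, res, info), and the 'invalid_client' failure info are assumptions made for the example.

```javascript
// Added example, not oidc-middleware's own code: a model of the login
// callback dispatch the issue describes. `authenticate` stands in for
// passport.authenticate('oidc', ...); like passport, its default failure
// action is a plain 401 "Unauthorized". Requests and responses are
// constructed objects so the file runs offline.
const LOGIN_ROUTE = '/login'; // assumed value for CUSTOM_LOGIN_ROUTE

function redirect(res, location) {
  res.statusCode = 302;
  res.setHeader('Location', location);
  res.end();
}

// `outcome` is constructed input: { ok: true, user } or { ok: false, info }.
// options.callback mirrors passport's custom-callback form (err, user, info).
function authenticate(options, outcome) {
  return (req, res, next) => {
    const user = outcome.ok ? outcome.user : false;
    const info = outcome.ok ? undefined : outcome.info;
    if (options.callback) return options.callback(null, user, info, req, res, next);
    if (user) { req.user = user; return next(); }
    if (options.failureRedirect) return redirect(res, options.failureRedirect);
    res.statusCode = 401;
    res.end('Unauthorized');
  };
}

// Post-login action used when no custom handler is configured.
function defaultSuccess(req, res) { redirect(res, '/'); }

// Dispatch as reported: failureRedirect is passed to authenticate only when
// there is no custom handler, so a failed login with a custom handler ends
// in the 401 instead of at the login page.
function callbackAsReported(loginCallback, outcome) {
  const opts = loginCallback.handler ? {} : { failureRedirect: loginCallback.failureRedirect };
  const onSuccess = loginCallback.handler || defaultSuccess;
  return (req, res) => authenticate(opts, outcome)(req, res, () => onSuccess(req, res));
}

// Dispatch as requested: failureRedirect is honoured regardless of the
// handler, and an optional failedLoginHandler(req, res, info) (assumed
// signature) sees the failure first so it can record why login failed.
function callbackProposed(loginCallback, outcome) {
  const onSuccess = loginCallback.handler || defaultSuccess;
  const callback = (err, user, info, req, res, next) => {
    if (err || !user) {
      if (loginCallback.failedLoginHandler) return loginCallback.failedLoginHandler(req, res, info);
      if (loginCallback.failureRedirect) return redirect(res, loginCallback.failureRedirect);
      res.statusCode = 401;
      return res.end('Unauthorized');
    }
    req.user = user;
    return onSuccess(req, res, next);
  };
  return (req, res) => authenticate({ callback }, outcome)(req, res, () => {});
}

// Constructed response stand-in recording status, headers and body.
function mockRes() {
  return {
    statusCode: 200, headers: {}, body: '',
    setHeader(name, value) { this.headers[name] = value; },
    end(body) { this.body = body || ''; },
  };
}

// Run one callback request through `build` and return what the browser sees.
function simulate(build, loginCallback, outcome) {
  const req = { session: {} };
  const res = mockRes();
  build(loginCallback, outcome)(req, res);
  return { status: res.statusCode, location: res.headers.Location, body: res.body, session: req.session };
}

// Constructed configurations and outcomes.
const customHandler = (req, res) => { res.statusCode = 200; res.end(`welcome ${req.user.name}`); };
const badClient = { ok: false, info: { message: 'invalid_client' } }; // e.g. a wrong clientId
const goodLogin = { ok: true, user: { name: 'alice' } };
const withHandler = { failureRedirect: LOGIN_ROUTE, handler: customHandler };
const withFailedHandler = {
  ...withHandler,
  failedLoginHandler(req, res, info) {
    req.session.loginError = info.message; // read by the server-rendered login page
    redirect(res, LOGIN_ROUTE);
  },
};

console.log('reported, custom handler:', simulate(callbackAsReported, withHandler, badClient));
console.log('proposed, custom handler:', simulate(callbackProposed, withHandler, badClient));
console.log('proposed, failedLoginHandler:', simulate(callbackProposed, withFailedHandler, badClient));
```

`simulate` returns the status, Location header, body and session, so the difference is visible without a browser: the reported dispatch answers a failed login at a custom handler with 401 "Unauthorized", the proposed one with a 302 to LOGIN_ROUTE, and the failedLoginHandler variant additionally leaves the reason in the session. Two caveats if the failedLoginHandler pattern is implemented in a real app: treat info.message as untrusted input (it originates in the provider's response) and escape it when rendering it into the login page, and keep failureRedirect a fixed application path rather than anything derived from the request, so the failure path cannot become an open redirect.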

swiftone commented May 7, 2019

Thanks for the bug report @dimapx - the failedLoginHandler may prove to be the less disruptive route, but we'll investigate the options.


swiftone commented May 8, 2019

INFO: Make sure we're calling next() correctly.

@denysoblohin-okta denysoblohin-okta transferred this issue from okta/okta-oidc-js Nov 3, 2021