
There are similar questions out there, but none that directly address why this use of express-session consistently works in Safari but not in Chrome.

My server code is below; it only needs to authenticate a single page with a logged-out and a logged-in view. Yesterday, this was working in Chrome when served locally and when deployed to Azure or Heroku. Today, with no change made, it wasn't working at all in Chrome, either locally or deployed. The home page loads, but when I click login, am redirected to the Okta login page, and log in, this is the error I get when I am redirected back to my page (e.g. localhost:3000/authorization-code/callback?code=xxxxxxxx&state=xxxxxxxx):

Error: did not find expected authorization request details in session, req.session["oidc:https://subdomain.domain.com/oauth2/default"] is undefined

I then tested in Safari, where it has consistently worked without issue--both locally and hosted. I did just notice that the hosted version works in Azure again for the moment--again, with no change or redeployment. The local version still does not work.

// Core and third-party modules used by this server.
const http = require('http')
const express = require('express')
const path = require('path')
const fs = require('fs')
const cors = require('cors')
const session = require('express-session')
const OktaJwtVerifier = require('@okta/jwt-verifier')
const { ExpressOIDC } = require('@okta/oidc-middleware')

// Load .env into process.env before anything below reads configuration from it.
require('dotenv').config()

const app = express()
app.use(express.json())
app.use(express.urlencoded({ extended: true }))
// Static assets live in ./express (index.html, help.html, ...)
app.use(express.static('express'))

// NOTE(review): `fs` and `OktaJwtVerifier` are required but not referenced anywhere in this file.
const getUserInfo = require('./getUserInfo')

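// Session support is required to use ExpressOIDC: the in-flight login's
// authorization request details are stored under req.session, so a callback
// request that arrives without the session cookie is the likely source of the
// "did not find expected authorization request details in session" error.
app.use(
  session({
    // Prefer a secret from the environment; the literal is only a local
    // fallback. A secret that is checked into source lets anyone who reads it
    // forge session cookies, so do not rely on the fallback in a deployment.
    secret: process.env.SESSION_SECRET || 'secretsecret',
    resave: true,
    saveUninitialized: false,
    cookie: {
      // httpOnly: false makes the session cookie readable by page scripts;
      // set it to true unless client-side JS genuinely needs the cookie.
      httpOnly: false,
      // NOTE(review): neither `secure` nor `sameSite` is set, so each browser
      // applies its own defaults to this cookie — confirm the defaults match
      // how the /authorization-code/callback request is made.
    },
  })
)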

// OIDC client configuration. Real values come from the environment (loaded by
// dotenv above); the literals are local-development fallbacks and the real
// client_secret should never be committed.
const oidcConfig = {
  issuer: process.env.ISSUER || 'https://[okta hosted custom domain].com/oauth2/default',
  client_id: process.env.CLIENT_ID || 'xxxxxxxxxx',
  client_secret: process.env.CLIENT_SECRET || 'xxxxxxxxxxxxxxxxxxx',
  // NOTE(review): the session cookie is scoped to the host the browser used;
  // if the app is opened on a host other than the one in redirect_uri (e.g.
  // 127.0.0.1 vs localhost), the callback would arrive without it — verify.
  redirect_uri: process.env.REDIRECT_URI || 'http://localhost:3000/authorization-code/callback',
  appBaseUrl: process.env.APP_BASE_URL || 'http://localhost:3000',
  scope: 'openid profile',
}

const oidc = new ExpressOIDC(oidcConfig)

// ExpressOIDC attaches handlers for the /login and /authorization-code/callback routes.
app.use(oidc.router)

// CORS is registered after the OIDC router, so its headers are not applied to
// the /login and callback routes. cors() with no options allows any origin
// but does not send Access-Control-Allow-Credentials.
const corsMiddleware = cors()
app.use(corsMiddleware)
app.options('*', corsMiddleware)


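// Returns user info for the authenticated session. Responds 401 when there is
// no authenticated session so the client does not hang waiting for a reply.
app.get('/userinfo', (req, res) => {
  console.debug("in user info")

  // Environment selector passed through to the user-info lookup.
  const domain = 'dev'

  if (!req.isAuthenticated()) {
    res.sendStatus(401)
    return
  }

  // getUserInfo.userRequest receives res and is expected to write the response itself.
  getUserInfo.userRequest(res, req.userContext, domain)
})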

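// Returns the OIDC userinfo claims for the authenticated session. Responds 401
// when there is no authenticated session instead of leaving the request open.
app.get('/authStatus', (req, res) => {
  console.debug("in auth status")
  if (!req.isAuthenticated()) {
    res.sendStatus(401)
    return
  }
  res.send(req.userContext.userinfo)
})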

// forceLogoutAndRevoke() redirects the user away; this trailing handler is never
// reached. After the redirects the user ends up wherever `routes.logoutCallback.path`
// specifies (default `/`).
const afterForceLogout = (_req, _res) => {}

app.post('/forces-logout', oidc.forceLogoutAndRevoke(), afterForceLogout)

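// Default URL for the website: serves the single-page app from ./express.
// path.join takes the segments as separate arguments; __dirname resolves to
// the directory containing this file.
app.get('/', function(req, res) {
  res.sendFile(path.join(__dirname, 'express', 'index.html'))
})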

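// FAQ path: serves the static help page from ./express.
// path.join takes the segments as separate arguments; __dirname resolves to
// the directory containing this file.
app.get('/help', function(req, res) {
  res.sendFile(path.join(__dirname, 'express', 'help.html'))
})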

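// Catch-all: any path not handled above (including static files and the OIDC
// routes registered earlier) falls back to the single-page app's index.html.
// path.join takes the segments as separate arguments; __dirname resolves to
// the directory containing this file.
app.get('*', function(req, res) {
  res.sendFile(path.join(__dirname, 'express', 'index.html'))
})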

// normalizePort is a hoisted function declaration below, so it is callable here.
const port = normalizePort(process.env.PORT || '3000')

const server = http.createServer(app)
server.listen(port)

console.debug(`Info site server listening on port ${port}`)

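/**
 * Normalize a port value from the environment into something server.listen accepts.
 *
 * @param {string|number} val - Raw port value (e.g. process.env.PORT).
 * @returns {number|string|false} A non-negative port number, the original value
 *   when it is not numeric (treated as a named pipe), or false for negative numbers.
 */
function normalizePort(val) {
  // Radix 10 avoids octal/hex interpretation of leading characters.
  const port = Number.parseInt(val, 10)

  if (Number.isNaN(port)) {
    // named pipe
    return val
  }

  if (port >= 0) {
    // port number
    return port
  }

  return false
}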