stateData lost during identity brokering

[zam6ak]

Hi

I am using openid-client v6.8.1 with Express.js v5.2.1 and Passport.js v0.7.0 (all latest).
I am also using Keycloak as IdP and have configured sample web application (not SPA, just regular web app) with appropriate OIDC client
My application has context root of "/poc-web-keycloak" and am using Authorization Code flow w/ PKCS.

Everything works great when I authenticate against Keycloak!

However, if I configure any of "Identity Providers" in Keycloak (either social login such as Bitbucket or another OIDC provider such as Auth0), I am getting 401 during "last leg" redirect.
After some debugging, I am noticing that failure occurs due to missing stateData (it is retrieved from session but it is missing code_verifier)

Here is the annotated application log/flow of 2 scenarios (successful one and failure one)
Note - I added some debugging (console.log) messages in the openid-client files...

Scenario A) - log in using Keycloak credentials

1. from application landing page, click login button - user is taken to Keycloak login page and flow will start (this takes user to Keycloak realm's OpenID Connect authorization endpoint (/auth/realms/apps/protocol/openid-connect/auth) for an authorization code)

     router dispatching GET /poc-web-keycloak/login +8s
     express-session fetching q1G43e9OI-F7-vAjdguENkReB3Vgz-JI +8s
     express-session session found +1ms
     app:main middleware #1: res.locals... +8s
     router <anonymous>  : /poc-web-keycloak/login +1ms
   openid-client | passport.js | authorizationRequest() | start...
   openid-client | passport.js | authorizationRequest() | stored in session, sessionKey: localhost.mydomain.dev, stateData: { code_verifier: 'ftHpD6i-eN1d37oGCDwVzCtizWDmkip4HJAV36Ehvdk' }
     express-session saving q1G43e9OI-F7-vAjdguENkReB3Vgz-JI +2ms
   

2. enter credentials on Keycloak login page and click login button

     router dispatching GET /poc-web-keycloak/auth/callback?session_state=f708f50a-a1a2-2cf4-2216-552a28ce7473&iss=https%3A%2F%2Flocalhost.mydomain.dev%2Fauth%2Frealms%2Fexa-apps&code=87c6c852-278f-8766-f7fc-ed493119db9c.f708f50a-a1a2-2cf4-2216-552a28ce7473.b14996ae-7e75-4828-b6ad-75145c9aba1e +47s
     express-session fetching q1G43e9OI-F7-vAjdguENkReB3Vgz-JI +47s
     express-session session found +0ms
     router initialize  : /poc-web-keycloak/auth/callback?session_state=f708f50a-a1a2-2cf4-2216-552a28ce7473&iss=https%3A%2F%2Flocalhost.mydomain.dev%2Fauth%2Frealms%2Fexa-apps&code=87c6c852-278f-8766-f7fc-ed493119db9c.f708f50a-a1a2-2cf4-2216-552a28ce7473.b14996ae-7e75-4828-b6ad-75145c9aba1e +1ms
     router authenticate  : /poc-web-keycloak/auth/callback?session_state=f708f50a-a1a2-2cf4-2216-552a28ce7473&iss=https%3A%2F%2Flocalhost.mydomain.dev%2Fauth%2Frealms%2Fexa-apps&code=87c6c852-278f-8766-f7fc-ed493119db9c.f708f50a-a1a2-2cf4-2216-552a28ce7473.b14996ae-7e75-4828-b6ad-75145c9aba1e +0ms
     app:main middleware #1: res.locals... +47s
     app:main /poc-web-keycloak/auth/callback | req.session.returnTo: undefined +0ms
     app:main /poc-web-keycloak/auth/callback | successRedirect: https://localhost.mydomain.dev/poc-web-keycloak/protected +0ms
   openid-client | passport.js | authorizationCodeGrant() | start...
   openid-client | passport.js | authorizationCodeGrant() | retrieved from session, sessionKey: localhost.mydomain.dev, stateData: { code_verifier: 'ftHpD6i-eN1d37oGCDwVzCtizWDmkip4HJAV36Ehvdk' }
   openid-client | passport.js | authorizationCodeGrant() | calling client.authorizationCodeGrant()...
   openid-client | index.js | authorizationCodeGrant() | start...
   openid-client | index.js | authorizationCodeGrant() | calling authorizationCodeGrantRequest()...
   openid-client | index.js | authorizationCodeGrant() | calling processAuthorizationCodeResponse()...
   openid-client | passport.js | authorizationCodeGrant() | calling verified()...
     app:main passport.serializeUser()... +58ms
     express-session set-cookie sid.poc-web-keycloak=s%3AGqmAvgdOpSPpkPK_QYre7Yy4ROXQjyq7.eX6wTv%2F3YSNhrzu3FrwigaiMBj0imCB8BLGDc1u452g; Path=/; Expires=Thu, 11 Dec 2025 16:39:17 GMT; HttpOnly; Secure; SameSite=Strict +60ms
     express-session split response +0ms  
     router dispatching GET /poc-web-keycloak/protected +70ms
   

3. at this point, I am now logged in and can access app's protected area at "/poc-web-keycloak/protected"

Scenario B) - log in using Keycloak's identity provider integration via Auth0

1. from application landing page, click login button, user is taken to Keycloak login page
   • this step is identical in behavior to 1st step of Scenario A above
2. on Keycloak login page, instead of entering credentials, click on the "Sign in with Auth0" button
   • this action loads Auth0 login page, there are no entries in app log yet
3. enter credentials on Auth0, and click login

     router dispatching GET /poc-web-keycloak/auth/callback?session_state=b191c668-f331-5191-9adb-65665c76582c&iss=https%3A%2F%2Flocalhost.mydomain.dev%2Fauth%2Frealms%2Fexa-apps&code=f8a73c77-5928-70ea-ff4c-87ad058b9aed.b191c668-f331-5191-9adb-65665c76582c.b14996ae-7e75-4828-b6ad-75145c9aba1e +2m
     express-session no SID sent, generating session +2m
     router initialize  : /poc-web-keycloak/auth/callback?session_state=b191c668-f331-5191-9adb-65665c76582c&iss=https%3A%2F%2Flocalhost.mydomain.dev%2Fauth%2Frealms%2Fexa-apps&code=f8a73c77-5928-70ea-ff4c-87ad058b9aed.b191c668-f331-5191-9adb-65665c76582c.b14996ae-7e75-4828-b6ad-75145c9aba1e +1ms
     router authenticate  : /poc-web-keycloak/auth/callback?session_state=b191c668-f331-5191-9adb-65665c76582c&iss=https%3A%2F%2Flocalhost.mydomain.dev%2Fauth%2Frealms%2Fexa-apps&code=f8a73c77-5928-70ea-ff4c-87ad058b9aed.b191c668-f331-5191-9adb-65665c76582c.b14996ae-7e75-4828-b6ad-75145c9aba1e +0ms
     app:main middleware #1: res.locals... +2m
     app:main /poc-web-keycloak/auth/callback | req.session.returnTo: undefined +0ms
     app:main /poc-web-keycloak/auth/callback | successRedirect: https://localhost.mydomain.dev/poc-web-keycloak/protected +0ms
   openid-client | passport.js | authorizationCodeGrant() | start...
   openid-client | passport.js | authorizationCodeGrant() | retrieved from session, sessionKey: localhost.mydomain.dev, stateData: undefined
   openid-client | passport.js | authorizationCodeGrant() | returning this.fail('Unable to verify authorization request state')...
   

   • at this point I get a 401 Unauthorized and am "stuck" on "/poc-web-keycloak/auth/callback" page
   • however, if I navigate manually to "/poc-web-keycloak/protected" I can access it and am actually logged into the app
   • Keycloak log also shows no errors and that all "steps" in flow were successful

From what I am observing, it seem to me that in case of indentity provider flows, the call to application callback URL is missing session cookie (somehow) and this is why Strategyis not getting code_verifier in stateData causing it fail.
But at the same time, as observed, simply navigating to protected area of the app after this 401 is displayed actually works.
In the session I see user object, I see tokens, and all other relevant data....

So far I tried several integrations (Bittbucket, Auth0, Microsoft) - they are triggering this issue.

What am I missing here?
Any help is appreciated

Z....

[panva]

Clearly the way your sessions are set up prevents from cookies to be sent with the final redirect from an idp. You're setting them to strict or have them somehow else misconfigured.

[zam6ak]

Thank you @panva !

That was it!
Changing the session cookie sameSite property from strict to lax resolved the issue.