问题
I'm using Passport.js to do authentication, and per Google's OAuth2 documentation, I'm passing in a state variable:
app.get('/authenticate/googleOAuth', function(request, response) {
passport.authenticate('google', {
scope:
[
'https://www.googleapis.com/auth/userinfo.profile',
'https://www.googleapis.com/auth/userinfo.email'
],
state: { blah: 'test' }
})(request, response);
});
However, I can't seem to access that variable at a later date:
passport.use(new googleStrategy(
{
clientID: '...',
clientSecret: '...',
callbackURL: '...',
passReqToCallback: true
},
function(request, accessToken, refreshToken, profile, done) {
console.log('state: ' + request.query.state);
login(profile, done);
}));
request.query.state is undefined. request.param("state") doesn't work, either.
How can I get at that variable after the authentication callback?
回答1:
The reason this doesn't work is because you're passing state as an object instead of a string. Seems like passport doesn't stringify that value for you. If you want to pass an object through the state param, you could do something like this:
passport.authenticate("google", {
scope: [
'https://www.googleapis.com/auth/userinfo.profile',
'https://www.googleapis.com/auth/userinfo.email'
],
state: base64url(JSON.stringify(blah: 'test'))
})(request, response);
As Rob DiMarco noted in his answer, you can access the state param in the callback req.query object.
I'm not sure encoding application state and passing it in the state param is a great idea though. The OAuth 2.0 RFC Section 4.1.1 defines state as "an opaque value". It's intended to be used for CSRF protection. A better way to preserve application state in between the authorization request and the callback might be to:
- generate some
stateparameter value (hash of cookie, for example) - persist the application state with
stateas an identifier before initiating the authorization request - retrieve the application state in the callback request handler using the
stateparam passed back from Google
回答2:
Testing this briefly, using Node.js v0.8.9, the runtime-configured parameters for the Google OAuth 2.0 authorization request are eventually formatted via the getAuthorizeUrl method in the node-auth library. This method relies upon querystring.stringify to format the redirect URL:
exports.OAuth2.prototype.getAuthorizeUrl= function( params ) {
var params= params || {};
params['client_id'] = this._clientId;
params['type'] = 'web_server';
return this._baseSite + this._authorizeUrl + "?" + querystring.stringify(params);
}
(Above copied from https://github.com/ciaranj/node-oauth/blob/efbce5bd682424a3cb22fd89ab9d82c6e8d68caa/lib/oauth2.js#L123).
Testing in the console using the state parameter you specified:
querystring.stringify({ state: { blah: 'test' }}) => 'state='
As a workaround, you can try JSON-encoding your object, or use a single string, which should resolve your issue. You can then access the state, in your callback request handler, via req.query.state. Remember to JSON.parse(req.query.state) when accessing it.
来源:https://stackoverflow.com/questions/13788107/how-can-i-access-oauths-state-parameter-using-passport-js