I'm having trouble figuring out the purpose of customState and if/how I can utilize it to pass data to the return url. Specifically I wish to route the user back to their original location after being signed in. I thought I could pass the original url to the parameter customState and have it returned back to me in the return url POST, but it appears to be encoded or perhaps replaced with a different value.
Here is what I want to achieve:
/page/protected which requires authentication.passport.authenticate which in turn redirects the user to sign in./auth/oidc/return./page/protected.A return URL (e.g. "/page/protected") can be round-tripped by:
1) Setting the "customState" parameter before the authentication middleware redirects to Azure AD B2C:
app.get('/login', function (req, res, next) {
passport.authenticate('azuread-openidconnect', {
response: res,
resourceURL: config.resourceURL,
customState: '/page/protected', // Or set to the current URL
failureRedirect: '/'
})(req, res, next);
}, function (req, res) {
res.redirect('/');
});
2) Getting the req.body.state parameter after the authentication middleware validates the authentication response from Azure AD B2C:
app.post('/auth/openid/return', function (req, res, next) {
passport.authenticate('azuread-openidconnect', {
response: res,
failureRedirect: '/'
})(req, res, next);
}, function (req, res) {
res.redirect(req.body.state);
});
The "customState" parameter value should be encrypted, which will mean the req.body.state parameter will have to be decrypted, if you don't want the return URL to be tampered with.
Otherwise, it is common to write the return URL to req.session before the authentication middleware redirects and sends the authentication request to Azure AD B2C, and then read (and then delete) this return URL from req.session after the authentication middleware receives and validates the authentication response from Azure AD B2C.