
node-oidc-provider authorization code not found


So I'm trying to implement an OpenID Connect server using the node-oidc-provider library by panda, using TypeScript.

I'm encountering a problem when trying to exchange the authorization_code for an auth token. Basically it says the code is not found, although I can see the document in the mongo database, and when I place a console.log in the find function of the adapter used by the library to retrieve the code, it does get found.

I get the auth using this url:

http://localhost:3000/auth?client_id=test&response_type=code&scope=openid

And then from postman I'll send this request:

POST http://localhost:3000/token

REQ HEADERS
Content-Type:application/x-www-form-urlencoded

REQ BODY
grant_type:authorization_code
code:rekLjZKPFPk0pPSBJKlgqFt0tPtCq1k03ktS8CUh_X6
client_id:test
client_secret:testsecret
redirect_uri:https://lvh:8080/cb

The response is the following:

{
    "error": "invalid_grant",
    "error_description": "grant request is invalid"
}

Digging deeper into the library I put a console.log in the file lib/actions/grants/authorization_code.js before the if check at line 38. There I can see that the ctx.oidc.params.code variable is correctly set with the auth_code, but then the code retrieved from the line const code = await ctx.oidc.provider.AuthorizationCode.find is undefined.

This is my oidc-config: oidc-config

This is the mongodb adapter: mongodb-adapter

Given the console logs I put in the code for debugging, this is the output I get when I send the token request from postman:

Received code: rekLjZKPFPk0pPSBJKlgqFt0tPtCq1k03ktS8CUh_X6
MongoAdapter#find rekLjZKPFPk0pPSBJKlgqFt0tPtCq1k03ktS8CUh_X6
MongoAdapter#coll authorization_code oidc.authorization_code
MongoAdapter#find result {
  iat: 1570099703,
  exp: 1570105703,
  accountId: 5d937633b00ba1073edaa689,
  authTime: 1570099703,
  claims: { rejected: [] },
  grantId: 'JEMh2GsZaEjlgeGx9MXT0',
  redirectUri: 'https://lvh:8080/cb',
  scope: 'openid',
  sessionUid: 'QA3vhV_8-Jlgc8583_aGZ',
  kind: 'AuthorizationCode',
  jti: 'rekLjZKPFPk0pPSBJKlgqFt0tPtCq1k03ktS8CUh_X6',
  clientId: 'test',
  expiresWithSession: true
}
MongoAdapter#coll session oidc.session
Found code: undefined
InvalidGrant authorization code not found

I'm pretty sure the error is mine, and not a bug in the library. But I can't seem to understand what I'm doing wrong.

UPDATE

Going in debug mode, I see that it actually fails at line 26 of lib/models/mixins/is_session_bound.js: assert.equal(token.accountId, session.accountId(), 'token and session principal are now different');

But I still have no idea what that means.


Solution

  • So basically the problem was that I was passing the account id as it was coming out from the mongoose query. But since the id of a document by default is an object, the assert check would fail (even though the content was the same). What I did then was edit the virtual method on the User model, adding a toString() at the end.

    schema.virtual('id').get(function (this: { _id: string }) {
        return this._id.toString();
    });
    

    And that solves the issue.
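
The failure mode described in the solution, reproduced as an added example (not part of the original post and not the library's code). It assumes the session-bound check behaves like Node's legacy `assert.equal`, which compares with `==`; `FakeObjectId`, `readBack`, `samePrincipal` and `toAccountId` are hypothetical names, and the session's account id is modelled as a plain property.

```javascript
// Constructed stand-in for a MongoDB ObjectId (an object wrapping a hex string).
class FakeObjectId {
  constructor(hex) { this.hex = hex; }
  toString() { return this.hex; }
}

// Hypothetical store read: every read deserializes into fresh objects,
// as a database driver does.
function readBack(doc) {
  const id = doc.accountId;
  return { ...doc, accountId: id instanceof FakeObjectId ? new FakeObjectId(id.hex) : id };
}

// Legacy assert.equal(a, b) compares with ==, which for two objects means
// "same instance", not "same content".
function samePrincipal(token, session) {
  return token.accountId == session.accountId;
}

// Guard for the account-loading code: hand the provider a string primitive only.
// Assumption: account ids are 24-character hex ObjectId strings.
function toAccountId(id) {
  const s = String(id);
  if (!/^[0-9a-f]{24}$/.test(s)) throw new TypeError(`unexpected account id: ${s}`);
  return s;
}

function demo() {
  const rawId = new FakeObjectId('5d937633b00ba1073edaa689'); // id from the log above
  // Before the fix: the object id ends up in both stored documents.
  const brokenCode = readBack({ kind: 'AuthorizationCode', accountId: rawId });
  const brokenSession = readBack({ kind: 'Session', accountId: rawId });
  // After the fix: the id is a string before it reaches the provider.
  const fixedCode = readBack({ kind: 'AuthorizationCode', accountId: toAccountId(rawId) });
  const fixedSession = readBack({ kind: 'Session', accountId: toAccountId(rawId) });
  return {
    sameText: String(brokenCode.accountId) === String(brokenSession.accountId),
    broken: samePrincipal(brokenCode, brokenSession),
    fixed: samePrincipal(fixedCode, fixedSession),
  };
}

console.log(demo()); // { sameText: true, broken: false, fixed: true }
```

The two broken documents print the same id, which is why the adapter's log looks correct while the principal check still rejects the code.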