
GitHub says version 2.x, NPM latest is version 1.x. Getting state mismatch error. #21

Open
2 of 9 tasks
benjaminDanis opened this issue Feb 5, 2019 · 4 comments

Comments

@benjaminDanis
I'm submitting this issue for the package(s):

I'm submitting a:

  • Bug report
  • Feature request
  • Other (Describe below)

Current behavior

Seems to be some breaking changes in v2. NPM latest version is 1.x. I'm assuming that this would not be an issue if I could get the latest version of the package, but it is not available on NPM. I will clone the repo off GitHub and work from there, but NPM should be updated.
Getting a state mismatch error after a "successful" login. Despite the error, all userContext is attached to the req obj, and the route with the oidc.ensureAuthenticated() middleware installed on it can be accessed if manually entered.

Expected behavior

After login, user would proceed to the route they had previously attempted to access. There would be no state mismatch error.

Minimal reproduction of the problem with instructions

Extra information about the use case/user story you are trying to implement

Environment

  • Package Version: 1.0.2
  • Browser: Chrome 71
  • OS: mac 10.13.6
  • Node version (node -v): 8.14.0
  • Other:
@swiftone
swiftone commented Feb 5, 2019

Sorry about the confusion - the version mismatch would be my fault for updating GitHub prior to being ready for an NPM publish, which I am working to rectify now.

The 2.x update adds a logout feature, but doesn't (at least 2.0.0 doesn't) fix any issues that would prevent 1.x from working.

It is possible you are sending a 1.x configuration to the 2.x library - can you provide the config fields (NOT their values - please keep your information, particularly your client secret, safe) you are setting, and the specific error message you are getting?

@benjaminDanis

```
Error: state mismatch, could not find a state in the session, this is likely an environment setup issue, loaded session: undefined
    at callback.then.catch (/Users/DanisB/apps/grand-canyon/node_modules/openid-client/lib/passport_strategy.js:169:20)
    at <anonymous>
    at runMicrotasksCallback (internal/process/next_tick.js:122:5)
    at _combinedTickCallback (internal/process/next_tick.js:132:7)
    at process._tickCallback (internal/process/next_tick.js:181:9)
```

Above is the error I am receiving. When I navigate to any route on my app that is not the route /oktalogin (which contains the oidc.ensureAuthenticated() middleware) and then proceed to navigate to /oktalogin after hitting that initial route I receive the state mismatch error. I get a 401 from the auth-code callback. oidc.on('error') does not emit anything. After the error occurs, I am able to access the /oktalogin route by manually entering it in the address bar.

I do not receive this error when I navigate directly to /oktalogin.

Below are my configs:

```js
const { ExpressOIDC } = require('@okta/oidc-middleware');
const oidc = new ExpressOIDC({
  issuer: `${process.env.ORG_URL}/oauth2/default/`,
  client_id: process.env.CLIENT_ID,
  client_secret: process.env.CLIENT_SECRET,
  redirect_uri: `${process.env.HOST_URL}/authorization-code/callback`,
  scope: 'openid profile',
});
```

@swiftone
swiftone commented Feb 5, 2019

I just created a sample app using 1.0.2 of the middleware, using your pattern of configs (with my own org) and I was unable to recreate your issue.

  • I created an /open route that did not use oidc.ensureAuthenticated()
  • I created an /oktalogin route that did

Navigating to /open was successful without errors, and /oktalogin would redirect to Okta to check for login and either prompt me there or return me to my app. Did I miss the sequence that would lead to your error?

A state mismatch MIGHT occur if something calls /logout during the session (example, a different browser tab). Do you have anything like that going on?

Unrelated to your error, but related to your bug report: 2.0.0 should be visible via npm. It provides a new, automatic /logout route (that is POST-based, in case you have browser pre-fetch or something else hitting your /logout route)

@snair-ext

Has this issue been resolved? I am also facing this exact issue.

@denysoblohin-okta denysoblohin-okta transferred this issue from okta/okta-oidc-js Oct 29, 2021