Is there a way to pass custom state with the Passport strategy's authenticate call?

[delfuego]

Is there a way to pass custom state with the Passport strategy's authenticate call such that, once the OIDC provider passes the browser back to the application after successful authentication, that custom state is returned to the application as well?

I have an application that has to force-auth users at the point of them applying a digital signature to an object, so at that point, I have to pop up a window which redirects them through a forced-login flow (using the prompt=login request parameter). On returning from that login, I need to then be able to finish the digital signature process, so they need to be redirected back to the right endpoint in my app to do that. My ideal would be to be able to have the initial redirection to our OIDC provider include the extra state of where they should be redirected upon successful authentication, state that then gets passed back to the app after that authentication succeeds.

(Note that I've experimented with using server-side session to do this, but this is fraught with the session then meaning that if they have another app window open, that window too ends up also being affected by the session change. And even then, I've run into painful race states when/if there is an issue saving the session before the redirection completes, then they get stuck in an auth loop.)

[delfuego]

One followup note — #747 made me think of a way to cleanly handle this with session state such that I could control the race conditions a bit better, and I think I'm good to go now. I'd love to know whether there is any way to pass custom state through the Passport authenticate flow, but I figured out how to manage what I need to manage for the moment!

[panva]

You can overload the prototype/instance authorizationRequestParams method to enrich the authorization request parameters as needed. The arguments passed to it are the arguments passed to authenticate().

[delfuego]

The part that I can't wrap my brain around, though, is whether anything I add there comes back to me in the post-authentication redirect to my app's endpoint -- and if so, where I find that data. So, for my app, after a successful OIDC login, our OIDC server redirects the browser to /openid-connect-login; I guess I need to throw some debug params into an overloaded authorizationRequestParams and then put logging on the request I get to /openid-connect-login to see how I might see those debug params come back to me.

[panva]

I believe you're better off with server-side session mechanism. If you're unsure about the purpose and security considerations of the OAuth 2.0 state parameter you're better off leaving the strategy's use of PKCE/state/nonce in its default mode of operation.