Skip to content

Passport authorization should support POST and GET #811

Closed
Closed
Passport authorization should support POST and GET#811
@trombonekenny

Description

@trombonekenny
trombonekenny
opened on Aug 5, 2025

What happened?

The 6.x branch passport library only triggers the authorizationRequest when initiated from a GET call:

openid-client/src/passport.ts

Line 655 in b77c786

req.method === 'GET' &&

But the OIDC spec allows for both GET and POST:

The parameters can either be passed as query parameters using the HTTP GET method or be passed as HTML form values that are auto-submitted in the User Agent, and thus are transmitted via the HTTP POST method.

This is a regression from the 5.x branch which supported either via client.callbackParams:

openid-client/lib/passport_strategy.js

Line 94 in 45c96f6

if (length === 0 || (length === 1 && parameter === 'iss')) {

Version

6.6.2

Runtime

Node.js

Runtime Details

Node v22.16.0

Code to reproduce

One resolution might be to patch the logic in https://github.com/panva/openid-client/blob/b77c7861f2f9f07103f975326f2f7a84c9d52968/src/passport.ts#L636 to:


    const parameters = {...req.query, ...req.body};
        if (['code', 'error', 'response'].some(key => key in parameters)) {
          Strategy.prototype.authorizationCodeGrant.call(this, req, currentUrl, options);
        } else {
          Strategy.prototype.authorizationRequest.call(this, req, options);
        }

Required

  • I have searched the issues tracker and discussions for similar topics and couldn't find anything related.
  • I agree to follow this project's Code of Conduct

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions