Using Cognito w/ OIDC

Code:

```js
// `issuer` is the openid-client Issuer for the Cognito user pool (discovery not shown in the post);
// `url`, `codeVerifier` and `this._options` are likewise set up elsewhere in the app
const client = new issuer.Client({
  client_id: this._options.clientId,
  client_secret: this._options.clientSecret,
  redirect_uris: this._options.redirectUris,
  response_types: ['code'],
});

// get url without query params
const urlParsed = new URL(url);
const redirectUri = urlParsed.origin + urlParsed.pathname;

// exchange code for tokens
const callbackParams = client.callbackParams(url);
console.log('callbackParams:', callbackParams);
const tokenSet = await client.callback(redirectUri, callbackParams, {
  scope: 'openid profile email',
  code_verifier: codeVerifier,
  // state: callbackParams.state, // if I uncomment this then it says "nonce mismatch, expected undefined, got ...."
});
```

Output:

```
callbackParams: {
  code: '99b3ddb3-5ddc-4047-a0b4-d6cc5033bc8a',
  state: 'wg26HIT7n9vjH6038OIQtsbgIk4ZFKWnoVp5tlqyzoY'
}
```

I am following the README here where it does not show the need to provide:

```js
const params = client.callbackParams(req);
const tokenSet = await client.callback('https://client.example.com/callback', params, { code_verifier });
```

Which seems to imply to me that since
Replies: 1 comment
That example you follow didn't pass state to its authorization request, you did, which is why you must pass the same state you sent to the authorization endpoint to the callback method checks. Same goes for nonce btw. If you sent one in, you must pass the same one to checks. If you didn't there's a known bug in cognito where they will put a random one in, so to avoid it you should pass one to the authorization endpoint.