Redirect loop with wrong client credentials

[louis-vinchon]

I have a server set up to use OIDC with a Keycloak instance: I have passport + openid-client and it's working fine when the client id and client secrets are correct.

However the other day I had an incorrect client secret, and login in my server caused some weird redirect loop which was difficult to debug.

The gist of it is: If the credentials are wrong, the openid-client strategy will return 302s "on its own" (the verify callback never gets called) and causes that redirection loop.

My questions:

• Is there a way to "validate" my credentials before actually trying to log in with a user account?
• Is there a way to provide a custom "validate" middleware to openid-client that will handle the request, allowing me to customize the response and avoid that pesky redirect loop?

If there is no custom callback to control openid-client's response, should I make some kind of wrapper straategy to handle it?

[panva]

The gist of it is: If the credentials are wrong, the openid-client strategy will return 302s "on its own" (the verify callback never gets called) and causes that redirection loop.

The strategy does nothing of the sort "on its own". It merely passes control back to passport either via .fail() or .error(). The handling of those is entirely up to passport and your configuration or orchestration of it, not the strategy.