Undocumented Strategy constructor options

[kara-ryli]

Looking through the code trying to figure out how to do CSRF state values, I noticed a bunch of undocumented options in the Strategy constructor:

customHeaders
scope
scopeSeparator
state
sessionKey
proxy
skipUserProfile

Any reason they're not documented? state seems particularly important.

[jaredhanson]

state and scope should be documented. The rest are not documented simply because they are not generally useful, and I tend to favor explaining less options in order to reduce confusion.

All the options are usable and supported however, and I tend to comment on them only when discussing specific use cases where they are needed.

[bertramn]

So how is someone to implement logic that requires setup of application state prior to the oauth login and take action based on the state after successful authentication?

[joh-klein]

I would as well really appreciate the full documentation of how to use the state paramenter.

[joh-klein]

Implementation with the examples from the Readme:

// add 'state: true' to enable state parameter inclusion
passport.use(new OAuth2Strategy({
    authorizationURL: 'https://www.example.com/oauth2/authorize',
    tokenURL: 'https://www.example.com/oauth2/token',
    clientID: EXAMPLE_CLIENT_ID,
    clientSecret: EXAMPLE_CLIENT_SECRET,
    callbackURL: "http://localhost:3000/auth/example/callback",
    state: true
  },
  function(accessToken, refreshToken, profile, cb) {
    User.findOrCreate({ exampleId: profile.id }, function (err, user) {
      return cb(err, user);
    });
  }
));

app.get('/auth/example',
  passport.authenticate('oauth2'));

// This is where the state parameter is checked. 
// If it fails, users will be redirected to '/login' (value from failureRedirect)
app.get('/auth/example/callback',
  passport.authenticate('oauth2', { failureRedirect: '/login' }),
  function(req, res) {
    // Successful authentication, redirect home.
    res.redirect('/');
  });

[infoGraphMT]

Shouldn't I be able to pass any string with state parameter?

[joh-klein]

No. It is implemented in a way that generating, sending and response checking is done in the background.

See #24 and #49 for reference

[tmarshall]

Just spent far too long trying to figure out why a redirect was switching from https to http. stumbled upon strongloop/loopback-component-passport#120 and then ended up figuring out proxy by stepping through the module. The issue I referenced shows that this causes problems with more devs than myself. Not sure why you would not document usable options.