The reason this doesn’t work is because you’re passing state as an object instead of a string. Seems like passport doesn’t stringify that value for you. If you want to pass an object through the state param, you could do something like this:
passport.authenticate("google", {
scope: [
'https://www.googleapis.com/auth/userinfo.profile',
'https://www.googleapis.com/auth/userinfo.email'
],
state: base64url(JSON.stringify(blah: 'test'))
})(request, response);
As Rob DiMarco noted in his answer, you can access the state param in the callback req.query object.
I’m not sure encoding application state and passing it in the state param is a great idea though. The OAuth 2.0 RFC Section 4.1.1 defines state as “an opaque value”. It’s intended to be used for CSRF protection. A better way to preserve application state in between the authorization request and the callback might be to:
- generate some
stateparameter value (hash of cookie, for example) - persist the application state with
stateas an identifier before initiating the authorization request - retrieve the application state in the callback request handler using the
stateparam passed back from Google