Questions moving from passport-auth0 to express-openid-connect

Ok, so I’ve been using the Passport version to connect to auth0 for a while, and I saw that there was this slicker library to connect, that seemed to offer more control and be a bit faster. I can’t find a translation document, though, and I fully admit not understanding deep details of the auth transaction (which is why I’m using auth0 in the first place).

In other words: I’m a bit out of my depth here. Please bear with me.

In express-openid-connect:

Q1: In the Passport access, the req.user object returned various ‘normalized’ versions of the user profile: displayName, id, provider, emails, etc. This is not there with the openid version. One of the features of Auth0 I thought was doing this regularization of user identity, but maybe this changed?

Q2: In my app, I have set “RBAC Settings” so that Permissions are included in the access token. In my app, I decode the access token in the Passport callback, and then have those permissions available to check user permissions against different tasks. However, the accessToken doesn’t show up in the req.oidc object, only the idToken (which does not contain the permissions).

Q3: The example code shows getting more user info:

  const userInfo = await req.oidc.fetchUserInfo();

but this call fails for me, with “TypeError: access_token not present in TokenSet”.

Q4: I’m also a bit concerned at letting this library handle the express-session for me, since I’m not sure what it’s saving and why. It seems that req.session is undefined after the auth() middleware. How is it using the session store? How can I use it for my own properties?

Q5: Should I even be trying to use this? I get the impression from the documentation that the openid method is somewhat faster? And may better support refresh tokens so fewer logins? I like the smaller code footprint, and I get the impression I have more control… but I can’t figure out how to use it.

By code inspection, I’ve worked out Q1: there is translation code for those items in the Passport code, which isn’t too bad to port into the new app.

Basically, req.oidc.user.sub → user.user_id, and name becomes displayName.

Q2 remains obscure. I don’t understand how RBAC is supposed to work in this API.

I think it might be related to Q3… looking at the contents of req.oidc, at no point is the accessToken field filled. Maybe I’m not getting access tokens, only refresh tokens?

Q4: Apparently, “session” seems to be a misnomer, since express-session is never invoked. Still not sure how to integrate this package with express-session.