Description
When I provide a {session: false} option to the passport.authenticate() method, it gives the error below:
Error: OAuth 2.0 authentication requires session support when using state. Did you forget to use express-session middleware?
As far as I know, Twitter started to fully support the OAuth 2.0 protocol relatively recently, so now we are able to use this auth protocol for schemes like application-user authentication (OAuth 2.0 Authorization Code Flow with PKCE), and not only for application-only authentication (App only). Thus, this new feature enables the use case where we can handle an auth flow on our own, e.g. using it without a session at all. That's why passport provides the {session: false} option to disable keeping tokens in a session when needed to query the API on behalf of users without using libraries like express-session, and passport already supports this working style for Google, Facebook, etc.
To better understand the issue, you can refer to the following (at that time Twitter didn't support OAuth 2.0 with PKCE, but the discussion still makes sense):
https://stackoverflow.com/questions/44071555/why-passport-twitter-requires-session-support
Could you please enable the option {session: false} passed into passport.authenticate()? And, if this library already supports this behavior, could you please give me a hint to fix this issue? Thanks.
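
One way to keep the `state` check and the PKCE verifier without a server-side session is to seal both into an encrypted, short-lived cookie. This is an added example, not part of the original issue and not the library's code; the names `newAuthRequest`, `seal` and `open` are hypothetical, and wiring them into a passport strategy is not shown.

```javascript
// Added example: sealed-cookie storage for OAuth 2.0 state + PKCE verifier.
const crypto = require('node:crypto');

const b64url = (buf) => buf.toString('base64url');

// Create a fresh state value and PKCE pair for one authorization request.
function newAuthRequest() {
  const state = b64url(crypto.randomBytes(16));
  const verifier = b64url(crypto.randomBytes(32)); // 43 chars, within RFC 7636 limits
  const challenge = b64url(crypto.createHash('sha256').update(verifier).digest());
  return { state, verifier, challenge }; // challenge goes out with code_challenge_method=S256
}

// Encrypt {state, verifier, expiry} with AES-256-GCM; the result is the cookie value.
// `key` is a 32-byte server secret (assumption: loaded from configuration).
function seal(key, { state, verifier }, ttlMs = 10 * 60 * 1000, now = Date.now()) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = JSON.stringify({ state, verifier, exp: now + ttlMs });
  const ct = Buffer.concat([cipher.update(body, 'utf8'), cipher.final()]);
  return b64url(Buffer.concat([iv, cipher.getAuthTag(), ct]));
}

// On the callback: decrypt the cookie, check expiry and state, return the verifier.
// Returns null on any failure so the caller can reject the request.
function open(key, cookie, returnedState, now = Date.now()) {
  try {
    const raw = Buffer.from(cookie, 'base64url');
    if (raw.length < 28) return null; // shorter than IV (12) + tag (16)
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
    decipher.setAuthTag(raw.subarray(12, 28));
    const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    const { state, verifier, exp } = JSON.parse(pt.toString('utf8'));
    if (now > exp) return null;
    const a = Buffer.from(state), b = Buffer.from(String(returnedState));
    if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return null;
    return verifier;
  } catch {
    return null; // tampered, truncated, missing, or sealed under a different key
  }
}
```

The cookie carrying the sealed value should be `HttpOnly`, `Secure` and `SameSite=Lax` (not `Strict`, or it will not be sent on the redirect back from the provider), and should be cleared once the callback has been handled.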