OK, I found it: passport.socketio depends on Passport and has its own "version" of passport. This means that in my code, when I set serializeUser/deserializeUser, it only affects the passport I use for the REST:
passport.serializeUser(function(user, done) {
  done(null, user);
});
passport.deserializeUser(function(id, done) {
  done(null, id);
});
While passport.socketio by default does:
var defaults = {
  passport: require('passport'),
  key: 'connect.sid',
  secret: null,
  ...
};
Meaning the serializeUser/deserializeUser are not used, which in turn causes this:
Error: failed to deserialize user out of session
The solution is pretty simple: just pass the passport used for the REST to passport.socketio:
io.set('authorization', passportSocketIo.authorize({
  passport: passport,
  cookieParser: express.cookieParser,
  ...
}));
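The instance mismatch described in this answer, as an added example that is not part of the original post and is not passport or passport.socketio code: `MiniPassport`, `nestedPassport` and `authorize` are constructed stand-ins that model only the deserializer lookup and the defaults pattern shown above.

```javascript
// Constructed stand-in for a Passport instance: models only the
// deserializer registration/lookup, not the real library.
class MiniPassport {
  constructor() { this.deserializers = []; }
  deserializeUser(arg, done) {
    if (typeof arg === 'function') {        // registration form
      this.deserializers.push(arg);
      return;
    }
    if (this.deserializers.length === 0) {  // lookup form, nothing registered
      return done(new Error('failed to deserialize user out of session'));
    }
    this.deserializers[0](arg, done);
  }
}

// Two separate instances, as when a dependency resolves its own nested copy
// of the module instead of the copy the application configured.
const appPassport = new MiniPassport();     // configured by the REST app
const nestedPassport = new MiniPassport();  // what the socket layer falls back to

appPassport.deserializeUser(function (id, done) { done(null, id); });

// Hypothetical socket-side authorizer using the same "defaults" pattern:
// if the caller passes no passport, the unconfigured nested copy is used.
function authorize(options) {
  const opts = Object.assign({ passport: nestedPassport }, options);
  return function (sessionUser) {
    let result;
    opts.passport.deserializeUser(sessionUser, function (err, user) {
      result = err ? { ok: false, error: err.message } : { ok: true, user: user };
    });
    return result; // callbacks in this model run synchronously
  };
}

// Constructed session value 'alice' stands in for the stored user key.
const withDefault = authorize({})('alice');
const withShared = authorize({ passport: appPassport })('alice');

console.log(withDefault);
console.log(withShared);
```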