OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
openid-client simplifies integration with authorization servers by providing easy-to-use APIs for the most common authentication and authorization flows, including OAuth 2 and OpenID Connect. It is designed for JavaScript runtimes like Node.js, Browsers, Deno, Cloudflare Workers, and more.
Features
The following features are currently in scope and implemented in this software:
Authorization Server Metadata discovery
Authorization Code Flow (profiled under OpenID Connect 1.0, OAuth 2.0, OAuth 2.1, FAPI 1.0 Advanced, and FAPI 2.0)
Refresh Token, Device Authorization, and Client Credentials Grants
Demonstrating Proof-of-Possession at the Application Layer (DPoP)
If you want to quickly add authentication to JavaScript apps, feel free to check out Auth0's JavaScript SDK and free plan. Create an Auth0 account; it's free!
Filip Skokan has certified that this software conforms to the Basic, FAPI 1.0, and FAPI 2.0 Relying Party Conformance Profiles of the OpenID Connectβ’ protocol.
Support from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by becoming a sponsor.
Authorization Code flow is for obtaining Access Tokens (and optionally Refresh Tokens) to use with
third party APIs.
When you want to have your end-users authorize or authenticate you need to send them to the authorization server's authorization_endpoint. Consult the web framework of your choice on how to redirect but here's how
to get the authorization endpoint's URL with parameters already encoded in the query to redirect
to.
1/**
2 * Value used in the authorization request as the redirect_uri parameter, this
3 * is typically pre-registered at the Authorization Server.
4 */
5let redirect_uri!: string
6let scope!: string // Scope of the access request
7/**
8 * PKCE: The following MUST be generated for every redirect to the
9 * authorization_endpoint. You must store the code_verifier and statein the
10 * end-user session such that it can be recovered as the user gets redirected
11 * from the authorization server back to your application.
12 */
13let code_verifier: string = client.randomPKCECodeVerifier()
14let code_challenge: string =
15 await client.calculatePKCECodeChallenge(code_verifier)
16let state!: string
1718let parameters: Record<string, string> = {
19 redirect_uri,
20 scope,
21 code_challenge,
22 code_challenge_method: 'S256',
23}
2425if (!config.serverMetadata().supportsPKCE()) {
26 /**
27 * We cannot be sure the server supports PKCE so we're going to use state too.
28 * Use of PKCE is backwards compatible even if the AS doesn't support it which
29 * is why we're using it regardless. Like PKCE, randomstate must be generated
30 * for every redirect to the authorization_endpoint.
31 */
32state = client.randomState()
33 parameters.state = state34}
3536let redirectTo: URL = client.buildAuthorizationUrl(config, parameters)
3738// now redirect the userto redirectTo.href
39console.log('redirecting to', redirectTo.href)
When end-users are redirected back to the redirect_uri your application consumes the callback and
passes in PKCE code_verifier to include it in the authorization code grant token exchange.
1let scope!: string// Scope of the access request23let response = await client.initiateDeviceAuthorization(config, { scope })
45console.log('User Code:', response.user_code)
6console.log('Verification URI:', response.verification_uri)
7console.log('Verification URI (complete):', response.verification_uri_complete)
You will display the instructions to the end-user and have them directed at verification_uri or
verification_uri_complete, afterwards you can start polling for the Device Access Token Response.
This will poll in a regular interval and only resolve with tokens once the end-user authenticates.
Client Credentials Grant
Client Credentials flow is for obtaining Access Tokens to use with third party APIs on behalf of your application, rather than an end-user which was the case in previous examples.
1let scope!: string// Scope of the access request2let resource!: string// Resource Indicator of the Resource Server the access token is for34let tokens: client.TokenEndpointResponse = await lib.clientCredentialsGrant(
5config,
6 { scope, resource },
7)89console.log('Token Endpoint Response', tokens)
Supported Runtimes
The supported JavaScript runtimes include those that support the utilized Web API globals and standard built-in objects. These are (but are not limited to):