tessl/npm-oidc-client-ts

OpenID Connect (OIDC) & OAuth2 client library for TypeScript/JavaScript applications


Configuration

Configuration options for UserManager and OidcClient, covering authentication flows, token management, and provider integration.

Capabilities

UserManager Settings

Extended configuration for UserManager including popup, silent renewal, and session monitoring options.

/**
 * The settings used to configure the UserManager.
 *
 * Extends OidcClientSettings with options for the popup, redirect and
 * silent (iframe) flows, session monitoring, token revocation and user
 * storage. Defaults quoted in the field comments are those stated on this page.
 */
interface UserManagerSettings extends OidcClientSettings {
  // Popup flow configuration
  /**
   * The URL for the page containing the call to signinPopupCallback.
   * NOTE(review): like redirect_uri, presumably has to be registered with the
   * provider — confirm against the provider's client configuration.
   */
  popup_redirect_uri?: string;
  /** The URL for the page containing the call to signoutPopupCallback */
  popup_post_logout_redirect_uri?: string;
  /** Features parameter for window.open popup (default: { location: false, toolbar: false, height: 640 }) */
  popupWindowFeatures?: PopupWindowFeatures;
  /** Target parameter for window.open popup (default: "_blank") */
  popupWindowTarget?: string;
  
  // Redirect flow configuration
  /** Window.location method used to redirect (default: "assign"; "replace" does not add a history entry) */
  redirectMethod?: "replace" | "assign";
  /** Target window being redirected (default: "self"; "top" redirects the outermost window when the app runs in a frame) */
  redirectTarget?: "top" | "self";

  // Silent flow configuration
  /** The URL for the page containing the silent renew handler (see the IFrame settings below) */
  silent_redirect_uri?: string;
  /** Timeout for silent renew requests in seconds (default: 10) */
  silentRequestTimeoutInSeconds?: number;
  /** Enable automatic silent token renewal (default: true) */
  automaticSilentRenew?: boolean;
  /**
   * Validate user.profile.sub in silent renew calls (default: true).
   * Keeps renewed tokens tied to the currently signed-in subject; turning it
   * off removes that check.
   */
  validateSubOnSilentRenew?: boolean;
  /**
   * Include id_token as id_token_hint in silent renew calls (default: false).
   * When enabled the id_token travels to the provider as part of the renew request.
   */
  includeIdTokenInSilentRenew?: boolean;

  // IFrame configuration
  /**
   * Target origin for postMessage inside iframe (default: window.location.origin).
   * NOTE(review): keep this an exact origin; a wildcard target would let any
   * page embedding the iframe receive the authentication response.
   */
  iframeNotifyParentOrigin?: string;
  /**
   * Script origin to check during message callback (default: window.location.origin).
   * Messages from any other origin are presumably ignored — confirm against the library.
   */
  iframeScriptOrigin?: string;

  // Session monitoring
  /** Enable session monitoring for signout events (default: false) */
  monitorSession?: boolean;
  /** Monitor anonymous sessions (default: false) */
  monitorAnonymousSession?: boolean;
  /** Interval in seconds to check session (default: 2) */
  checkSessionIntervalInSeconds?: number;
  /** Response type for session status queries */
  query_status_response_type?: string;
  /** Stop session checking on error (default: true) */
  stopCheckSessionOnError?: boolean;

  // Token management
  /** Token types to revoke on signout (default: ["access_token", "refresh_token"]) */
  revokeTokenTypes?: ("access_token" | "refresh_token")[];
  /**
   * Invoke revocation endpoint on signout (default: false).
   * NOTE(review): when false, signout presumably clears only local state and
   * the issued tokens stay valid at the provider until they expire; consider
   * enabling it where the provider publishes a revocation_endpoint.
   */
  revokeTokensOnSignout?: boolean;
  /** Include id_token as id_token_hint in silent signout (default: false) */
  includeIdTokenInSilentSignout?: boolean;
  /** Seconds before access token expiry to raise expiring event (default: 60) */
  accessTokenExpiringNotificationTimeInSeconds?: number;

  // Storage
  /**
   * Storage for user data (default: window.sessionStorage).
   * Whatever browser storage is chosen is readable by every script running on
   * the origin; sessionStorage is per-tab and cleared when the tab closes,
   * while window.localStorage persists across browser sessions.
   */
  userStore?: StateStore;
}

/**
 * Options mapped onto the `features` argument of window.open for the popup
 * flow (see UserManagerSettings.popupWindowFeatures). All members are optional;
 * the page-stated default is { location: false, toolbar: false, height: 640 }.
 */
interface PopupWindowFeatures {
  /** Show location bar in popup */
  location?: boolean;
  /** Show toolbar in popup */
  toolbar?: boolean;
  /** Popup window height */
  height?: number;
  /** Popup window width */
  width?: number;
  /** Popup window left position */
  left?: number;
  /** Popup window top position */
  top?: number;
  /** Auto-close popup after seconds (-1 to disable) */
  closePopupWindowAfterInSeconds?: number;
}

OidcClient Settings

Core configuration for OIDC/OAuth2 protocol communication.

/**
 * The settings used to configure the OidcClient.
 *
 * `authority`, `client_id` and `redirect_uri` are required; every other member
 * is optional. Defaults quoted in the field comments are those stated on this page.
 */
interface OidcClientSettings {
  // Required settings
  /**
   * The URL of the OIDC/OAuth2 provider.
   * Unless metadataUrl/metadata override it, discovery — and therefore every
   * endpoint the client talks to — derives from this value, so it must come
   * from trusted configuration, never from user-controlled input.
   */
  authority: string;
  /** Your client application's identifier */
  client_id: string;
  /**
   * The redirect URI to receive responses.
   * NOTE(review): presumably must exactly match a URI registered with the
   * provider for this client_id — confirm against the provider's configuration.
   */
  redirect_uri: string;

  // Provider configuration
  /** Custom metadata URL if different from authority */
  metadataUrl?: string;
  /**
   * Provide metadata when CORS is not available on discovery endpoint.
   * Static metadata bypasses discovery, so the endpoints listed here are where
   * authorization codes and credentials get sent; treat them with the same
   * trust as `authority`.
   */
  metadata?: Partial<OidcMetadata>;
  /** Additional values to seed discovery results */
  metadataSeed?: Partial<OidcMetadata>;
  /**
   * Signing keys when CORS is not available on jwks_uri.
   * Presumably used in place of the keys fetched from jwks_uri when verifying
   * tokens, so they must be obtained from the provider, not an untrusted source.
   */
  signingKeys?: SigningKey[];

  // OAuth2/OIDC parameters
  /** Response type requested (default: "code") */
  response_type?: string;
  /** Scope requested (default: "openid") */
  scope?: string;
  /** Post logout redirect URI */
  post_logout_redirect_uri?: string;
  /**
   * Client secret for confidential clients.
   * NOTE(review): a secret shipped in browser-delivered code is visible to
   * anyone who loads the script; only set this where the client can genuinely
   * keep it confidential.
   */
  client_secret?: string;
  
  // Client authentication
  /** Client authentication method (default: "client_secret_post") — how client_secret is presented to the token endpoint */
  client_authentication?: "client_secret_basic" | "client_secret_post";

  // Optional protocol parameters
  /** Force user authentication prompt (the `prompt` request parameter; prefer this over repeating it in extraQueryParams) */
  prompt?: string;
  /** UI display mode */
  display?: string;
  /** Maximum authentication age in seconds */
  max_age?: number;
  /** Preferred languages for authentication UI */
  ui_locales?: string;
  /** Requested Authentication Context Class Reference values */
  acr_values?: string;
  /** Resource indicators for requested access tokens */
  resource?: string | string[];
  /** Response mode (query, fragment) */
  response_mode?: "query" | "fragment";

  // Claims processing
  /**
   * Remove optional OIDC protocol claims from profile (default: true).
   * The array form appears to name the specific claims to strip (see the
   * enterprise example on this page) — confirm against the library.
   */
  filterProtocolClaims?: boolean | string[];
  /** Load additional user info from userinfo endpoint (default: false); an extra call to the provider */
  loadUserInfo?: boolean;
  /** Strategy for merging userinfo claims with id_token claims */
  mergeClaimsStrategy?: { array: "replace" | "merge" };

  // Request customization
  /**
   * Additional query parameters for authorization requests.
   * These end up in the browser-visible authorization URL, so never place
   * secrets here. `prompt` and `resource` have first-class settings above.
   */
  extraQueryParams?: Record<string, string | number | boolean>;
  /** Additional parameters for token requests */
  extraTokenParams?: Record<string, unknown>;
  /** Additional headers for requests; a value may be a function that produces the header (see ExtraHeader) */
  extraHeaders?: Record<string, ExtraHeader>;

  // Storage and state management
  /** Storage for request state (default: window.localStorage) */
  stateStore?: StateStore;
  /** Age in seconds for abandoned state cleanup (default: 900) */
  staleStateAgeInSeconds?: number;

  // Security features
  /** DPoP (Demonstration of Proof-of-Possession) settings */
  dpop?: DPoPSettings;
  /**
   * Disable PKCE validation (default: false).
   * NOTE(review): PKCE binds the authorization code to this client instance;
   * leave the default unless a provider genuinely cannot support it.
   */
  disablePKCE?: boolean;
  /**
   * Fetch credentials mode (default: "same-origin").
   * "include" sends the browser's cookies on cross-origin requests to the
   * provider; widen this only where the SSO setup requires it.
   */
  fetchRequestCredentials?: RequestCredentials;

  // Token revocation
  /** Additional content types for revocation endpoint responses */
  revokeTokenAdditionalContentTypes?: string[];
}

/** Value of an extraHeaders entry: a fixed string, or a function presumably called when the request is built so the header can be computed fresh */
type ExtraHeader = string | (() => string);

/**
 * Settings for DPoP (Demonstration of Proof-of-Possession, RFC 9449);
 * see OidcClientSettings.dpop.
 */
interface DPoPSettings {
  /** Bind DPoP key to authorization code */
  bind_authorization_code?: boolean;
  /** Storage for DPoP state (required — the type offers no default store) */
  store: DPoPStore;
}

/** One entry of OidcClientSettings.signingKeys — presumably a JWK (JSON Web Key) object whose members are strings or string arrays */
type SigningKey = Record<string, string | string[]>;

Configuration Store Classes

Immutable configuration stores with applied defaults.

/**
 * UserManager settings with defaults applied.
 *
 * Declaration-only listing (no constructor body shown): the store takes a
 * UserManagerSettings object and exposes each setting as a readonly field,
 * filling in the page-stated defaults where the input left a field unset.
 * Fields typed without `| undefined` always carry a value after construction
 * — e.g. popup_redirect_uri and silent_redirect_uri, which are presumably
 * defaulted by the library; confirm how before relying on it.
 */
class UserManagerSettingsStore extends OidcClientSettingsStore {
  constructor(args: UserManagerSettings);
  
  // All UserManagerSettings properties as readonly
  readonly popup_redirect_uri: string;
  readonly popup_post_logout_redirect_uri: string | undefined;
  readonly popupWindowFeatures: PopupWindowFeatures;
  readonly popupWindowTarget: string;
  readonly redirectMethod: "replace" | "assign";
  readonly redirectTarget: "top" | "self";
  
  readonly iframeNotifyParentOrigin: string | undefined;
  readonly iframeScriptOrigin: string | undefined;
  
  readonly silent_redirect_uri: string;
  readonly silentRequestTimeoutInSeconds: number;
  readonly automaticSilentRenew: boolean;
  readonly validateSubOnSilentRenew: boolean;
  readonly includeIdTokenInSilentRenew: boolean;
  
  readonly monitorSession: boolean;
  readonly monitorAnonymousSession: boolean;
  readonly checkSessionIntervalInSeconds: number;
  readonly query_status_response_type: string;
  readonly stopCheckSessionOnError: boolean;
  
  readonly revokeTokenTypes: ("access_token" | "refresh_token")[];
  readonly revokeTokensOnSignout: boolean;
  readonly includeIdTokenInSilentSignout: boolean;
  
  readonly accessTokenExpiringNotificationTimeInSeconds: number;
  readonly userStore: StateStore;
}

/**
 * OidcClient settings with defaults applied.
 *
 * Declaration-only listing: constructed from an OidcClientSettings object.
 * Fields without `?` are always populated (from the input or the page-stated
 * defaults); fields marked `?` stay undefined when the input omits them.
 */
class OidcClientSettingsStore {
  constructor(args: OidcClientSettings);
  
  // All OidcClientSettings properties as readonly
  readonly authority: string;
  readonly metadataUrl?: string;
  readonly metadata?: Partial<OidcMetadata>;
  readonly metadataSeed?: Partial<OidcMetadata>;
  readonly signingKeys?: SigningKey[];
  
  readonly client_id: string;
  readonly client_secret?: string;
  readonly response_type: string;
  readonly scope: string;
  readonly redirect_uri: string;
  readonly post_logout_redirect_uri?: string;
  readonly client_authentication: "client_secret_basic" | "client_secret_post";
  
  readonly prompt?: string;
  readonly display?: string;
  readonly max_age?: number;
  readonly ui_locales?: string;
  readonly acr_values?: string;
  readonly resource?: string | string[];
  readonly response_mode?: "query" | "fragment";
  
  readonly filterProtocolClaims: boolean | string[];
  readonly loadUserInfo: boolean;
  readonly staleStateAgeInSeconds: number;
  readonly mergeClaimsStrategy: { array: "replace" | "merge" };
  
  readonly stateStore: StateStore;
  readonly extraQueryParams?: Record<string, string | number | boolean>;
  readonly extraTokenParams?: Record<string, unknown>;
  readonly extraHeaders?: Record<string, ExtraHeader>;
  
  // Security-relevant settings: see the field notes on OidcClientSettings
  readonly dpop?: DPoPSettings;
  readonly revokeTokenAdditionalContentTypes: string[];
  readonly disablePKCE: boolean;
  readonly fetchRequestCredentials: RequestCredentials;
}

OIDC Provider Metadata

Structure of the provider's OIDC discovery document (metadata).

/**
 * OIDC provider metadata from discovery document.
 *
 * Members without `?` are mandatory in a complete document; note that
 * OidcClientSettings.metadata takes a Partial<OidcMetadata>, so the type does
 * not enforce them when metadata is supplied statically. Every *_endpoint
 * value is a URL the client sends requests to — the token endpoint receives
 * the authorization code and any client credentials — so this document must
 * come from the trusted provider (normally via discovery from `authority`).
 */
interface OidcMetadata {
  /** The authorization server's issuer identifier */
  issuer: string;
  /** URL of the authorization endpoint */
  authorization_endpoint: string;
  /** URL of the token endpoint */
  token_endpoint: string;
  /** URL of the userinfo endpoint */
  userinfo_endpoint?: string;
  /** URL of the end session endpoint */
  end_session_endpoint?: string;
  /** URL of the check session iframe (used by session monitoring; see UserManagerSettings.monitorSession) */
  check_session_iframe?: string;
  /** URL of the revocation endpoint (used when UserManagerSettings.revokeTokensOnSignout is set) */
  revocation_endpoint?: string;
  /** URL of the introspection endpoint */
  introspection_endpoint?: string;
  /** URL of the jwks_uri — the provider's published key set for verifying token signatures */
  jwks_uri: string;
  /** URL of the registration endpoint */
  registration_endpoint?: string;
  
  /** Supported scopes */
  scopes_supported?: string[];
  /** Supported response types */
  response_types_supported: string[];
  /** Supported response modes */
  response_modes_supported?: string[];
  /** Supported grant types */
  grant_types_supported?: string[];
  /** Supported subject types */
  subject_types_supported: string[];
  /** Supported ID token signing algorithms */
  id_token_signing_alg_values_supported: string[];
  /** Supported ID token encryption algorithms */
  id_token_encryption_alg_values_supported?: string[];
  /** Supported ID token encryption encoding algorithms */
  id_token_encryption_enc_values_supported?: string[];
  /** Supported userinfo signing algorithms */
  userinfo_signing_alg_values_supported?: string[];
  /** Supported userinfo encryption algorithms */
  userinfo_encryption_alg_values_supported?: string[];
  /** Supported userinfo encryption encoding algorithms */
  userinfo_encryption_enc_values_supported?: string[];
  /** Supported request object signing algorithms */
  request_object_signing_alg_values_supported?: string[];
  /** Supported request object encryption algorithms */
  request_object_encryption_alg_values_supported?: string[];
  /** Supported request object encryption encoding algorithms */
  request_object_encryption_enc_values_supported?: string[];
  /** Supported token endpoint authentication methods */
  token_endpoint_auth_methods_supported?: string[];
  /** Supported token endpoint authentication signing algorithms */
  token_endpoint_auth_signing_alg_values_supported?: string[];
  /** Supported display values */
  display_values_supported?: string[];
  /** Supported claim types */
  claim_types_supported?: string[];
  /** Supported claims */
  claims_supported?: string[];
  /** Whether claims parameter is supported */
  claims_parameter_supported?: boolean;
  /** Whether request parameter is supported */
  request_parameter_supported?: boolean;
  /** Whether request_uri parameter is supported */
  request_uri_parameter_supported?: boolean;
  /** Whether TLS client certificate bound access tokens are supported */
  tls_client_certificate_bound_access_tokens?: boolean;
  /** Supported revocation endpoint authentication methods */
  revocation_endpoint_auth_methods_supported?: string[];
  /** Supported revocation endpoint authentication signing algorithms */
  revocation_endpoint_auth_signing_alg_values_supported?: string[];
  /** Supported introspection endpoint authentication methods */
  introspection_endpoint_auth_methods_supported?: string[];
  /** Supported introspection endpoint authentication signing algorithms */
  introspection_endpoint_auth_signing_alg_values_supported?: string[];
  /** Supported PKCE code challenge methods (relevant to OidcClientSettings.disablePKCE) */
  code_challenge_methods_supported?: string[];
}

Configuration Examples

Basic Configuration

import { UserManager } from "oidc-client-ts";

// Minimal configuration: the three required settings plus the usual
// authorization-code options. redirect_uri and post_logout_redirect_uri
// must match what the provider has registered for this client_id.
const settings = {
  authority: "https://demo.identityserver.io",
  client_id: "interactive.public",
  redirect_uri: "http://localhost:3000/callback",
  response_type: "code",
  scope: "openid profile email",
  post_logout_redirect_uri: "http://localhost:3000",
};

const userManager = new UserManager(settings);

Production Configuration

import { UserManager, WebStorageStateStore } from "oidc-client-ts";

// Fuller configuration exercising the popup, silent-renew, session-monitoring
// and revocation settings. All redirect/callback URIs must be registered with
// the provider for this client_id.
const userManager = new UserManager({
  // Provider configuration
  authority: "https://your-oidc-provider.com",
  client_id: "your-production-client-id",
  redirect_uri: "https://your-app.com/auth/callback",
  post_logout_redirect_uri: "https://your-app.com",
  
  // Flow configuration
  response_type: "code",
  scope: "openid profile email api1 api2",
  
  // Popup flow
  popup_redirect_uri: "https://your-app.com/auth/popup-callback",
  popup_post_logout_redirect_uri: "https://your-app.com",
  popupWindowFeatures: {
    location: false,
    toolbar: false,
    width: 500,
    height: 600,
    left: 100,
    top: 100,
  },
  
  // Silent renewal
  silent_redirect_uri: "https://your-app.com/auth/silent-callback",
  automaticSilentRenew: true,
  silentRequestTimeoutInSeconds: 10,
  includeIdTokenInSilentRenew: true, // sends the id_token as id_token_hint with each renew request
  
  // Session monitoring
  monitorSession: true,
  checkSessionIntervalInSeconds: 2,
  
  // Token management
  // revokeTokensOnSignout invalidates the listed tokens at the provider on
  // signout instead of only dropping them locally (default is false).
  revokeTokensOnSignout: true,
  revokeTokenTypes: ["access_token", "refresh_token"],
  accessTokenExpiringNotificationTimeInSeconds: 60,
  
  // Storage configuration
  // NOTE(review): the library default for userStore is sessionStorage.
  // localStorage keeps the signed-in user across browser sessions and is
  // readable by any script running on this origin — decide deliberately.
  userStore: new WebStorageStateStore({ store: window.localStorage }),
  stateStore: new WebStorageStateStore({ 
    store: window.sessionStorage,
    prefix: "oidc."
  }),
  
  // Claims processing (filterProtocolClaims: true is already the default)
  filterProtocolClaims: true,
  loadUserInfo: true,
  
  // Custom parameters — appended to the browser-visible authorization URL
  extraQueryParams: {
    tenant: "your-tenant-id",
  },
  
  // Custom headers — sent with the library's requests to the provider
  extraHeaders: {
    "X-Custom-Header": "your-value",
  },
});

Enterprise Configuration with Custom Metadata

import { UserManager } from "oidc-client-ts";

// Static-metadata configuration for a provider whose discovery endpoint is
// not reachable from the browser (no CORS).
const userManager = new UserManager({
  authority: "https://enterprise-sso.company.com",
  client_id: "enterprise-app",
  redirect_uri: "https://app.company.com/auth/callback",
  
  // Custom metadata when discovery is not available.
  // These URLs replace the discovery document, so they are where codes and
  // credentials get sent; take them from the provider's own documentation.
  metadata: {
    issuer: "https://enterprise-sso.company.com",
    authorization_endpoint: "https://enterprise-sso.company.com/oauth/authorize",
    token_endpoint: "https://enterprise-sso.company.com/oauth/token",
    userinfo_endpoint: "https://enterprise-sso.company.com/oauth/userinfo",
    end_session_endpoint: "https://enterprise-sso.company.com/oauth/logout",
    jwks_uri: "https://enterprise-sso.company.com/.well-known/jwks",
    response_types_supported: ["code"],
    subject_types_supported: ["public"],
    id_token_signing_alg_values_supported: ["RS256"],
  },
  
  // Enterprise-specific settings
  // NOTE(review): client_authentication only matters together with
  // client_secret, which this example does not set; a browser-delivered app
  // cannot keep a secret confidential in any case.
  client_authentication: "client_secret_basic",
  response_type: "code",
  scope: "openid profile email groups",
  
  // Security requirements
  acr_values: "urn:mace:incommon:iap:silver",
  max_age: 3600,
  
  // Custom authentication parameters
  // NOTE(review): `prompt` is also a first-class OidcClientSettings field;
  // setting it there avoids any ambiguity about which value wins if both are given.
  extraQueryParams: {
    domain_hint: "company.com",
    prompt: "select_account",
  },
  
  // Network configuration
  fetchRequestCredentials: "include", // Send cookies for SSO (cross-origin, to the provider's endpoints)
  
  // Claims processing
  // Array form appears to list the claims to strip from the profile — confirm.
  filterProtocolClaims: ["nbf", "jti", "auth_time", "nonce"],
  loadUserInfo: true,
  mergeClaimsStrategy: { array: "merge" },
});

Azure AD Configuration

import { UserManager } from "oidc-client-ts";

// Azure AD (v2.0 endpoint) configuration. The http://localhost URIs are
// development values; production deployments should use https URIs that are
// registered on the app registration.
const userManager = new UserManager({
  authority: "https://login.microsoftonline.com/your-tenant-id/v2.0",
  client_id: "your-azure-app-id",
  redirect_uri: "http://localhost:3000/auth/callback",
  post_logout_redirect_uri: "http://localhost:3000",
  
  response_type: "code",
  scope: "openid profile email User.Read",
  
  // Azure AD specific parameters
  // NOTE(review): both `resource` and `prompt` exist as first-class
  // OidcClientSettings fields; passing them here puts them into the
  // authorization URL verbatim — confirm which form the provider expects.
  extraQueryParams: {
    resource: "https://graph.microsoft.com",
    prompt: "select_account",
  },
  
  // Token configuration
  automaticSilentRenew: true,
  silent_redirect_uri: "http://localhost:3000/auth/silent-callback",
  
  // Azure AD metadata override (optional) — seeds the discovery result with
  // values the discovery document lacks or differs on.
  metadataSeed: {
    end_session_endpoint: "https://login.microsoftonline.com/your-tenant-id/oauth2/v2.0/logout",
  },
});
