openid-client
openid-client is a server side OpenID Relying Party (RP, Client) implementation for Node.js
Example
Head over to the example folder to see the library in use. This example is deployed and configured to use an example OpenID Connect Provider here. The provider uses the oidc-provider library.
Get started
On the off-chance you want to manage multiple clients for multiple issuers you need to first get an Issuer instance.
via Discovery (recommended)

const Issuer = require('openid-client').Issuer;
Issuer.discover('https://accounts.google.com') // => Promise
  .then(function (googleIssuer) {
    console.log('Discovered issuer %s', googleIssuer);
  });

manually

const Issuer = require('openid-client').Issuer;
const googleIssuer = new Issuer({
  issuer: 'https://accounts.google.com',
  authorization_endpoint: 'https://accounts.google.com/o/oauth2/v2/auth',
  token_endpoint: 'https://www.googleapis.com/oauth2/v4/token',
  userinfo_endpoint: 'https://www.googleapis.com/oauth2/v3/userinfo',
  jwks_uri: 'https://www.googleapis.com/oauth2/v3/certs',
}); // => Issuer
console.log('Set up issuer %s', googleIssuer);

Now you can create your Client.
manually (recommended)

You should provide the following metadata: client_id and client_secret. You can also provide
id_token_signed_response_alg (defaults to RS256) and token_endpoint_auth_method (defaults to
client_secret_basic).

const client = new googleIssuer.Client({
  client_id: 'zELcpfANLqY7Oqas',
  client_secret: 'TQV5U29k1gHibH5bx1layBo0OSAvAbRT3UYW3EWrSYBB5swxjVfWUa1BS8lqzxG/0v9wruMcrGadany3'
}); // => Client

via registration client uri
Should your OIDC provider have provided you with a registration client uri and registration access token, you can also have the Client discovered.

googleIssuer.Client.fromUri(registration_client_uri, registration_access_token) // => Promise
  .then(function (client) {
    console.log('Discovered client %s', client);
  });

Usage
Getting authorization url

client.authorizationUrl({
  redirect_uri: 'https://client.example.com/callback',
  scope: 'openid email',
}); // => String

Processing callback

client.authorizationCallback('https://client.example.com/callback', request.query) // => Promise
  .then(function (tokens) {
    console.log('received tokens %j', tokens);
  });

Refreshing a token
client.refresh(refreshToken) // => Promise
  .then(function (tokens) {
    console.log('refreshed tokens %j', tokens);
  });

Revoke a token

client.revoke(token) // => Promise
  .then(function () {
    console.log('revoked token %s', token);
  });

Introspect a token

client.introspect(token) // => Promise
  .then(function (details) {
    console.log('token details %j', details);
  });

Fetching userinfo

client.userinfo(accessToken) // => Promise
  .then(function (userinfo) {
    console.log('userinfo %j', userinfo);
  });

via POST

client.userinfo(accessToken, { verb: 'post' }); // => Promise

auth via query

client.userinfo(accessToken, { via: 'query' }); // => Promise

auth via body

client.userinfo(accessToken, { verb: 'post', via: 'body' }); // => Promise

Custom token endpoint grants
Use when the token endpoint also supports client_credentials or password grants:

client.grant({
  grant_type: 'client_credentials'
}); // => Promise

client.grant({
  grant_type: 'password',
  username: 'johndoe',
  password: 'A3ddj3w',
}); // => Promise

Registering new client (via Dynamic Registration)

issuer.Client.register(metadata, [keystore]) // => Promise
  .then(function (client) {
    console.log('Registered client %s, %j', client, client.metadata);
  });
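
An added example, not part of the openid-client README: one way to tie the "Getting authorization url" and "Processing callback" steps to the user's session with a single-use state value, so that a callback this session did not start is rejected before any tokens are requested. The session object and the names beginLogin and checkCallback are hypothetical, and the example assumes client.authorizationUrl forwards the extra state parameter to the provider unchanged.

```javascript
const crypto = require('crypto');

// Call first and pass the returned object to client.authorizationUrl().
// `session` is a hypothetical per-user, server-side store (a plain object here).
function beginLogin(session, redirectUri) {
  const state = crypto.randomBytes(32).toString('hex');
  session.oidc = { state, redirectUri, createdAt: Date.now() };
  // Assumption: extra parameters such as `state` end up in the authorization URL.
  return { redirect_uri: redirectUri, scope: 'openid email', state };
}

// Call with request.query before client.authorizationCallback().
// Returns the redirect_uri that was used for this login attempt, or throws.
function checkCallback(session, query, maxAgeMs = 10 * 60 * 1000) {
  const pending = session.oidc;
  delete session.oidc; // single use: a replayed callback finds nothing pending
  if (!pending) throw new Error('no login in progress for this session');
  if (Date.now() - pending.createdAt > maxAgeMs) {
    throw new Error('login attempt expired');
  }
  // A repeated query parameter is parsed as an array by many frameworks; reject it.
  if (typeof query.state !== 'string') {
    throw new Error('state missing from callback');
  }
  const got = Buffer.from(query.state);
  const want = Buffer.from(pending.state);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    throw new Error('state mismatch');
  }
  // Only trust the provider's error field once the state proves it is our flow.
  if (query.error) throw new Error('provider returned error: ' + query.error);
  return pending.redirectUri;
}
```

Use the value returned by checkCallback as the first argument to client.authorizationCallback, so the redirect_uri sent in the token request is the one the session recorded rather than one taken from the incoming request.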