{"id":16031781,"url":"https://github.com/panva/openid-client","last_synced_at":"2026-02-07T21:15:06.225Z","repository":{"id":38326139,"uuid":"62037644","full_name":"panva/openid-client","owner":"panva","description":"OAuth 2 / OpenID Connect Client API for JavaScript Runtimes","archived":false,"fork":false,"pushed_at":"2026-01-27T20:29:43.000Z","size":2885,"stargazers_count":2290,"open_issues_count":0,"forks_count":412,"subscribers_count":32,"default_branch":"main","last_synced_at":"2026-01-28T07:36:04.051Z","etag":null,"topics":["client","connect","oidc","openid","openid-client","openid-connect","passport"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/panva.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":"panva"}},"created_at":"2016-06-27T08:11:27.000Z","updated_at":"2026-01-27T21:15:43.000Z","dependencies_parsed_at":"2024-01-13T18:25:20.238Z","dependency_job_id":"792eecfa-84dc-489f-9ccd-92b82ea61bb1","html_url":"https://github.com/panva/openid-client","commit_stats":{"total_commits":918,"total_committers":46,"mean_commits":"19.956521739130434","dds":0.07516339869281041,"last_synced_commit":"90eb7056a39ec3f3ec63e81e19689f6f559eddf9"},"previous_names":["panva/openid-client"],"tags_count":216,"template":false,"template_full_name":null,"purl":"pkg:github/panva/openid-client","repository_url":"https://repos.ecosyste.
ms/api/v1/hosts/GitHub/repositories/panva%2Fopenid-client","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panva%2Fopenid-client/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panva%2Fopenid-client/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panva%2Fopenid-client/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/panva","download_url":"https://codeload.github.com/panva/openid-client/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panva%2Fopenid-client/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29208239,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-07T20:33:12.493Z","status":"ssl_error","status_checked_at":"2026-02-07T20:30:47.381Z","response_time":63,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["client","connect","oidc","openid","openid-client","openid-connect","passport"],"created_at":"2024-10-08T21:05:36.697Z","updated_at":"2026-02-07T21:15:06.220Z","avatar_url":"https://github.com/panva.png","language":"TypeScript","readme":"# openid-client\n\n\u003e OAuth 2 / OpenID Connect Client API for JavaScript Runtimes\n\nopenid-client simplifies integration with authorization servers by providing 
easy-to-use APIs for the most common authentication and authorization flows, including OAuth 2 and OpenID Connect. It is designed for JavaScript runtimes like Node.js, Browsers, Deno, Cloudflare Workers, and more.\n\n## Features\n\nThe following features are currently in scope and implemented in this software:\n\n- Authorization Server Metadata discovery\n- Authorization Code Flow (profiled under OpenID Connect 1.0, OAuth 2.0, OAuth 2.1, FAPI 1.0 Advanced, and FAPI 2.0)\n- Refresh Token, Device Authorization, Client-Initiated Backchannel Authentication (CIBA), and Client Credentials Grants\n- Demonstrating Proof-of-Possession at the Application Layer (DPoP)\n- Token Introspection and Revocation\n- Pushed Authorization Requests (PAR)\n- UserInfo and Protected Resource Requests\n- Authorization Server Issuer Identification\n- JWT Secured Introspection, Response Mode (JARM), Authorization Request (JAR), and UserInfo\n- Dynamic Client Registration (DCR)\n- [Passport](https://www.passportjs.org/) Strategy\n\n## Sponsor\n\n\u003cpicture\u003e\n  \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"https://raw.githubusercontent.com/panva/openid-client/HEAD/sponsor/Auth0byOkta_dark.png\"\u003e\n  \u003csource media=\"(prefers-color-scheme: light)\" srcset=\"https://raw.githubusercontent.com/panva/openid-client/HEAD/sponsor/Auth0byOkta_light.png\"\u003e\n  \u003cimg height=\"65\" align=\"left\" alt=\"Auth0 by Okta\" src=\"https://raw.githubusercontent.com/panva/openid-client/HEAD/sponsor/Auth0byOkta_light.png\"\u003e\n\u003c/picture\u003e\n\nIf you want to quickly add authentication to JavaScript apps, feel free to check out Auth0's JavaScript SDK and free plan. 
[Create an Auth0 account; it's free!][sponsor-auth0]\u003cbr\u003e\u003cbr\u003e\n\n## [Certification](https://openid.net/certification/faq/)\n\n[\u003cimg width=\"96\" height=\"50\" align=\"right\" src=\"https://user-images.githubusercontent.com/241506/166977513-7cd710a9-7f60-4944-aebe-a658e9f36375.png\" alt=\"OpenID Certification\"\u003e](#certification)\n\n[Filip Skokan](https://github.com/panva) has [certified](https://openid.net/certification) that [this software](https://github.com/panva/openid-client) conforms to the Basic, FAPI 1.0, and FAPI 2.0 Relying Party Conformance Profiles of the OpenID Connect™ protocol.\n\n## [💗 Help the project](https://github.com/sponsors/panva)\n\nSupport from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by [becoming a sponsor](https://github.com/sponsors/panva).\n\n## [API Reference Documentation](docs/README.md)\n\n`openid-client` is distributed via [npmjs.com](https://www.npmjs.com/package/openid-client), [jsr.io](https://jsr.io/@panva/openid-client), and [github.com](https://github.com/panva/openid-client).\n\n## [Examples](examples/README.md)\n\n**`example`** ESM import[^cjs]\n\n```ts\nimport * as client from 'openid-client'\n```\n\n- Authorization Code Flow (OAuth 2.0) - [source](examples/oauth.ts)\n- Authorization Code Flow (OpenID Connect) - [source](examples/oidc.ts) | [diff](examples/oidc.diff)\n- Extensions\n  - DPoP - [source](examples/dpop.ts) | [diff](examples/dpop.diff)\n  - JWT Secured Authorization Request (JAR) - [source](examples/jar.ts) | [diff](examples/jar.diff)\n  - JWT Secured Authorization Response Mode (JARM) - [source](examples/jarm.ts) | [diff](examples/jarm.diff)\n  - Pushed Authorization Request (PAR) - [source](examples/par.ts) | [diff](examples/par.diff)\n- Passport Strategy - [source](examples/passport.ts)\n\n## Quick start\n\n```ts\nlet server!: URL // Authorization Server's Issuer 
Identifier\nlet clientId!: string // Client identifier at the Authorization Server\nlet clientSecret!: string // Client Secret\n\nlet config: client.Configuration = await client.discovery(\n  server,\n  clientId,\n  clientSecret,\n)\n```\n\n### Authorization Code Flow\n\nAuthorization Code flow is for obtaining Access Tokens (and optionally Refresh Tokens) to use with\nthird party APIs.\n\nWhen you want to have your end-users authorize or authenticate you need to send them to the authorization server's `authorization_endpoint`. Consult the web framework of your choice on how to redirect but here's how\nto get the authorization endpoint's URL with parameters already encoded in the query to redirect\nto.\n\n```ts\n/**\n * Value used in the authorization request as the redirect_uri parameter, this\n * is typically pre-registered at the Authorization Server.\n */\nlet redirect_uri!: string\nlet scope!: string // Scope of the access request\n/**\n * PKCE: The following MUST be generated for every redirect to the\n * authorization_endpoint. You must store the code_verifier and state in the\n * end-user session such that it can be recovered as the user gets redirected\n * from the authorization server back to your application.\n */\nlet code_verifier: string = client.randomPKCECodeVerifier()\nlet code_challenge: string =\n  await client.calculatePKCECodeChallenge(code_verifier)\nlet state!: string\n\nlet parameters: Record\u003cstring, string\u003e = {\n  redirect_uri,\n  scope,\n  code_challenge,\n  code_challenge_method: 'S256',\n}\n\nif (!config.serverMetadata().supportsPKCE()) {\n  /**\n   * We cannot be sure the server supports PKCE so we're going to use state too.\n   * Use of PKCE is backwards compatible even if the AS doesn't support it which\n   * is why we're using it regardless. 
Like PKCE, random state must be generated\n   * for every redirect to the authorization_endpoint.\n   */\n  state = client.randomState()\n  parameters.state = state\n}\n\nlet redirectTo: URL = client.buildAuthorizationUrl(config, parameters)\n\n// now redirect the user to redirectTo.href\nconsole.log('redirecting to', redirectTo.href)\n```\n\nWhen end-users are redirected back to the `redirect_uri` your application consumes the callback and\npasses in PKCE `code_verifier` to include it in the authorization code grant token exchange.\n\n```ts\nlet getCurrentUrl!: (...args: any) =\u003e URL\n\nlet tokens: client.TokenEndpointResponse = await client.authorizationCodeGrant(\n  config,\n  getCurrentUrl(),\n  {\n    pkceCodeVerifier: code_verifier,\n    expectedState: state,\n  },\n)\n\nconsole.log('Token Endpoint Response', tokens)\n```\n\nYou can then fetch a protected resource response\n\n```ts\nlet protectedResourceResponse: Response = await client.fetchProtectedResource(\n  config,\n  tokens.access_token,\n  new URL('https://rs.example.com/api'),\n  'GET',\n)\n\nconsole.log(\n  'Protected Resource Response',\n  await protectedResourceResponse.json(),\n)\n```\n\n### Device Authorization Grant (Device Flow)\n\n```ts\nlet scope!: string // Scope of the access request\n\nlet response = await client.initiateDeviceAuthorization(config, { scope })\n\nconsole.log('User Code:', response.user_code)\nconsole.log('Verification URI:', response.verification_uri)\nconsole.log('Verification URI (complete):', response.verification_uri_complete)\n```\n\nYou will display the instructions to the end-user and have them directed at `verification_uri` or\n`verification_uri_complete`, afterwards you can start polling for the Device Access Token Response.\n\n```ts\nlet tokens: client.TokenEndpointResponse =\n  await client.pollDeviceAuthorizationGrant(config, response)\n\nconsole.log('Token Endpoint Response', tokens)\n```\n\nThis will poll in a regular interval and only resolve with tokens 
once the end-user authenticates.\n\n### Client-Initiated Backchannel Authentication (CIBA)\n\n```ts\nlet scope!: string // Scope of the access request\n/**\n * One of login_hint, id_token_hint, or login_hint_token parameters must be\n * provided in CIBA\n */\nlet login_hint!: string\n\nlet response = await client.initiateBackchannelAuthentication(config, {\n  scope,\n  login_hint,\n})\n\n/**\n * OPTIONAL: If your client is configured with Ping Mode you'd invoke the\n * following after getting the CIBA Ping Callback (its implementation is\n * framework specific and therefore out of scope for openid-client)\n */\n\nlet tokens: client.TokenEndpointResponse =\n  await client.pollBackchannelAuthenticationGrant(config, response)\n\nconsole.log('Token Endpoint Response', tokens)\n```\n\nThis will poll in a regular interval and only resolve with tokens once the end-user authenticates.\n\n### Client Credentials Grant\n\nClient Credentials flow is for obtaining Access Tokens to use with third party APIs on behalf of your application, rather than an end-user which was the case in previous examples.\n\n```ts\nlet scope!: string // Scope of the access request\nlet resource!: string // Resource Indicator of the Resource Server the access token is for\n\nlet tokens: client.TokenEndpointResponse = await client.clientCredentialsGrant(\n  config,\n  { scope, resource },\n)\n\nconsole.log('Token Endpoint Response', tokens)\n```\n\n## Supported Runtimes\n\nThe supported JavaScript runtimes include those that support the utilized Web API globals and standard built-in objects. 
These are _(but are not limited to)_:\n\n- Browsers\n- Bun\n- Cloudflare Workers\n- Deno\n- Electron\n- Node.js[^nodejs]\n\n## Supported Versions\n\n| Version                                                  | Security Fixes 🔑 | Other Bug Fixes 🐞 | New Features ⭐ | Runtime and Module type         |\n| -------------------------------------------------------- | ----------------- | ------------------ | --------------- | ------------------------------- |\n| [v6.x](https://github.com/panva/openid-client/tree/v6.x) | [Security Policy] | ✅                 | ✅              | Universal[^universal] ESM[^cjs] |\n| [v5.x](https://github.com/panva/openid-client/tree/v5.x) | [Security Policy] | ❌                 | ❌              | Node.js CJS + ESM               |\n\n[sponsor-auth0]: https://a0.to/signup/panva\n[WebCryptoAPI]: https://w3c.github.io/webcrypto/\n[Fetch API]: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API\n[Security Policy]: https://github.com/panva/openid-client/security/policy\n\n[^nodejs]: Node.js v20.x as baseline is required\n\n[^universal]: Assumes runtime support of [WebCryptoAPI][] and [Fetch API][]\n\n[^cjs]: CJS style `let client = require('openid-client')` is possible in Node.js versions where the `require(esm)` feature is enabled by default (^20.19.0 || ^22.12.0 || \u003e= 23.0.0).\n","funding_links":["https://github.com/sponsors/panva"],"categories":["Client Library","TypeScript"],"sub_categories":["JavaScript / TypeScript"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpanva%2Fopenid-client","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpanva%2Fopenid-client","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpanva%2Fopenid-client/lists"}