
OpenIdConnectClient

Index

Methods

public disconnect

  • disconnect(): void
  • Returns void

public getAccessToken

  • getAccessToken(): Promise<string>
  • Provides an access token from the Open ID connect provider.

    Returns a cached value if there's sufficient time left until the access_token expires. If the access_token is about to expire a fresh token is fetched.


    Returns Promise<string>

    access_token from the /token endpoint.

public getIdentityToken

  • getIdentityToken(): Promise<IdentityToken>
  • Provides an identity token from the Open ID connect provider.

    Returns a cached value if there's sufficient time left until the id_token expires. If the id_token is about to expire a fresh token is fetched.

    @throws

    an OpenIdConnectClientError if this client has no identity token at all. Whether a createWithClientCredentials client has one depends on the identity provider: some issue an id_token to the service account when the openid scope applies (protocol claims only — a service account has no user profile), others issue none for the grant.


    Returns Promise<IdentityToken>

    parsed id_token from the /token endpoint.

public static clearLoginState

  • clearLoginState(sessionStorage: Storage): void
  • Removes the transient login parameters loginWithRedirect writes to session storage (the state, PKCE code verifier and redirect URI). create consumes and removes these on a successful token exchange; a caller that drives the login flow out of band (e.g. a popup or iframe login that ends by being closed or cancelled) can call this to clear the orphaned values so they do not linger for the tab's lifetime. The set of keys lives here, next to the code that writes and reads them.


    Parameters

    • sessionStorage: Storage

    Returns void

public static create

  • Creates an Open ID Connect client that uses refresh tokens. Expects callbackState to be the values from the callback caused by loginWithRedirect.

    See https://auth0.com/docs/get-started/authentication-and-authorization-flow/add-login-auth-code-flow

    @example
    const options: OpenIdConnectClientOptions = {
      clientId: '<client-id>',
      openIdProviderUrl: '<idp-url>',
      // create() restores the redirect_uri that loginWithRedirect persisted to session storage and
      // uses that for the token exchange, so this value is not what gets sent — keep it the stable
      // login URL (no callback query) for consistency.
      redirectUri: window.location.href.split('?')[0]
    };
    const callbackState = inferLoginCallbackStateFromUrl(window.location.href);
    if (isSuccessfulLoginCallbackState(callbackState)) {
      const client = await OpenIdConnectClient.create(options, callbackState);
      // The client exposes getAccessToken() and getIdentityToken(); there is no getToken().
      const accessToken = await client.getAccessToken();
    } else {
      // ...
    }

    Parameters

    • clientOptions: OpenIdConnectClientOptions

      specifies which Open ID provider to login with and the client credentials

    • callbackState: SuccessfulLoginCallbackState

      code and state received from the query parameters in the callback caused by loginWithRedirect

    • createDependencies: Partial<CreateDependencies> = {}

      dependency injection

    Returns Promise<OpenIdConnectClient>

    an Open ID Connect client that uses refresh tokens

public static createFromTokenResponse

public static createWithClientCredentials

  • Creates an Open ID Connect client for a service using the client credentials grant — no user, no browser, no redirects: the client authenticates as itself with its ClientCredentialsOptions.clientSecret in a single request to the token endpoint. Tokens are renewed automatically by re-running the grant (the provider issues no refresh token for it).

    The provider must have the client configured as a confidential client with service accounts enabled. Whether getIdentityToken works for clients created this way depends on the provider — see its documentation.

    @throws

    an OpenIdConnectClientCriticalError when invoked in a browser: the client secret must never be shipped to end users. Use the interactive login flows there instead.

    @example
    const client = await OpenIdConnectClient.createWithClientCredentials({
      openIdProviderUrl: 'https://customer.twinfinity.com',
      clientId: 'my-integration',
      clientSecret: process.env.MY_INTEGRATION_CLIENT_SECRET!
    });
    const accessToken = await client.getAccessToken();

    Parameters

    Returns Promise<OpenIdConnectClient>
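As an added illustration, not the OpenIdConnectClient implementation, here is the refresh-ahead caching that getAccessToken describes, driven by a constructed stand-in for the client-credentials grant that a createWithClientCredentials client re-runs to renew; TokenResponse, TokenFetcher, the 30 second margin and the fake endpoint are assumptions of this example.

```typescript
// Added illustration (not the OpenIdConnectClient source): a cached access_token is
// reused while it has at least a safety margin of lifetime left, otherwise the grant
// is re-run. The types, the margin and the fake grant below are assumptions.
export interface TokenResponse {
  access_token: string;
  expires_in: number; // seconds, as returned by the /token endpoint
}
export type TokenFetcher = () => Promise<TokenResponse>;

// Pure decision: is there still sufficient time left before the token expires?
export function hasSufficientLifetime(expiresAtMs: number, nowMs: number, marginSeconds: number): boolean {
  return expiresAtMs - marginSeconds * 1000 > nowMs;
}

export class RefreshAheadTokenCache {
  private cached?: { token: string; expiresAtMs: number };
  private inflight?: Promise<string>;

  constructor(
    private readonly runGrant: TokenFetcher,
    private readonly marginSeconds = 30,
    private readonly now: () => number = Date.now,
  ) {}

  async getAccessToken(): Promise<string> {
    if (this.cached && hasSufficientLifetime(this.cached.expiresAtMs, this.now(), this.marginSeconds)) {
      return this.cached.token;
    }
    // Coalesce concurrent callers onto one grant so a burst does not hit /token repeatedly.
    if (!this.inflight) this.inflight = this.fetchAndCache();
    return this.inflight;
  }

  private async fetchAndCache(): Promise<string> {
    try {
      const r = await this.runGrant();
      this.cached = { token: r.access_token, expiresAtMs: this.now() + r.expires_in * 1000 };
      return r.access_token;
    } finally {
      this.inflight = undefined;
    }
  }
}

// Constructed stand-in for the client-credentials grant: every call yields a new token
// so a caller can tell a cached value from a freshly fetched one.
export function fakeClientCredentialsGrant(expiresIn = 300): { fetcher: TokenFetcher; calls: () => number } {
  let n = 0;
  return { fetcher: async () => ({ access_token: `token-${++n}`, expires_in: expiresIn }), calls: () => n };
}
```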

public static loginWithRedirect

  • Starts the authorization code flow login by redirecting the browser to the Open ID provider specified in clientOptions. The returned promise never resolves, so awaiting it halts the rest of the promise chain while the browser is being redirected.

    See https://auth0.com/docs/get-started/authentication-and-authorization-flow/add-login-auth-code-flow

    @example
    const options: OpenIdConnectClientOptions = {
      clientId: '<client-id>',
      openIdProviderUrl: '<idp-url>', // or openIdProviderConfigurationUrl() to discover from the page origin
      // Use a stable URL with no query parameters: the exact same redirect_uri has to be sent again
      // at token exchange (see create()), so strip the callback query rather than using href verbatim.
      redirectUri: window.location.href.split('?')[0]
    };
    await OpenIdConnectClient.loginWithRedirect(options);
    throw 'The async function OpenIdConnectClient#loginWithRedirect should never resolve, returns an unfulfilled promise';

    Parameters

    Returns Promise<never>

    an unfulfilled promise that will never resolve

public static prefetchedMetadataFetcher