Options
All
  • Public
  • Public/Protected
  • All
Menu

Express OpenID Connect

Express JS middleware implementing sign on for Express web apps using OpenID Connect.

CircleCI codecov NPM version FOSSA Status

Table of Contents

Documentation

Install

Node.js version >=12.0.0 is recommended, but ^10.19.0 lts/dubnium is also supported.

npm install express-openid-connect

Getting Started

Follow our Secure Local Development guide to ensure that applications using this library are running over secure channels (HTTPS URLs). Applications using this library without HTTPS may experience "invalid state" errors.

The library needs issuerBaseURL, baseURL, clientID and secret to request and accept authentication. These can be configured with environmental variables:

ISSUER_BASE_URL=https://YOUR_DOMAIN
CLIENT_ID=YOUR_CLIENT_ID
BASE_URL=https://YOUR_APPLICATION_ROOT_URL
SECRET=LONG_RANDOM_VALUE

... or in the library initialization:

// index.js

const { auth } = require('express-openid-connect');
app.use(
  auth({
    issuerBaseURL: 'https://YOUR_DOMAIN',
    baseURL: 'https://YOUR_APPLICATION_ROOT_URL',
    clientID: 'YOUR_CLIENT_ID',
    secret: 'LONG_RANDOM_STRING',
    idpLogout: true,
  })
);

With this basic configuration, your application will require authentication for all routes and store the user identity in an encrypted and signed cookie.

See the examples for route-specific authentication, custom application session handling, requesting and using access tokens for external APIs, and more.

See the API documentation for additional configuration possibilities and provided methods.

A note on error handling

Errors raised by this library are handled by the default Express error handler which, in the interests of security, does not include the stack trace in the production environment.

But you may want to go one step further and hide additional error details from client, like the error message. To do this see the Express documentation on writing Custom error handlers

Contributing

We appreciate feedback and contribution to this repo! Before you get started, please see the following:

Contributions can be made to this library through PRs to fix issues, improve documentation or add features. Please fork this repo, create a well-named branch, and submit a PR with a complete template filled out.

Code changes in PRs should be accompanied by tests covering the changed or added functionality. Tests can be run for this library with:

npm install
npm test

When you're ready to push your changes, please run the lint command first:

npm run lint

Support + Feedback

Please use the Issues queue in this repo for questions and feedback.

Vulnerability Reporting

Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.

What is Auth0?

Auth0 helps you to easily:

  • implement authentication with multiple identity providers, including social (e.g., Google, Facebook, Microsoft, LinkedIn, GitHub, Twitter, etc), or enterprise (e.g., Windows Azure AD, Google Apps, Active Directory, ADFS, SAML, etc.)
  • log in users with username/password databases, passwordless, or multi-factor authentication
  • link multiple user accounts together
  • generate signed JSON Web Tokens to authorize your API calls and flow the user identity securely
  • access demographics and analytics detailing how, when, and where users are logging in
  • enrich user profiles from other data sources using customizable JavaScript rules

Why Auth0?

License

This project is licensed under the MIT license. See the LICENSE file for more info.

FOSSA Status

Index

Functions

attemptSilentLogin

  • attemptSilentLogin(): RequestHandler
  • Use this MW to attempt silent login (prompt=none) but not require authentication.

    See attemptSilentLogin

    const { attemptSilentLogin } = require('express-openid-connect');
    
    app.get('/', attemptSilentLogin(), (req, res) => {
      res.render('homepage', {
        isAuthenticated: req.isAuthenticated() // show a login or logout button
      });
    });
    

    Returns RequestHandler

auth

  • Express JS middleware implementing sign on for Express web apps using OpenID Connect.

    The auth() middleware requires secret, baseURL, clientID and issuerBaseURL.

    If you are using a response type that includes code, you will also need: clientSecret

    const express = require('express');
    const { auth } = require('express-openid-connect');
    
    const app = express();
    
    app.use(
      auth({
         issuerBaseURL: 'https://YOUR_DOMAIN',
         baseURL: 'https://YOUR_APPLICATION_ROOT_URL',
         clientID: 'YOUR_CLIENT_ID',
         secret: 'LONG_RANDOM_STRING',
      })
    );
    
    app.get('/', (req, res) => {
      res.send(`hello ${req.oidc.user.name}`);
    });
    
     app.listen(3000, () => console.log('listening at http://localhost:3000'))

    Parameters

    Returns RequestHandler

claimCheck

  • claimCheck(checkFn: (req: OpenidRequest, claims: IdTokenClaims) => boolean): RequestHandler
  • Use this MW to protect a route, providing a custom function to check.

    const { claimCheck } = require('express-openid-connect');
    
    app.get('/admin/community', claimCheck((req, claims) => {
      return claims.isAdmin && claims.roles.includes('community');
    }), (req, res) => {
      res.send(...);
    });
    

    Parameters

    Returns RequestHandler

claimEquals

  • claimEquals(claim: string, value: boolean | number | string | null): RequestHandler
  • Use this MW to protect a route based on the value of a specific claim.

    const { claimEquals } = require('express-openid-connect');
    
    app.get('/admin', claimEquals('isAdmin', true), (req, res) => {
      res.send(...);
    });
    

    Parameters

    • claim: string

      The name of the claim

    • value: boolean | number | string | null

      The value of the claim, should be a primitive

    Returns RequestHandler

claimIncludes

  • claimIncludes(claim: string, ...args: (string | number | false | true)[]): RequestHandler
  • Use this MW to protect a route, checking that all values are in a claim.

    const { claimIncludes } = require('express-openid-connect');
    
    app.get('/admin/delete', claimIncludes('roles', 'admin', 'superadmin'), (req, res) => {
      res.send(...);
    });
    

    Parameters

    • claim: string

      The name of the claim

    • Rest ...args: (string | number | false | true)[]

      Claim values that must all be included

    Returns RequestHandler

requiresAuth

  • requiresAuth(requiresLoginCheck?: (req: OpenidRequest) => boolean): RequestHandler
  • Set authRequired to false then require authentication on specific routes.

    const { auth, requiresAuth } = require('express-openid-connect');
    
    app.use(
      auth({
         ...
         authRequired: false
      })
    );
    
    app.get('/profile', requiresAuth(), (req, res) => {
      res.send(`hello ${req.oidc.user.name}`);
    });
    

    Parameters

    Returns RequestHandler