agent
Optional
An instance of http.Agent or https.Agent to pass to the http.get or https.get method options. Use when behind an http(s) proxy.

audience
Optional
Expected JWT "aud" (Audience) Claim value(s). REQUIRED at runtime; the option is optional in the type only because you can also provide the AUDIENCE environment variable.

authRequired
Optional
True if a valid Access Token JWT should be required for all routes. Defaults to true.

cacheMaxAge
Optional
Maximum time (in milliseconds) between successful HTTP requests to the JWKS and Discovery endpoints. Default is 600000 (10 minutes).

clockTolerance
Optional
Clock tolerance (in seconds) used when validating the exp and iat claims. Defaults to 5 seconds.

cooldownDuration
Optional
Duration in ms for which no further HTTP requests to the JWKS URI endpoint will be triggered after a previous successful fetch. Default is 30000.

issuer
Optional
Expected JWT "iss" (Issuer) Claim value. REQUIRED if you don't include issuerBaseURL. You can also provide the ISSUER environment variable.

issuerBaseURL
Optional
Base URL used to find the authorization server's metadata per RFC 8414 (https://datatracker.ietf.org/doc/html/rfc8414). You can pass a full URL including .well-known if your discovery document lives at a non-standard path. REQUIRED if you don't include jwksUri and issuer. You can also provide the ISSUER_BASE_URL environment variable.

jwksUri
Optional
URL of the authorization server's JWKS, used to find the public key that verifies an Access Token JWT signed with an asymmetric algorithm. REQUIRED if you don't include issuerBaseURL. You can also provide the JWKS_URI environment variable.

maxTokenAge
Optional
Maximum age (in seconds) from when a token was issued (its iat claim) to when it can no longer be accepted.

secret
Optional
Secret used to verify an Access Token JWT signed with a symmetric algorithm. By default this SDK validates tokens signed with asymmetric algorithms.

strict
Optional
If set to true, token validation strictly follows the 'JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens' (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-access-token-jwt-12, since published as RFC 9068). That profile requires the token's typ header to be at+jwt, so tokens minted with a plain typ of JWT are rejected in strict mode. Defaults to false.

timeoutDuration
Optional
Timeout in ms for HTTP requests to the JWKS and Discovery endpoints. When reached, the request is aborted. Default is 5000.

tokenSigningAlg
Optional
You must provide this if your tokens are signed with a symmetric algorithm, and it must be one of HS256, HS384 or HS512. You may provide this if your tokens are signed with an asymmetric algorithm and, if provided, it must be one of RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES256K, ES384, ES512 or EdDSA (case-sensitive). When set, a token whose alg header differs is rejected, so the token cannot choose its own verification algorithm.

validators
Optional
Pass in custom validators to override the existing validation behaviour on standard claims or add new validation behaviour on custom claims.

    {
      validators: {
        // Disable issuer validation by passing `false`
        iss: false,
        // Add validation for a custom claim to equal a passed in string
        org_id: 'my_org_123',
        // Add validation for a custom claim, by passing in a function that
        // accepts:
        //   roles: the value of the claim
        //   claims: an object containing the JWTPayload
        //   header: an object representing the JWTHeader
        roles: (roles, claims, header) => roles.includes('editor') && claims.isAdmin
      }
    }