{"id":17627,"library":"express-openid-connect","title":"Express OpenID Connect Middleware","description":"express-openid-connect is an Express.js middleware designed to integrate OpenID Connect (OIDC) authentication into web applications, streamlining user login and session management. Currently at version 2.20.2, the library is actively maintained with a regular release cadence, frequently addressing bug fixes and introducing minor features. It abstracts away much of the complexity of OIDC flows, particularly when used with Auth0 as an identity provider, by handling authentication, logout, and session management automatically. Key differentiators include its focus on Express applications, deep integration capabilities with Auth0, and providing sensible defaults to secure web applications, while also offering extensive configuration options for advanced use cases. It ships with TypeScript types, enhancing developer experience for type-safe applications.","status":"active","version":"2.20.2","language":"javascript","source_language":"en","source_url":"https://github.com/auth0/express-openid-connect","tags":["javascript","typescript"],"install":[{"cmd":"npm install express-openid-connect","lang":"bash","label":"npm"},{"cmd":"yarn add express-openid-connect","lang":"bash","label":"yarn"},{"cmd":"pnpm add express-openid-connect","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Core web framework required for middleware functionality.","package":"express","optional":false}],"imports":[{"note":"The primary middleware factory to initialize OIDC. While CommonJS destructuring (`const { auth } = require(...)`) is also valid, named ESM imports are generally preferred in modern TypeScript/ESM projects.","wrong":"const auth = require('express-openid-connect');","symbol":"auth","correct":"import { auth } from 'express-openid-connect';"},{"note":"A middleware function used to protect specific Express routes, ensuring a user is authenticated before access is granted.","wrong":"app.use(auth.requiresAuth());","symbol":"requiresAuth","correct":"import { requiresAuth } from 'express-openid-connect';"},{"note":"While `req.oidc.isAuthenticated()` is available on the request object after authentication, importing `isAuthenticated` can be useful for direct checks in view engines via `res.locals` or for manual authentication status queries. It returns `true` if the user is authenticated, `false` otherwise.","wrong":"import isAuthenticated from 'express-openid-connect';","symbol":"isAuthenticated","correct":"import { isAuthenticated } from 'express-openid-connect';"}],"quickstart":{"code":"import express from 'express';\nimport { auth, requiresAuth } from 'express-openid-connect';\nimport dotenv from 'dotenv';\n\ndotenv.config(); // Load environment variables from .env file\n\nconst app = express();\nconst port = process.env.PORT || 3000;\n\nconst config = {\n  authRequired: false,\n  auth0Logout: true,\n  secret: process.env.SECRET ?? 'a-very-long-random-string-that-is-at-least-32-characters-long',\n  baseURL: process.env.BASE_URL ?? `http://localhost:${port}`,\n  clientID: process.env.CLIENT_ID ?? 'YOUR_AUTH0_CLIENT_ID',\n  issuerBaseURL: process.env.ISSUER_BASE_URL ?? 'https://YOUR_AUTH0_DOMAIN',\n  // Uncomment and configure a session store for production environments\n  // session: {\n  //   store: new MemoryStore({ checkPeriod: 86400000 })\n  // }\n};\n\n// Attach /login, /logout, and /callback routes to the baseURL\napp.use(auth(config));\n\n// Basic route, checks if user is authenticated\napp.get('/', (req, res) => {\n  res.send(\n    `<h1>Welcome</h1><p>${\n      req.oidc.isAuthenticated() ? 'Logged in' : 'Logged out'\n    }</p><a href=\"/login\">Login</a> | <a href=\"/profile\">Profile</a> | <a href=\"/logout\">Logout</a>`\n  );\n});\n\n// The /profile route requires authentication\napp.get('/profile', requiresAuth(), (req, res) => {\n  res.send(\n    `<h2>User Profile</h2><pre>${JSON.stringify(req.oidc.user, null, 2)}</pre><a href=\"/\">Home</a>`\n  );\n});\n\n// Example of a public route that does not require authentication\napp.get('/public', (req, res) => {\n  res.send(`\n    <h1>Public Page</h1>\n    <p>User is ${req.oidc.isAuthenticated() ? 'authenticated' : 'not authenticated'}.</p>\n    <a href=\"/\">Home</a>\n  `);\n});\n\napp.listen(port, () => {\n  console.log(`Server running on http://localhost:${port}`);\n  console.log('Remember to set ISSUER_BASE_URL, CLIENT_ID, BASE_URL, and SECRET environment variables.');\n  console.log('Also, configure \"Allowed Callback URLs\" and \"Allowed Logout URLs\" in Auth0 to match your BASE_URL.');\n});","lang":"javascript","description":"This quickstart initializes an Express application with OpenID Connect authentication using `express-openid-connect`. It demonstrates basic login, logout, and a protected profile route, requiring environment variables for Auth0 configuration."},"warnings":[{"fix":"Ensure the `secret` value in your configuration is a long, random string, preferably 32 characters or more, and stored securely (e.g., via environment variables).","message":"The `secret` configuration variable is critical for session security and requires a minimum length to prevent replay attacks and session hijacking.","severity":"breaking","affected_versions":">=2.0.0"},{"fix":"Configure your development environment to use HTTPS (e.g., with `ngrok`, `mkcert`, or a local proxy) and ensure your `baseURL` matches your HTTPS URL (e.g., `https://localhost:3000`).","message":"Applications using this library must run over HTTPS, even during local development, to prevent 'invalid state' errors and ensure proper cookie handling due to modern browser security policies.","severity":"gotcha","affected_versions":">=2.0.0"},{"fix":"In the Auth0 Dashboard, navigate to your application's 'Settings', then 'Advanced Settings' -> 'OAuth' tab. Set 'JsonWebToken Signature Algorithm' to `RS256` and ensure 'OIDC Conformant' is enabled.","message":"The Auth0 application settings for 'JsonWebToken Signature Algorithm' must be set to `RS256`, and 'OIDC Conformant' must be enabled. Incorrect settings can lead to token validation failures and authentication issues.","severity":"breaking","affected_versions":">=2.0.0"},{"fix":"Review the `express-openid-connect` FAQ for potential workarounds or consider alternative HTTP agents if encountering proxy-related connection problems.","message":"Using `agent-base` with certain proxy or network configurations might cause connectivity issues during OIDC discovery or token exchange.","severity":"gotcha","affected_versions":">=2.0.0"},{"fix":"Ensure custom session store implementations consistently return promises for `async` operations or adhere to standard Node.js callback patterns that the library can properly promisify. Consult the documentation for `util-promisify` if using custom stores and encountering issues.","message":"Custom asynchronous session store methods (e.g., `get`, `set`, `destroy`) must correctly handle Node.js callbacks or return promises. Incorrect promisification or handling of `async` functions can lead to session data inconsistencies or failures.","severity":"breaking","affected_versions":">=2.19.1"}],"env_vars":null,"last_verified":"2026-04-23T00:00:00.000Z","next_check":"2026-07-22T00:00:00.000Z","problems":[{"fix":"Ensure your application is accessible via HTTPS, even in development. Verify that `config.baseURL` in your code and 'Allowed Callback URLs'/'Allowed Logout URLs' in your Auth0 application settings precisely match your application's origin (e.g., `https://localhost:3000`).","cause":"Typically occurs when the application runs over HTTP instead of HTTPS, or when the `baseURL` and configured Auth0 callback URLs do not match the application's actual origin.","error":"invalid state"},{"fix":"Check your browser's console for any cookie-related warnings. Ensure your application uses HTTPS. If using a custom session store, verify its `get()` method correctly retrieves the state. Upgrade to `express-openid-connect@2.20.2` or newer for fixes related to missing transaction cookies.","cause":"The OIDC flow relies on a state cookie, which may be missing due to browser security restrictions (e.g., `SameSite` policy), interference from proxies, or an improperly configured custom session store.","error":"Missing transaction cookie"},{"fix":"In your Auth0 Dashboard, navigate to your application's 'Settings', then 'Advanced Settings' -> 'OAuth' tab. Set 'JsonWebToken Signature Algorithm' to `RS256` and ensure 'OIDC Conformant' is enabled.","cause":"This error occurs during token validation if the Auth0 application's 'JsonWebToken Signature Algorithm' is not set to `RS256`, or if 'OIDC Conformant' is not enabled.","error":"JsonWebToken Signature Algorithm must be RS256"},{"fix":"This specific issue was addressed in `express-openid-connect@2.20.0`. Ensure you are using `v2.20.0` or a later version of the library. If the problem persists in a unique environment, consult the library's compatibility notes or report an issue.","cause":"This issue arises from compatibility problems with certain validation libraries (like Joi) in specific environments, such as Cloudflare Workers, where `Joi.binary()` might be unavailable or behave unexpectedly.","error":"TypeError: Joi.binary is not a function"}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}