{
  "id": 11499,
  "library": "openid-client",
  "title": "OpenID Connect Client",
  "description": "openid-client is an OpenID Certified JavaScript client library designed for implementing OAuth 2.0 and OpenID Connect flows. It offers a comprehensive API for common authentication and authorization patterns, including Authorization Code, Refresh Token, Device Authorization, Client-Initiated Backchannel Authentication (CIBA), and Client Credentials grants. The library also supports advanced features like Demonstrating Proof-of-Possession (DPoP), Token Introspection and Revocation, Pushed Authorization Requests (PAR), and various JWT Secured operations (JAR, JARM, UserInfo). It is built for a wide range of JavaScript runtimes, including Node.js, browsers, Deno, and Cloudflare Workers. Currently at version 6.8.3, openid-client is actively maintained with a regular release cadence, ensuring compliance with the latest protocol specifications. A key differentiator is its OpenID Certification for Basic, FAPI 1.0, and FAPI 2.0 Relying Party Conformance Profiles, guaranteeing high standards of protocol interoperability.",
  "status": "active",
  "version": "6.8.3",
  "language": "javascript",
  "source_language": "en",
  "source_url": "https://github.com/panva/openid-client",
  "tags": ["javascript", "access token", "auth", "authentication", "authorization", "basic", "browser", "bun", "certified", "typescript"],
  "install": [
    { "cmd": "npm install openid-client", "lang": "bash", "label": "npm" },
    { "cmd": "yarn add openid-client", "lang": "bash", "label": "yarn" },
    { "cmd": "pnpm add openid-client", "lang": "bash", "label": "pnpm" }
  ],
  "dependencies": [
    { "reason": "Required only when integrating with Passport.js using the provided Passport Strategy.", "package": "passport", "optional": true }
  ],
  "imports": [
    {
      "note": "openid-client is a pure ESM module since v5. CommonJS 'require' syntax will result in a TypeError.",
      "wrong": "const { discovery } = require('openid-client')",
      "symbol": "discovery",
      "correct": "import { discovery } from 'openid-client'"
    },
    {
      "note": "v6 has no Client class and no default export. discovery() returns a Configuration instance, which is then passed to the other functions (for example buildAuthorizationUrl).",
      "wrong": "import Client from 'openid-client'",
      "symbol": "Configuration",
      "correct": "import { Configuration, discovery } from 'openid-client'"
    },
    {
      "note": "v6 has no 'generators' namespace. The state, nonce, and PKCE helpers are individual named exports from the top-level module path.",
      "wrong": "import * as generators from 'openid-client/lib/helpers/generators'",
      "symbol": "randomPKCECodeVerifier, calculatePKCECodeChallenge, randomState, randomNonce",
      "correct": "import { randomPKCECodeVerifier, calculatePKCECodeChallenge, randomState, randomNonce } from 'openid-client'"
    },
    {
      "note": "This pattern imports all named exports into an 'openid' namespace. For ESM environments only.",
      "wrong": "const openid = require('openid-client')",
      "symbol": "All exports",
      "correct": "import * as openid from 'openid-client'"
    }
  ],
  "quickstart": {
    "code": "import * as client from 'openid-client';\n\nconst main = async () => {\n  const issuerUrl = process.env.OIDC_ISSUER_URL ?? 'https://accounts.google.com';\n  const clientId = process.env.OIDC_CLIENT_ID ?? 'YOUR_CLIENT_ID';\n  const clientSecret = process.env.OIDC_CLIENT_SECRET ?? 'YOUR_CLIENT_SECRET';\n  const redirectUri = process.env.OIDC_REDIRECT_URI ?? 'http://localhost:3000/callback';\n\n  try {\n    // Discover the OpenID Provider's metadata and bind the client credentials to it\n    const config = await client.discovery(new URL(issuerUrl), clientId, clientSecret);\n    const metadata = config.serverMetadata();\n    console.log('Discovered issuer: %s %O', metadata.issuer, metadata);\n\n    // Generate one-time values for the authorization request\n    const code_verifier = client.randomPKCECodeVerifier();\n    const code_challenge = await client.calculatePKCECodeChallenge(code_verifier);\n    const state = client.randomState();\n    const nonce = client.randomNonce();\n\n    // Store code_verifier, state and nonce in the user's session: they are required to validate the callback\n    const authorizationUrl = client.buildAuthorizationUrl(config, {\n      redirect_uri: redirectUri,\n      scope: 'openid email profile',\n      code_challenge,\n      code_challenge_method: 'S256',\n      state,\n      nonce,\n    });\n\n    console.log(`\\nNavigate to this URL to start the login flow:\\n${authorizationUrl.href}\\n`);\n  } catch (error) {\n    console.error('Error during OpenID Connect setup:', error);\n  }\n};\n\nmain();",
    "lang": "typescript",
    "description": "This quickstart demonstrates how to discover an OpenID Provider, bind the client credentials to the discovered configuration, and generate an authorization URL for the Authorization Code Flow with PKCE, state, and nonce using the v6 API."
  },
  "warnings": [
    {
      "fix": "Migrate your project to use ES Modules with `import` statements. Ensure your `package.json` includes `\"type\": \"module\"` or use `.mjs` file extensions.",
      "message": "Since v5, openid-client is a pure ECMAScript Module (ESM). Attempting to use `require()` for imports will result in a TypeError.",
      "severity": "breaking",
      "affected_versions": ">=5.0.0"
    },
    {
      "fix": "Refer to the official documentation or the changelog entry (v6.8.3) for the recommended workaround regarding `redirect_uri` construction. Prefer full, unambiguous URLs without extraneous query parameters unless specifically handled.",
      "message": "When using `redirect_uri` with a query string or a bare origin, there are known subtle issues that may require a specific workaround documented by the library.",
      "severity": "gotcha",
      "affected_versions": ">=6.8.3"
    },
    {
      "fix": "Review the Passport strategy documentation and examples. You may need to update how you trigger the authentication flow, potentially passing `req.host` explicitly in older Express environments (v6.7.1) or defining custom logic.",
      "message": "The Passport strategy integration (e.g., in Express.js apps) may now require custom logic to initiate authentication requests, affecting previous implementations that relied on implicit request handling.",
      "severity": "gotcha",
      "affected_versions": ">=6.6.3"
    },
    {
      "fix": "Ensure your application's state management for Passport callbacks is robust and handles the expected deletion of one-time state, especially if you had custom state persistence logic.",
      "message": "When using the Passport strategy, a fix was implemented to correctly delete one-time state on callback, which might alter behavior for applications expecting state to persist or for those that didn't correctly clean up state previously.",
      "severity": "breaking",
      "affected_versions": ">=6.8.3"
    }
  ],
  "env_vars": null,
  "last_verified": "2026-04-19T00:00:00.000Z",
  "next_check": "2026-07-18T00:00:00.000Z",
  "problems": [
    {
      "fix": "Ensure your project is configured for ES Modules. Use `import { discovery } from 'openid-client'` and add `\"type\": \"module\"` to your `package.json` or rename your file to `.mjs`.",
      "cause": "Attempting to use `require()` to import `openid-client` in a CommonJS module, or running an ESM module without proper configuration (e.g., missing `\"type\": \"module\"` in `package.json` or incorrect file extension).",
      "error": "TypeError: (0, openid_client_1.discovery) is not a function"
    },
    {
      "fix": "Verify your client registration at the Authorization Server to ensure 'authorization_code' is an allowed grant type and 'code' is an allowed response type. Double-check the client's `response_types` configuration.",
      "cause": "The client registered with the Authorization Server does not have the 'authorization_code' grant type enabled or the 'response_types' are misconfigured.",
      "error": "Error: authorization_code grant type not allowed for this client"
    },
    {
      "fix": "Ensure the `code_verifier` sent during the token exchange matches the `code_challenge` sent during the authorization request. Also, ensure the authorization code is used only once and within its validity period. Check that the redirect URI matches exactly.",
      "cause": "The authorization code exchanged for tokens is invalid, expired, or has already been used. This can also happen due to a PKCE mismatch.",
      "error": "Error: invalid_grant"
    }
  ],
  "ecosystem": "npm"
}