express-openid-connect
Advanced tools
Express middleware to protect web applications using OpenID Connect.
Express.js middleware for OpenID Relying Party (aka OAuth 2.0 Client). Easily add secure and standards-based authentication to Express applications.
This library requires:
This library is installed with npm:
npm i express-openid-connect --save
Follow our Secure Local Development guide to ensure that applications using this library are running over secure channels (HTTPS URLs). Applications using this library without HTTPS may experience "invalid state" errors.
The library needs the following required configuration keys to request and accept authentication. These can be configured in a .env file in the root of your application:
# .env
ISSUER_BASE_URL=https://YOUR_DOMAIN
CLIENT_ID=YOUR_CLIENT_ID
BASE_URL=https://YOUR_APPLICATION_ROOT_URL
APP_SESSION_SECRET=LONG_RANDOM_VALUE
... or in the library initialization:
// index.js
const { auth } = require("express-openid-connect");
app.use(
auth({
issuerBaseURL: "https://YOUR_DOMAIN",
baseURL: "https://YOUR_APPLICATION_ROOT_URL",
clientID: "YOUR_CLIENT_ID",
appSession: {
secret: "LONG_RANDOM_STRING"
}
})
);
With this basic configuration, your application will require authentication for all routes and store the user identity in an encrypted and signed cookie.
See the examples for route-specific authentication, custom application session handling, requesting and using access tokens for external APIs, and more.
See the API documentation for additional configuration possibilities and provided methods.
Errors raised by this library are handled by the default Express error handler which, in the interests of security, does not include the stack trace in the production environment.
But you may want to go one step further and hide additional error details from client, like the error message. To do this see the Express documentation on writing Custom error handlers
We appreciate feedback and contribution to this repo! Before you get started, please see the following:
Contributions can be made to this library through PRs to fix issues, improve documentation or add features. Please fork this repo, create a well-named branch, and submit a PR with a complete template filled out.
Code changes in PRs should be accompanied by tests covering the changed or added functionality. Tests can be run for this library with:
npm install
npm test
When you're ready to push your changes, please run the lint command first:
npm run lint
Please use the Issues queue in this repo for questions and feedback.
Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.
Auth0 helps you to easily:
This project is licensed under the MIT license. See the LICENSE file for more info.
v1.0.1 (2020-04-17)
Fixed
FAQs
Express middleware to protect web applications using OpenID Connect.
The npm package express-openid-connect receives a total of 46,970 weekly downloads. As such, express-openid-connect popularity was classified as popular.
We found that express-openid-connect demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 45 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Company News
Socket is joining TC54 to help develop standards for software supply chain security, contributing to the evolution of SBOMs, CycloneDX, and Package URL specifications.
Security News
PyPI now allows maintainers to archive projects, improving security and helping users make informed decisions about their dependencies.
Research
Security News
Malicious npm package postcss-optimizer delivers BeaverTail malware, targeting developer systems; similarities to past campaigns suggest a North Korean connection.