oidc-node-stateless
1.1.1 • Public • Published

Stateless openid-connect for node

Express middlewares for connecting to an OIDC provider without a persisted session store such as Redis.

  • Sets a session cookie using a JWT containing information from the OIDC userinfo endpoint.
  • Built with openid-client.
  • Refreshes the session if a refresh token was provided.
  • Supports RP-Initiated Logout.

The standard OIDC workflow is as follows:

  1. GET /: the unprotected page is displayed.
  2. User navigates to /login, which redirects to the OIDC server for user authentication.
  3. User logs in with username and password; the OIDC server redirects to redirectUrl.
  4. GET /?code={code}: the login middleware exchanges the code for access, refresh and ID tokens from the OIDC server.
    • The login middleware calls the userinfo endpoint and creates a JWT session token.
    • The session token is set as the session cookie and is used for further user authorization.
  5. The payload of the session cookie JWT is accessible at req.session.

See ./example/index.js for a functional example.

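import https from 'node:https'
import express from 'express'
import cookieParser from 'cookie-parser'
import { login, protect, Jwt } from 'oidc-node-stateless'

const app = express()

app.use(
  // httpsRedirect is not imported or defined on this page; it is assumed to be a
  // middleware that redirects plain-HTTP requests to the given HTTPS host
  httpsRedirect({ newHost: `localhost:3000` }),
  cookieParser(),
  login({
    // sample values only; load the JWT secret and the client secret from the
    // environment or a secret store in a real deployment
    jwt: new Jwt({ secret: 'kitten' }),
    serverUrl: 'http://localhost:8080/oidc',
    clientId: 'client-id',
    clientSecret: 'secret',
    redirectUrl: 'https://localhost:3000',
    claims: ['aud', 'azp']
  })
)

app.get('/', (req, res) => res.end('home'))

// route guarded by the protect middleware (`protected` is a reserved word in ES modules)
app.get('/protected', protect(), (req, res) => res.end('protected'))

// plain HTTP listener, redirected to HTTPS by httpsRedirect
app.listen(80)
// https.createServer takes the TLS options first, then the request handler
https.createServer({ cert: '..', key: '...' }, app).listen(3000)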
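
How the signed session cookie from steps 4 and 5 of the workflow can be produced and checked, as an added example that is not code from this package. `signSession` and `verifySession` are hypothetical names, and HS256 with a shared secret is an assumption; the package's `Jwt` class may work differently.

```javascript
const crypto = require('node:crypto')

const b64url = (value) => Buffer.from(JSON.stringify(value)).toString('base64url')
const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest('base64url')

// Build a compact HS256 JWT (header.payload.signature) carrying the session claims.
function signSession (claims, secret, ttlSeconds, now = Date.now()) {
  const iat = Math.floor(now / 1000)
  const head = b64url({ alg: 'HS256', typ: 'JWT' })
  const body = b64url({ ...claims, iat, exp: iat + ttlSeconds })
  const signingInput = `${head}.${body}`
  return `${signingInput}.${hmac(signingInput, secret)}`
}

// Return the payload of a valid, unexpired session token, otherwise null.
function verifySession (token, secret, now = Date.now()) {
  const parts = String(token).split('.')
  if (parts.length !== 3) return null
  const [head, body, sig] = parts
  try {
    // Pin the algorithm: never let the token choose how it is verified (e.g. "none").
    if (JSON.parse(Buffer.from(head, 'base64url').toString()).alg !== 'HS256') return null
    // Recompute the MAC and compare in constant time before reading any claim.
    const expected = Buffer.from(hmac(`${head}.${body}`, secret))
    const given = Buffer.from(sig)
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null
    const payload = JSON.parse(Buffer.from(body, 'base64url').toString())
    // With no server-side store, exp is the only thing that ends a session.
    if (typeof payload.exp !== 'number' || payload.exp <= Math.floor(now / 1000)) return null
    return payload
  } catch {
    return null // malformed base64url or JSON
  }
}

// Constructed sample: claims as they might come back from the userinfo endpoint.
const demo = signSession({ sub: 'alice', aud: 'client-id' }, 'demo-secret', 900)
console.log(verifySession(demo, 'demo-secret'))
console.log(verifySession(demo, 'other-secret'))
```

Because nothing is stored server-side, a token stays valid until `exp` even after logout unless the cookie is cleared, so short lifetimes combined with the refresh behaviour listed above limit the exposure of a stolen cookie.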

Example

  1. Clone and install packages with npm install
  2. Start the provided OIDC test server with npm run server
  3. Run the sample with npm start
  4. Open https://localhost:3000

License

MIT licensed

Install

npm i oidc-node-stateless

Collaborators

  • spurreiter