Interface OidcClientSettings

The settings used to configure the OidcClient.

interface OidcClientSettings {
    acr_values?: string;
    authority: string;
    client_authentication?: "client_secret_post" | "client_secret_basic";
    client_id: string;
    client_secret?: string;
    disablePKCE?: boolean;
    display?: string;
    dpop?: DPoPSettings;
    extraHeaders?: Record<string, ExtraHeader>;
    extraQueryParams?: Record<string, string | number | boolean>;
    extraTokenParams?: Record<string, unknown>;
    fetchRequestCredentials?: RequestCredentials;
    filterProtocolClaims?: boolean | string[];
    loadUserInfo?: boolean;
    max_age?: number;
    mergeClaimsStrategy?: {
        array: "replace" | "merge";
    };
    metadata?: Partial<OidcMetadata>;
    metadataSeed?: Partial<OidcMetadata>;
    metadataUrl?: string;
    omitScopeWhenRequesting?: boolean;
    post_logout_redirect_uri?: string;
    prompt?: string;
    redirect_uri: string;
    refreshTokenAllowedScope?: string;
    requestTimeoutInSeconds?: number;
    resource?: string | string[];
    response_mode?: "query" | "fragment";
    response_type?: string;
    revokeTokenAdditionalContentTypes?: string[];
    scope?: string;
    signingKeys?: SigningKey[];
    staleStateAgeInSeconds?: number;
    stateStore?: StateStore;
    ui_locales?: string;
}

Properties

acr_values?: string

optional protocol param

authority: string

The URL of the OIDC/OAuth2 provider

client_authentication?: "client_secret_post" | "client_secret_basic"

Client authentication method that is used to authenticate when using the token endpoint (default: "client_secret_post")

  • "client_secret_basic": using the HTTP Basic authentication scheme
  • "client_secret_post": including the client credentials in the request body

See https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
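
The difference between the two client_authentication values, shown as an added example; this is not oidc-client-ts code, and the buildTokenRequest helper and its TokenRequest shape are this example's own. It follows RFC 6749 section 2.3.1 for the Basic scheme (client_id and client_secret are form-urlencoded before being joined and base64-encoded) and mirrors the page's default of "client_secret_post". A public client with no client_secret still identifies itself with client_id in the body.

```typescript
// Added example (not oidc-client-ts code): where the client credentials go on
// a token-endpoint request for each client_authentication setting.

type ClientAuthentication = "client_secret_post" | "client_secret_basic";

interface TokenRequestSettings {
  client_id: string;
  client_secret?: string;
  client_authentication?: ClientAuthentication; // page default: "client_secret_post"
}

interface TokenRequest {
  headers: Record<string, string>;
  body: string; // application/x-www-form-urlencoded
}

export function buildTokenRequest(
  settings: TokenRequestSettings,
  params: Record<string, string>, // e.g. grant_type, code, redirect_uri, code_verifier
): TokenRequest {
  const method = settings.client_authentication ?? "client_secret_post";
  const headers: Record<string, string> = {
    "Content-Type": "application/x-www-form-urlencoded",
  };
  const body = new URLSearchParams(params);

  if (method === "client_secret_basic" && settings.client_secret !== undefined) {
    // RFC 6749 §2.3.1: form-urlencode each part, join with ":", base64 the result.
    const credentials =
      encodeURIComponent(settings.client_id) + ":" + encodeURIComponent(settings.client_secret);
    headers["Authorization"] = "Basic " + btoa(credentials);
  } else {
    // client_secret_post (and public clients): credentials travel in the form body.
    body.set("client_id", settings.client_id);
    if (settings.client_secret !== undefined) {
      body.set("client_secret", settings.client_secret);
    }
  }
  return { headers, body: body.toString() };
}
```

Whichever method is used, the secret only ever travels to the token endpoint over the back-channel request; it never appears in the authorization request URL.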

client_id: string

Your client application's identifier as registered with the OIDC/OAuth2

client_secret?: string
disablePKCE?: boolean

Disables PKCE validation: when set to true, the sign-in request is sent without the code_challenge and code_challenge_method parameters. (default: false)
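
What disablePKCE removes from the authorization request, as an added example that is not oidc-client-ts code. PKCE (RFC 7636) binds the authorization code to a one-time code_verifier so that a code intercepted on the redirect cannot be redeemed without it. The createPkcePair and buildAuthorizeUrl helpers, and the assumption that the authorization endpoint lives at /authorize under the authority, are this example's own; a real client takes the endpoint from the discovery metadata. The test vector is the one from RFC 7636 Appendix B.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Added example (not oidc-client-ts code): S256 PKCE pair and the effect of
// disablePKCE on the sign-in URL.

function base64url(bytes: Buffer): string {
  return bytes.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

export interface PkcePair {
  code_verifier: string;
  code_challenge: string;
  code_challenge_method: "S256";
}

// Derive the S256 challenge from a verifier; a fresh random 43-character
// verifier (32 random bytes, base64url) is generated when none is supplied.
export function createPkcePair(code_verifier: string = base64url(randomBytes(32))): PkcePair {
  const digest = createHash("sha256").update(code_verifier, "utf8").digest();
  return { code_verifier, code_challenge: base64url(digest), code_challenge_method: "S256" };
}

interface AuthorizeSettings {
  authority: string;      // this example assumes <authority>/authorize (hypothetical)
  client_id: string;
  redirect_uri: string;
  scope?: string;         // page default: "openid"
  response_type?: string; // page default: "code"
  disablePKCE?: boolean;  // page default: false
}

// Build the sign-in URL. The PKCE parameters are omitted only when disablePKCE is true;
// the code_verifier is kept client-side and sent later to the token endpoint.
export function buildAuthorizeUrl(settings: AuthorizeSettings, state: string, pkce: PkcePair): string {
  const url = new URL("/authorize", settings.authority);
  url.searchParams.set("client_id", settings.client_id);
  url.searchParams.set("redirect_uri", settings.redirect_uri);
  url.searchParams.set("response_type", settings.response_type ?? "code");
  url.searchParams.set("scope", settings.scope ?? "openid");
  url.searchParams.set("state", state);
  if (!settings.disablePKCE) {
    url.searchParams.set("code_challenge", pkce.code_challenge);
    url.searchParams.set("code_challenge_method", pkce.code_challenge_method);
  }
  return url.toString();
}
```

Only the challenge is visible in the browser history and server logs; the verifier never leaves the client until the token exchange.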

display?: string

optional protocol param

dpop?: DPoPSettings

DPoP enabled or disabled

extraHeaders?: Record<string, ExtraHeader>

An object containing additional headers to be included in requests.

extraQueryParams?: Record<string, string | number | boolean>

An object containing additional query string parameters to be included in the authorization request. E.g., when using Azure AD to obtain an access token, an additional resource parameter is required: extraQueryParams: {resource:"some_identifier"}

extraTokenParams?: Record<string, unknown>
fetchRequestCredentials?: RequestCredentials

Sets the credentials mode for fetch requests (default: "same-origin"). Use this if you need to send cookies to the OIDC/OAuth2 provider or if you are using a proxy that requires cookies.

filterProtocolClaims?: boolean | string[]

Whether optional OIDC protocol claims should be removed from the profile, or a list of the specific claims to remove (default: true). When true, the following claims are removed by default: ["nbf", "jti", "auth_time", "nonce", "acr", "amr", "azp", "at_hash"]. When specifying claims, the following claims are not allowed: ["sub", "iss", "aud", "exp", "iat"].
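
The filtering rule described for filterProtocolClaims, written out as an added example; this is not the library's implementation, and the filterProtocolClaims helper and SAMPLE_PROFILE are constructed here. The two claim lists are the ones given on this page. The page only says the protected claims are "not allowed" in an explicit list; this example assumes they are kept rather than raising an error.

```typescript
// Added example (not oidc-client-ts code): removing protocol claims from a
// profile according to a filterProtocolClaims setting.

export const DEFAULT_PROTOCOL_CLAIMS = ["nbf", "jti", "auth_time", "nonce", "acr", "amr", "azp", "at_hash"] as const;
// Never removable: these are what a consumer needs to know who the user is,
// who issued the assertion, who it is for and whether it is still valid.
export const PROTECTED_CLAIMS = ["sub", "iss", "aud", "exp", "iat"] as const;

export type Claims = Record<string, unknown>;

// Returns a copy of `profile` with protocol claims removed according to `setting`:
//   true      -> remove DEFAULT_PROTOCOL_CLAIMS
//   false     -> remove nothing
//   string[]  -> remove exactly those claims, except protected ones (assumption: kept silently)
export function filterProtocolClaims(profile: Claims, setting: boolean | string[] = true): Claims {
  if (setting === false) return { ...profile };
  const requested: readonly string[] = setting === true ? DEFAULT_PROTOCOL_CLAIMS : setting;
  const protectedSet = new Set<string>(PROTECTED_CLAIMS);
  const filtered: Claims = { ...profile };
  for (const claim of requested) {
    if (!protectedSet.has(claim)) delete filtered[claim];
  }
  return filtered;
}

// Constructed sample of a decoded id_token payload (not a real token or issuer).
export const SAMPLE_PROFILE: Claims = {
  iss: "https://idp.example.com",
  sub: "user-123",
  aud: "spa",
  exp: 1700000000,
  iat: 1699999400,
  nonce: "n-0S6_WzA2Mj",
  auth_time: 1699999390,
  at_hash: "77QmUPtjPfzWtF2AnpK9RQ",
  amr: ["pwd"],
  name: "Ada Lovelace",
  email: "ada@example.com",
};
```

Note that filtering only affects the profile object handed to the application; the claims were still validated on the raw token before it was decoded, so removing nonce or at_hash from the profile does not weaken those checks.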

loadUserInfo?: boolean

Flag to control if additional identity data is loaded from the user info endpoint in order to populate the user's profile (default: false)

max_age?: number

optional protocol param

mergeClaimsStrategy?: {
    array: "replace" | "merge";
}

Indicates how objects returned from the user info endpoint as claims (e.g. address) are merged into the claims from the id token as a single object. (default: { array: "replace" })

  • array: "replace": natives (string, int, float) and arrays are replaced, objects are merged as distinct objects
  • array: "merge": natives (string, int, float) are replaced, arrays and objects are merged as distinct objects

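
The two mergeClaimsStrategy.array behaviours, applied to a set of id token claims and a user info response, as an added example that is not oidc-client-ts code. The mergeClaims helper and the ID_TOKEN_CLAIMS and USERINFO_CLAIMS samples are constructed here. The page does not say how the library de-duplicates merged arrays; this version concatenates and drops exact duplicates, which is an assumption.

```typescript
// Added example (not oidc-client-ts code): merging user info claims into
// id token claims under mergeClaimsStrategy { array: "replace" | "merge" }.

export type Claims = Record<string, unknown>;
export type ArrayStrategy = "replace" | "merge";

function isPlainObject(v: unknown): v is Claims {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

export function mergeClaims(
  idTokenClaims: Claims,
  userInfoClaims: Claims,
  strategy: { array: ArrayStrategy } = { array: "replace" }, // page default
): Claims {
  const result: Claims = { ...idTokenClaims };
  for (const [key, incoming] of Object.entries(userInfoClaims)) {
    const existing = result[key];
    if (isPlainObject(existing) && isPlainObject(incoming)) {
      // Objects are merged under both strategies.
      result[key] = mergeClaims(existing, incoming, strategy);
    } else if (Array.isArray(existing) && Array.isArray(incoming) && strategy.array === "merge") {
      // "merge": concatenate, dropping exact duplicates (assumption made here).
      const seen = new Set(existing.map((x) => JSON.stringify(x)));
      result[key] = [...existing, ...incoming.filter((x) => !seen.has(JSON.stringify(x)))];
    } else {
      // Natives, and arrays under "replace", are replaced by the user info value.
      result[key] = incoming;
    }
  }
  return result;
}

// Constructed samples: a decoded id_token payload and a user info response.
export const ID_TOKEN_CLAIMS: Claims = {
  sub: "user-123",
  name: "Ada",
  groups: ["staff", "legacy"],
  address: { country: "UK" },
};
export const USERINFO_CLAIMS: Claims = {
  name: "Ada Lovelace",
  groups: ["staff", "admins"],
  address: { locality: "London" },
};
```

With "replace" the user info endpoint wins outright for groups; with "merge" a group present only in the id token survives, which matters when the application uses such a claim for authorization decisions.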
metadata?: Partial<OidcMetadata>

Provide metadata when the authority server does not allow CORS on the metadata endpoint

metadataSeed?: Partial<OidcMetadata>

Can be used to seed or add additional values to the results of the discovery request

metadataUrl?: string
omitScopeWhenRequesting?: boolean

https://datatracker.ietf.org/doc/html/rfc6749#section-3.3 describes the behavior when scopes are omitted from sign-in requests. If the IDP supports default scopes, this setting causes the scope property passed in the config to be ignored. (default: false)

post_logout_redirect_uri?: string

The OIDC/OAuth2 post-logout redirect URI

prompt?: string

optional protocol param

redirect_uri: string

The redirect URI of your client application to receive a response from the OIDC/OAuth2 provider

refreshTokenAllowedScope?: string

Only scopes in this list will be passed in the token refresh request.

requestTimeoutInSeconds?: number

Defines request timeouts globally across all requests made to the authorisation server

resource?: string | string[]

optional protocol param

response_mode?: "query" | "fragment"

Optional protocol param. The response mode used by the authority server is determined by the response_type unless explicitly specified:

  • Response mode for the OAuth 2.0 response type "code" is the "query" encoding
  • Response mode for the OAuth 2.0 response type "token" is the "fragment" encoding

response_type?: string

The type of response desired from the OIDC/OAuth2 provider (default: "code")

revokeTokenAdditionalContentTypes?: string[]

The Content-Type header of the revocation endpoint's response is checked against these additional values (default: [])

scope?: string

The scope being requested from the OIDC/OAuth2 provider (default: "openid")

signingKeys?: SigningKey[]

Provide signingKeys when the authority server does not allow CORS on the jwks uri

staleStateAgeInSeconds?: number

Number of seconds after which state entries stored for authorize requests are considered abandoned and can be cleaned up (default: 900)

stateStore?: StateStore

Storage object used to persist interaction state (default: window.localStorage, or InMemoryWebStorage if there is no window). E.g. stateStore: new WebStorageStateStore({ store: window.localStorage })
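
How the stateStore, staleStateAgeInSeconds and response_mode settings fit together around the sign-in state, as one added example covering those three entries; it is not oidc-client-ts code. The SyncStateStore interface, InMemoryStateStore class, StateEntry shape and the helper functions are this example's own (the library's StateStore is not reproduced here), and the timestamps are constructed. Where the page only defines the response mode for "code" and "token", this example treats every response_type other than "code" as fragment-encoded, which is an assumption.

```typescript
// Added example (not oidc-client-ts code): storing sign-in state, expiring
// abandoned entries, and reading the callback by response_mode.

export interface SyncStateStore {
  set(key: string, value: string): void;
  get(key: string): string | null;
  remove(key: string): string | null;
  getAllKeys(): string[];
}

// In-memory store; the page's default in a browser is window.localStorage.
export class InMemoryStateStore implements SyncStateStore {
  private readonly map = new Map<string, string>();
  set(key: string, value: string): void { this.map.set(key, value); }
  get(key: string): string | null { return this.map.get(key) ?? null; }
  remove(key: string): string | null {
    const v = this.map.get(key) ?? null;
    this.map.delete(key);
    return v;
  }
  getAllKeys(): string[] { return [...this.map.keys()]; }
}

// Shape of one stored entry (this example's own): creation time in seconds
// and the redirect_uri the response must come back to.
export interface StateEntry { created: number; redirect_uri: string; }

export function storeSignInState(store: SyncStateStore, id: string, entry: StateEntry): void {
  store.set(id, JSON.stringify(entry));
}

// Remove entries older than staleStateAgeInSeconds (page default: 900); returns the removed ids.
export function clearStaleState(store: SyncStateStore, nowSeconds: number, staleStateAgeInSeconds = 900): string[] {
  const removed: string[] = [];
  for (const key of store.getAllKeys()) {
    const raw = store.get(key);
    if (raw === null) continue;
    const entry = JSON.parse(raw) as StateEntry;
    if (nowSeconds - entry.created > staleStateAgeInSeconds) {
      store.remove(key);
      removed.push(key);
    }
  }
  return removed;
}

// Page rule: response_type "code" -> "query", "token" -> "fragment", unless response_mode is set.
// Assumption made here: any other response_type (implicit/hybrid) is treated as fragment.
export function parseCallbackParams(
  url: string,
  settings: { response_type?: string; response_mode?: "query" | "fragment" },
): URLSearchParams {
  const responseType = settings.response_type ?? "code";
  const mode = settings.response_mode ?? (responseType === "code" ? "query" : "fragment");
  const parsed = new URL(url);
  return new URLSearchParams(mode === "fragment" ? parsed.hash.replace(/^#/, "") : parsed.search);
}

// Look up the entry for the returned state and consume it, so the same
// response cannot be accepted twice. Returns null for unknown or reused state.
export function consumeCallbackState(store: SyncStateStore, params: URLSearchParams): StateEntry | null {
  const state = params.get("state");
  if (state === null) return null;
  const raw = store.remove(state);
  return raw === null ? null : (JSON.parse(raw) as StateEntry);
}
```

Keeping the state entry server-unknown and single-use is what ties a callback to a sign-in the client actually started; the stale-state sweep only bounds how long abandoned entries linger in storage.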

ui_locales?: string

optional protocol param