Interface UserManagerSettings

The settings used to configure the UserManager.

interface UserManagerSettings {
    accessTokenExpiringNotificationTimeInSeconds?: number;
    acr_values?: string;
    authority: string;
    automaticSilentRenew?: boolean;
    checkSessionIntervalInSeconds?: number;
    client_authentication?: "client_secret_post" | "client_secret_basic";
    client_id: string;
    client_secret?: string;
    disablePKCE?: boolean;
    display?: string;
    dpop?: DPoPSettings;
    extraHeaders?: Record<string, ExtraHeader>;
    extraQueryParams?: Record<string, string | number | boolean>;
    extraTokenParams?: Record<string, unknown>;
    fetchRequestCredentials?: RequestCredentials;
    filterProtocolClaims?: boolean | string[];
    iframeNotifyParentOrigin?: string;
    iframeScriptOrigin?: string;
    includeIdTokenInSilentRenew?: boolean;
    includeIdTokenInSilentSignout?: boolean;
    loadUserInfo?: boolean;
    max_age?: number;
    mergeClaimsStrategy?: {
        array: "replace" | "merge";
    };
    metadata?: Partial<OidcMetadata>;
    metadataSeed?: Partial<OidcMetadata>;
    metadataUrl?: string;
    monitorAnonymousSession?: boolean;
    monitorSession?: boolean;
    omitScopeWhenRequesting?: boolean;
    popup_post_logout_redirect_uri?: string;
    popup_redirect_uri?: string;
    popupWindowFeatures?: PopupWindowFeatures;
    popupWindowTarget?: string;
    post_logout_redirect_uri?: string;
    prompt?: string;
    query_status_response_type?: string;
    redirect_uri: string;
    redirectMethod?: "replace" | "assign";
    redirectTarget?: "top" | "self";
    refreshTokenAllowedScope?: string;
    requestTimeoutInSeconds?: number;
    resource?: string | string[];
    response_mode?: "query" | "fragment";
    response_type?: string;
    revokeTokenAdditionalContentTypes?: string[];
    revokeTokensOnSignout?: boolean;
    revokeTokenTypes?: ("access_token" | "refresh_token")[];
    scope?: string;
    signingKeys?: SigningKey[];
    silent_redirect_uri?: string;
    silentRequestTimeoutInSeconds?: number;
    staleStateAgeInSeconds?: number;
    stateStore?: StateStore;
    stopCheckSessionOnError?: boolean;
    ui_locales?: string;
    userStore?: WebStorageStateStore;
    validateSubOnSilentRenew?: boolean;
}

Hierarchy (view full)

Properties

accessTokenExpiringNotificationTimeInSeconds? acr_values? authority automaticSilentRenew? checkSessionIntervalInSeconds? client_authentication? client_id client_secret? disablePKCE? display? dpop? extraHeaders? extraQueryParams? extraTokenParams? fetchRequestCredentials? filterProtocolClaims? iframeNotifyParentOrigin? iframeScriptOrigin? includeIdTokenInSilentRenew? includeIdTokenInSilentSignout? loadUserInfo? max_age? mergeClaimsStrategy? metadata? metadataSeed? metadataUrl? monitorAnonymousSession? monitorSession? omitScopeWhenRequesting? popup_post_logout_redirect_uri? popup_redirect_uri? popupWindowFeatures? popupWindowTarget? post_logout_redirect_uri? prompt? query_status_response_type? redirect_uri redirectMethod? redirectTarget? refreshTokenAllowedScope? requestTimeoutInSeconds? resource? response_mode? response_type? revokeTokenAdditionalContentTypes? revokeTokensOnSignout? revokeTokenTypes? scope? signingKeys? silent_redirect_uri? silentRequestTimeoutInSeconds? staleStateAgeInSeconds? stateStore? stopCheckSessionOnError? ui_locales? userStore? validateSubOnSilentRenew?

Properties

OptionalaccessTokenExpiringNotificationTimeInSeconds

accessTokenExpiringNotificationTimeInSeconds?: number

The number of seconds before an access token is to expire to raise the accessTokenExpiring event (default: 60)

Optionalacr_values

acr_values?: string

optional protocol param

authority

authority: string

The URL of the OIDC/OAuth2 provider

OptionalautomaticSilentRenew

automaticSilentRenew?: boolean

Flag to indicate if there should be an automatic attempt to renew the access token prior to its expiration. The automatic renew attempt starts 1 minute before the access token expires (default: true)

OptionalcheckSessionIntervalInSeconds

checkSessionIntervalInSeconds?: number

Interval in seconds to check the user's session (default: 2)

Optionalclient_authentication

client_authentication?: "client_secret_post" | "client_secret_basic"

Client authentication method that is used to authenticate when using the token endpoint (default: "client_secret_post")

  • "client_secret_basic": using the HTTP Basic authentication scheme
  • "client_secret_post": including the client credentials in the request body

See https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

client_id

client_id: string

Your client application's identifier as registered with the OIDC/OAuth2

Optionalclient_secret

client_secret?: string

OptionaldisablePKCE

disablePKCE?: boolean

Will disable PKCE validation, changing to true will not append to sign in request code_challenge and code_challenge_method. (default: false)

Optionaldisplay

display?: string

optional protocol param

Optionaldpop

dpop?: DPoPSettings

DPoP enabled or disabled

OptionalextraHeaders

extraHeaders?: Record<string, ExtraHeader>

An object containing additional header to be including in request.

OptionalextraQueryParams

extraQueryParams?: Record<string, string | number | boolean>

An object containing additional query string parameters to be including in the authorization request. E.g, when using Azure AD to obtain an access token an additional resource parameter is required. extraQueryParams: {resource:"some_identifier"}

OptionalextraTokenParams

extraTokenParams?: Record<string, unknown>

OptionalfetchRequestCredentials

fetchRequestCredentials?: RequestCredentials

Sets the credentials for fetch requests. (default: "same-origin") Use this if you need to send cookies to the OIDC/OAuth2 provider or if you are using a proxy that requires cookies

OptionalfilterProtocolClaims

filterProtocolClaims?: boolean | string[]

Should optional OIDC protocol claims be removed from profile or specify the ones to be removed (default: true) When true, the following claims are removed by default: ["nbf", "jti", "auth_time", "nonce", "acr", "amr", "azp", "at_hash"] When specifying claims, the following claims are not allowed: ["sub", "iss", "aud", "exp", "iat"]

OptionaliframeNotifyParentOrigin

iframeNotifyParentOrigin?: string

The target to pass while calling postMessage inside iframe for callback (default: window.location.origin)

OptionaliframeScriptOrigin

iframeScriptOrigin?: string

The script origin to check during 'message' callback execution while performing silent auth via iframe (default: window.location.origin)

OptionalincludeIdTokenInSilentRenew

includeIdTokenInSilentRenew?: boolean

Flag to control if id_token is included as id_token_hint in silent renew calls (default: false)

OptionalincludeIdTokenInSilentSignout

includeIdTokenInSilentSignout?: boolean

Flag to control if id_token is included as id_token_hint in silent signout calls (default: false)

OptionalloadUserInfo

loadUserInfo?: boolean

Flag to control if additional identity data is loaded from the user info endpoint in order to populate the user's profile (default: false)

Optionalmax_age

max_age?: number

optional protocol param

OptionalmergeClaimsStrategy

mergeClaimsStrategy?: {
    array: "replace" | "merge";
}

Indicates how objects returned from the user info endpoint as claims (e.g. address) are merged into the claims from the id token as a single object. (default: { array: "replace" })

  • array: "replace": natives (string, int, float) and arrays are replaced, objects are merged as distinct objects
  • array: "merge": natives (string, int, float) are replaced, arrays and objects are merged as distinct objects

Optionalmetadata

metadata?: Partial<OidcMetadata>

Provide metadata when authority server does not allow CORS on the metadata endpoint

OptionalmetadataSeed

metadataSeed?: Partial<OidcMetadata>

Can be used to seed or add additional values to the results of the discovery request

OptionalmetadataUrl

metadataUrl?: string

OptionalmonitorAnonymousSession

monitorAnonymousSession?: boolean

OptionalmonitorSession

monitorSession?: boolean

Will raise events for when user has performed a signout at the OP (default: false)

OptionalomitScopeWhenRequesting

omitScopeWhenRequesting?: boolean

https://datatracker.ietf.org/doc/html/rfc6749#section-3.3 describes behavior when omitting scopes from sign in requests If the IDP supports default scopes, this setting will ignore the scopes property passed to the config. (Default: false)

Optionalpopup_post_logout_redirect_uri

popup_post_logout_redirect_uri?: string

Optionalpopup_redirect_uri

popup_redirect_uri?: string

The URL for the page containing the call to signinPopupCallback to handle the callback from the OIDC/OAuth2

OptionalpopupWindowFeatures

popupWindowFeatures?: PopupWindowFeatures

The features parameter to window.open for the popup signin window. By default, the popup is placed centered in front of the window opener. (default: { location: false, menubar: false, height: 640, closePopupWindowAfterInSeconds: -1 })

OptionalpopupWindowTarget

popupWindowTarget?: string

The target parameter to window.open for the popup signin window (default: "_blank")

Optionalpost_logout_redirect_uri

post_logout_redirect_uri?: string

The OIDC/OAuth2 post-logout redirect URI

Optionalprompt

prompt?: string

optional protocol param

Optionalquery_status_response_type

query_status_response_type?: string

redirect_uri

redirect_uri: string

The redirect URI of your client application to receive a response from the OIDC/OAuth2 provider

OptionalredirectMethod

redirectMethod?: "replace" | "assign"

The methods window.location method used to redirect (default: "assign")

OptionalredirectTarget

redirectTarget?: "top" | "self"

The methods target window being redirected (default: "self")

OptionalrefreshTokenAllowedScope

refreshTokenAllowedScope?: string

Only scopes in this list will be passed in the token refresh request.

OptionalrequestTimeoutInSeconds

requestTimeoutInSeconds?: number

Defines request timeouts globally across all requests made to the authorisation server

Optionalresource

resource?: string | string[]

optional protocol param

Optionalresponse_mode

response_mode?: "query" | "fragment"

Optional protocol param The response mode used by the authority server is defined by the response_type unless explicitly specified:

  • Response mode for the OAuth 2.0 response type "code" is the "query" encoding
  • Response mode for the OAuth 2.0 response type "token" is the "fragment" encoding

See

https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#ResponseModes

Optionalresponse_type

response_type?: string

The type of response desired from the OIDC/OAuth2 provider (default: "code")

OptionalrevokeTokenAdditionalContentTypes

revokeTokenAdditionalContentTypes?: string[]

Will check the content type header of the response of the revocation endpoint to match these passed values (default: [])

OptionalrevokeTokensOnSignout

revokeTokensOnSignout?: boolean

Will invoke the revocation endpoint on signout if there is an access token for the user (default: false)

OptionalrevokeTokenTypes

revokeTokenTypes?: ("access_token" | "refresh_token")[]

The token_type_hints to pass to the authority server by default (default: ["access_token", "refresh_token"])

Token types will be revoked in the same order as they are given here.

Optionalscope

scope?: string

The scope being requested from the OIDC/OAuth2 provider (default: "openid")

OptionalsigningKeys

signingKeys?: SigningKey[]

Provide signingKeys when authority server does not allow CORS on the jwks uri

Optionalsilent_redirect_uri

silent_redirect_uri?: string

The URL for the page containing the code handling the silent renew

OptionalsilentRequestTimeoutInSeconds

silentRequestTimeoutInSeconds?: number

Number of seconds to wait for the silent renew to return before assuming it has failed or timed out (default: 10)

OptionalstaleStateAgeInSeconds

staleStateAgeInSeconds?: number

Number (in seconds) indicating the age of state entries in storage for authorize requests that are considered abandoned and thus can be cleaned up (default: 900)

OptionalstateStore

stateStore?: StateStore

Storage object used to persist interaction state (default: window.localStorage, InMemoryWebStorage iff no window). E.g. stateStore: new WebStorageStateStore({ store: window.localStorage })

OptionalstopCheckSessionOnError

stopCheckSessionOnError?: boolean

Optionalui_locales

ui_locales?: string

optional protocol param

OptionaluserStore

userStore?: WebStorageStateStore

Storage object used to persist User for currently authenticated user (default: window.sessionStorage, InMemoryWebStorage iff no window). E.g. userStore: new WebStorageStateStore({ store: window.localStorage })

OptionalvalidateSubOnSilentRenew

validateSubOnSilentRenew?: boolean

Flag to validate user.profile.sub in silent renew calls (default: true)

Settings

Member Visibility

On This Page

Properties
accessTokenExpiringNotificationTimeInSecondsacr_valuesauthorityautomaticSilentRenewcheckSessionIntervalInSecondsclient_authenticationclient_idclient_secretdisablePKCEdisplaydpopextraHeadersextraQueryParamsextraTokenParamsfetchRequestCredentialsfilterProtocolClaimsiframeNotifyParentOriginiframeScriptOriginincludeIdTokenInSilentRenewincludeIdTokenInSilentSignoutloadUserInfomax_agemergeClaimsStrategymetadatametadataSeedmetadataUrlmonitorAnonymousSessionmonitorSessionomitScopeWhenRequestingpopup_post_logout_redirect_uripopup_redirect_uripopupWindowFeaturespopupWindowTargetpost_logout_redirect_uripromptquery_status_response_typeredirect_uriredirectMethodredirectTargetrefreshTokenAllowedScoperequestTimeoutInSecondsresourceresponse_moderesponse_typerevokeTokenAdditionalContentTypesrevokeTokensOnSignoutrevokeTokenTypesscopesigningKeyssilent_redirect_urisilentRequestTimeoutInSecondsstaleStateAgeInSecondsstateStorestopCheckSessionOnErrorui_localesuserStorevalidateSubOnSilentRenew