Interface UserManagerSettings

The settings used to configure the UserManager.

interface UserManagerSettings {
    accessTokenExpiringNotificationTimeInSeconds?: number;
    acr_values?: string;
    authority: string;
    automaticSilentRenew?: boolean;
    checkSessionIntervalInSeconds?: number;
    client_authentication?: "client_secret_post" | "client_secret_basic";
    client_id: string;
    client_secret?: string;
    disablePKCE?: boolean;
    display?: string;
    extraHeaders?: Record<string, ExtraHeader>;
    extraQueryParams?: Record<string, string | number | boolean>;
    extraTokenParams?: Record<string, unknown>;
    fetchRequestCredentials?: RequestCredentials;
    filterProtocolClaims?: boolean | string[];
    iframeNotifyParentOrigin?: string;
    iframeScriptOrigin?: string;
    includeIdTokenInSilentRenew?: boolean;
    includeIdTokenInSilentSignout?: boolean;
    loadUserInfo?: boolean;
    max_age?: number;
    mergeClaimsStrategy?: {
        array: "replace" | "merge";
    metadata?: Partial<OidcMetadata>;
    metadataSeed?: Partial<OidcMetadata>;
    metadataUrl?: string;
    monitorAnonymousSession?: boolean;
    monitorSession?: boolean;
    popupWindowFeatures?: PopupWindowFeatures;
    popupWindowTarget?: string;
    popup_post_logout_redirect_uri?: string;
    popup_redirect_uri?: string;
    post_logout_redirect_uri?: string;
    prompt?: string;
    query_status_response_type?: string;
    redirectMethod?: "replace" | "assign";
    redirectTarget?: "top" | "self";
    redirect_uri: string;
    refreshTokenAllowedScope?: string;
    resource?: string | string[];
    response_mode?: "query" | "fragment";
    response_type?: string;
    revokeTokenAdditionalContentTypes?: string[];
    revokeTokenTypes?: ("access_token" | "refresh_token")[];
    revokeTokensOnSignout?: boolean;
    scope?: string;
    signingKeys?: SigningKey[];
    silentRequestTimeoutInSeconds?: number;
    silent_redirect_uri?: string;
    staleStateAgeInSeconds?: number;
    stateStore?: StateStore;
    stopCheckSessionOnError?: boolean;
    ui_locales?: string;
    userStore?: WebStorageStateStore;
    validateSubOnSilentRenew?: boolean;

Hierarchy (view full)


accessTokenExpiringNotificationTimeInSeconds?: number

The number of seconds before an access token is to expire to raise the accessTokenExpiring event (default: 60)

acr_values?: string

optional protocol param

authority: string

The URL of the OIDC/OAuth2 provider

automaticSilentRenew?: boolean

Flag to indicate if there should be an automatic attempt to renew the access token prior to its expiration. The automatic renew attempt starts 1 minute before the access token expires (default: true)

checkSessionIntervalInSeconds?: number

Interval in seconds to check the user's session (default: 2)

client_authentication?: "client_secret_post" | "client_secret_basic"

Client authentication method that is used to authenticate when using the token endpoint (default: "client_secret_post")

  • "client_secret_basic": using the HTTP Basic authentication scheme
  • "client_secret_post": including the client credentials in the request body


client_id: string

Your client application's identifier as registered with the OIDC/OAuth2

client_secret?: string
disablePKCE?: boolean

Will disable PKCE validation, changing to true will not append to sign in request code_challenge and code_challenge_method. (default: false)

display?: string

optional protocol param

extraHeaders?: Record<string, ExtraHeader>

An object containing additional header to be including in request.

extraQueryParams?: Record<string, string | number | boolean>

An object containing additional query string parameters to be including in the authorization request. E.g, when using Azure AD to obtain an access token an additional resource parameter is required. extraQueryParams: {resource:"some_identifier"}

extraTokenParams?: Record<string, unknown>
fetchRequestCredentials?: RequestCredentials

Sets the credentials for fetch requests. (default: "same-origin") Use this if you need to send cookies to the OIDC/OAuth2 provider or if you are using a proxy that requires cookies

filterProtocolClaims?: boolean | string[]

Should optional OIDC protocol claims be removed from profile or specify the ones to be removed (default: true) When true, the following claims are removed by default: ["nbf", "jti", "auth_time", "nonce", "acr", "amr", "azp", "at_hash"] When specifying claims, the following claims are not allowed: ["sub", "iss", "aud", "exp", "iat"]

iframeNotifyParentOrigin?: string

The target to pass while calling postMessage inside iframe for callback (default: window.location.origin)

iframeScriptOrigin?: string

The script origin to check during 'message' callback execution while performing silent auth via iframe (default: window.location.origin)

includeIdTokenInSilentRenew?: boolean

Flag to control if id_token is included as id_token_hint in silent renew calls (default: false)

includeIdTokenInSilentSignout?: boolean

Flag to control if id_token is included as id_token_hint in silent signout calls (default: false)

loadUserInfo?: boolean

Flag to control if additional identity data is loaded from the user info endpoint in order to populate the user's profile (default: false)

max_age?: number

optional protocol param

mergeClaimsStrategy?: {
    array: "replace" | "merge";

Indicates how objects returned from the user info endpoint as claims (e.g. address) are merged into the claims from the id token as a single object. (default: { array: "replace" })

  • array: "replace": natives (string, int, float) and arrays are replaced, objects are merged as distinct objects
  • array: "merge": natives (string, int, float) are replaced, arrays and objects are merged as distinct objects

Type declaration

  • array: "replace" | "merge"
metadata?: Partial<OidcMetadata>

Provide metadata when authority server does not allow CORS on the metadata endpoint

metadataSeed?: Partial<OidcMetadata>

Can be used to seed or add additional values to the results of the discovery request

metadataUrl?: string
monitorAnonymousSession?: boolean
monitorSession?: boolean

Will raise events for when user has performed a signout at the OP (default: false)

popupWindowFeatures?: PopupWindowFeatures

The features parameter to for the popup signin window. By default, the popup is placed centered in front of the window opener. (default: { location: false, menubar: false, height: 640, closePopupWindowAfterInSeconds: -1 })

popupWindowTarget?: string

The target parameter to for the popup signin window (default: "_blank")

popup_post_logout_redirect_uri?: string
popup_redirect_uri?: string

The URL for the page containing the call to signinPopupCallback to handle the callback from the OIDC/OAuth2

post_logout_redirect_uri?: string

The OIDC/OAuth2 post-logout redirect URI

prompt?: string

optional protocol param

query_status_response_type?: string
redirectMethod?: "replace" | "assign"

The methods window.location method used to redirect (default: "assign")

redirectTarget?: "top" | "self"

The methods target window being redirected (default: "self")

redirect_uri: string

The redirect URI of your client application to receive a response from the OIDC/OAuth2 provider

refreshTokenAllowedScope?: string

Only scopes in this list will be passed in the token refresh request.

resource?: string | string[]

optional protocol param

response_mode?: "query" | "fragment"

Optional protocol param The response mode used by the authority server is defined by the response_type unless explicitly specified:

  • Response mode for the OAuth 2.0 response type "code" is the "query" encoding
  • Response mode for the OAuth 2.0 response type "token" is the "fragment" encoding
response_type?: string

The type of response desired from the OIDC/OAuth2 provider (default: "code")

revokeTokenAdditionalContentTypes?: string[]

Will check the content type header of the response of the revocation endpoint to match these passed values (default: [])

revokeTokenTypes?: ("access_token" | "refresh_token")[]

The token_type_hints to pass to the authority server by default (default: ["access_token", "refresh_token"])

Token types will be revoked in the same order as they are given here.

revokeTokensOnSignout?: boolean

Will invoke the revocation endpoint on signout if there is an access token for the user (default: false)

scope?: string

The scope being requested from the OIDC/OAuth2 provider (default: "openid")

signingKeys?: SigningKey[]

Provide signingKeys when authority server does not allow CORS on the jwks uri

silentRequestTimeoutInSeconds?: number

Number of seconds to wait for the silent renew to return before assuming it has failed or timed out (default: 10)

silent_redirect_uri?: string

The URL for the page containing the code handling the silent renew

staleStateAgeInSeconds?: number

Number (in seconds) indicating the age of state entries in storage for authorize requests that are considered abandoned and thus can be cleaned up (default: 900)

stateStore?: StateStore

Storage object used to persist interaction state (default: window.localStorage, InMemoryWebStorage iff no window). E.g. stateStore: new WebStorageStateStore({ store: window.localStorage })

stopCheckSessionOnError?: boolean
ui_locales?: string

optional protocol param

Storage object used to persist User for currently authenticated user (default: window.sessionStorage, InMemoryWebStorage iff no window). E.g. userStore: new WebStorageStateStore({ store: window.localStorage })

validateSubOnSilentRenew?: boolean

Flag to validate user.profile.sub in silent renew calls (default: true)

Generated using TypeDoc