oidc-client-ts
    Interface UserManagerSettings

    The settings used to configure the UserManager.

    interface UserManagerSettings {
        accessTokenExpiringNotificationTimeInSeconds?: number;
        acr_values?: string;
        authority: string;
        automaticSilentRenew?: boolean;
        checkSessionIntervalInSeconds?: number;
        client_authentication?: "client_secret_post" | "client_secret_basic";
        client_id: string;
        client_secret?: string;
        disablePKCE?: boolean;
        display?: string;
        dpop?: DPoPSettings;
        extraHeaders?: Record<string, ExtraHeader>;
        extraQueryParams?: Record<string, string | number | boolean>;
        extraTokenParams?: Record<string, unknown>;
        fetchRequestCredentials?: RequestCredentials;
        filterProtocolClaims?: boolean | string[];
        iframeNotifyParentOrigin?: string;
        iframeScriptOrigin?: string;
        includeIdTokenInSilentRenew?: boolean;
        includeIdTokenInSilentSignout?: boolean;
        loadUserInfo?: boolean;
        max_age?: number;
        mergeClaimsStrategy?: { array: "replace" | "merge" };
        metadata?: Partial<OidcMetadata>;
        metadataSeed?: Partial<OidcMetadata>;
        metadataUrl?: string;
        monitorAnonymousSession?: boolean;
        monitorSession?: boolean;
        omitScopeWhenRequesting?: boolean;
        popup_post_logout_redirect_uri?: string;
        popup_redirect_uri?: string;
        popupWindowFeatures?: PopupWindowFeatures;
        popupWindowTarget?: string;
        post_logout_redirect_uri?: string;
        prompt?: string;
        query_status_response_type?: string;
        redirect_uri: string;
        redirectMethod?: "replace" | "assign";
        redirectTarget?: "top" | "self";
        refreshTokenAllowedScope?: string;
        requestTimeoutInSeconds?: number;
        resource?: string | string[];
        response_mode?: "query" | "fragment";
        response_type?: string;
        revokeTokenAdditionalContentTypes?: string[];
        revokeTokensOnSignout?: boolean;
        revokeTokenTypes?: ("access_token" | "refresh_token")[];
        scope?: string;
        signingKeys?: SigningKey[];
        silent_redirect_uri?: string;
        silentRequestTimeoutInSeconds?: number;
        staleStateAgeInSeconds?: number;
        stateStore?: StateStore;
        stopCheckSessionOnError?: boolean;
        ui_locales?: string;
        userStore?: StateStore;
        validateSubOnSilentRenew?: boolean;
    }

    Properties

    accessTokenExpiringNotificationTimeInSeconds?: number

    The number of seconds before an access token is to expire to raise the accessTokenExpiring event (default: 60)

    acr_values?: string

    optional protocol param

    authority: string

    The URL of the OIDC/OAuth2 provider

    automaticSilentRenew?: boolean

    Flag to indicate if there should be an automatic attempt to renew the access token prior to its expiration. The automatic renew attempt starts 1 minute before the access token expires (default: true)

    checkSessionIntervalInSeconds?: number

    Interval in seconds to check the user's session (default: 2)

    client_authentication?: "client_secret_post" | "client_secret_basic"

    Client authentication method that is used to authenticate when using the token endpoint (default: "client_secret_post")

    • "client_secret_basic": using the HTTP Basic authentication scheme
    • "client_secret_post": including the client credentials in the request body

    See https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

    client_id: string

    Your client application's identifier as registered with the OIDC/OAuth2

    client_secret?: string

    disablePKCE?: boolean

    Disables PKCE validation. When set to true, code_challenge and code_challenge_method are not appended to the sign-in request (default: false)

    display?: string

    optional protocol param

    dpop?: DPoPSettings

    DPoP enabled or disabled

    extraHeaders?: Record<string, ExtraHeader>

    An object containing additional headers to be included in requests.

    extraQueryParams?: Record<string, string | number | boolean>

    An object containing additional query string parameters to be included in the authorization request. E.g., when using Azure AD to obtain an access token, an additional resource parameter is required: extraQueryParams: {resource:"some_identifier"}

    extraTokenParams?: Record<string, unknown>

    fetchRequestCredentials?: RequestCredentials

    Sets the credentials for fetch requests (default: "same-origin"). Use this if you need to send cookies to the OIDC/OAuth2 provider or if you are using a proxy that requires cookies.

    filterProtocolClaims?: boolean | string[]

    Whether optional OIDC protocol claims should be removed from the profile, or a list of the claims to remove (default: true). When true, the following claims are removed by default: ["nbf", "jti", "auth_time", "nonce", "acr", "amr", "azp", "at_hash"]. When specifying claims, the following claims are not allowed: ["sub", "iss", "aud", "exp", "iat"].

    iframeNotifyParentOrigin?: string

    The target to pass while calling postMessage inside iframe for callback (default: window.location.origin)

    iframeScriptOrigin?: string

    The script origin to check during 'message' callback execution while performing silent auth via iframe (default: window.location.origin)

    includeIdTokenInSilentRenew?: boolean

    Flag to control if id_token is included as id_token_hint in silent renew calls (default: false)

    includeIdTokenInSilentSignout?: boolean

    Flag to control if id_token is included as id_token_hint in silent signout calls (default: false)

    loadUserInfo?: boolean

    Flag to control if additional identity data is loaded from the user info endpoint in order to populate the user's profile (default: false)

    max_age?: number

    optional protocol param

    mergeClaimsStrategy?: { array: "replace" | "merge" }

    Indicates how objects returned from the user info endpoint as claims (e.g. address) are merged into the claims from the id token as a single object. (default: { array: "replace" })

    • array: "replace": natives (string, int, float) and arrays are replaced, objects are merged as distinct objects
    • array: "merge": natives (string, int, float) are replaced, arrays and objects are merged as distinct objects

    metadata?: Partial<OidcMetadata>

    Provide metadata when authority server does not allow CORS on the metadata endpoint

    metadataSeed?: Partial<OidcMetadata>

    Can be used to seed or add additional values to the results of the discovery request

    metadataUrl?: string

    monitorAnonymousSession?: boolean

    monitorSession?: boolean

    Will raise events for when user has performed a signout at the OP (default: false)

    omitScopeWhenRequesting?: boolean

    https://datatracker.ietf.org/doc/html/rfc6749#section-3.3 describes the behavior when scopes are omitted from sign-in requests. If the IDP supports default scopes, this setting will ignore the scopes property passed to the config (default: false).

    popup_post_logout_redirect_uri?: string

    popup_redirect_uri?: string

    The URL for the page containing the call to signinPopupCallback to handle the callback from the OIDC/OAuth2

    popupWindowFeatures?: PopupWindowFeatures

    The features parameter to window.open for the popup signin window. By default, the popup is placed centered in front of the window opener. (default: { location: false, menubar: false, height: 640, closePopupWindowAfterInSeconds: -1 })

    popupWindowTarget?: string

    The target parameter to window.open for the popup signin window (default: "_blank")

    post_logout_redirect_uri?: string

    The OIDC/OAuth2 post-logout redirect URI

    prompt?: string

    optional protocol param

    query_status_response_type?: string

    redirect_uri: string

    The redirect URI of your client application to receive a response from the OIDC/OAuth2 provider

    redirectMethod?: "replace" | "assign"

    The window.location method used to redirect (default: "assign")

    redirectTarget?: "top" | "self"

    The target window being redirected (default: "self")

    refreshTokenAllowedScope?: string

    Only scopes in this list will be passed in the token refresh request.

    requestTimeoutInSeconds?: number

    Defines request timeouts globally across all requests made to the authorisation server

    resource?: string | string[]

    optional protocol param

    response_mode?: "query" | "fragment"

    Optional protocol param. The response mode used by the authority server is defined by the response_type unless explicitly specified:

    • Response mode for the OAuth 2.0 response type "code" is the "query" encoding
    • Response mode for the OAuth 2.0 response type "token" is the "fragment" encoding

    response_type?: string

    The type of response desired from the OIDC/OAuth2 provider (default: "code")

    revokeTokenAdditionalContentTypes?: string[]

    Will check the content type header of the response of the revocation endpoint to match these passed values (default: [])

    revokeTokensOnSignout?: boolean

    Will invoke the revocation endpoint on signout if there is an access token for the user (default: false)

    revokeTokenTypes?: ("access_token" | "refresh_token")[]

    The token_type_hints to pass to the authority server by default (default: ["access_token", "refresh_token"])

    Token types will be revoked in the same order as they are given here.

    scope?: string

    The scope being requested from the OIDC/OAuth2 provider (default: "openid")

    signingKeys?: SigningKey[]

    Provide signingKeys when authority server does not allow CORS on the jwks uri

    silent_redirect_uri?: string

    The URL for the page containing the code handling the silent renew

    silentRequestTimeoutInSeconds?: number

    Number of seconds to wait for the silent renew to return before assuming it has failed or timed out (default: 10)

    staleStateAgeInSeconds?: number

    Number (in seconds) indicating the age of state entries in storage for authorize requests that are considered abandoned and thus can be cleaned up (default: 900)

    stateStore?: StateStore

    Storage object used to persist interaction state (default: window.localStorage, InMemoryWebStorage iff no window). E.g. stateStore: new WebStorageStateStore({ store: window.localStorage })

    stopCheckSessionOnError?: boolean

    ui_locales?: string

    optional protocol param

    userStore?: StateStore

    Storage object used to persist User for currently authenticated user (default: window.sessionStorage, InMemoryWebStorage iff no window). E.g. userStore: new WebStorageStateStore({ store: window.localStorage })

    validateSubOnSilentRenew?: boolean

    Flag to validate user.profile.sub in silent renew calls (default: true)
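
An added example, not code from oidc-client-ts: a small audit over the security-relevant settings documented above that flags values which weaken the sign-in flow, run against a weak and a hardened configuration. The `SettingsSubset` type, the `auditSettings` helper, the https-only policy, the browser-SPA assumption behind the `client_secret` check, and all sample values are assumptions made for illustration.

```typescript
// Subset of the fields documented above, declared locally (not imported from oidc-client-ts).
type SettingsSubset = {
    authority: string; client_id: string; redirect_uri: string;
    client_secret?: string; disablePKCE?: boolean; response_type?: string;
    filterProtocolClaims?: boolean | string[];
    iframeNotifyParentOrigin?: string; validateSubOnSilentRenew?: boolean;
};

// Claims the reference says may not be listed in filterProtocolClaims.
const PROTECTED_CLAIMS = ["sub", "iss", "aud", "exp", "iat"];
// Assumed policy: https everywhere, plain http only for loopback development.
const SAFE_URL = /^(https:\/\/|http:\/\/(localhost|127\.0\.0\.1)(:\d+)?(\/|$))/;

// Hypothetical helper: one finding per risky value, empty array when clean.
function auditSettings(s: SettingsSubset): string[] {
    const findings: string[] = [];
    if (!SAFE_URL.test(s.authority)) findings.push("authority: not https");
    if (!SAFE_URL.test(s.redirect_uri)) findings.push("redirect_uri: not https");
    if (s.client_secret !== undefined) // assumes the settings ship in a browser SPA
        findings.push("client_secret: readable by anyone who loads the app");
    if (s.disablePKCE === true)
        findings.push("disablePKCE: code_challenge is not sent");
    if ((s.response_type ?? "code") !== "code") // "code" is the documented default
        findings.push("response_type: not the authorization code flow");
    if (Array.isArray(s.filterProtocolClaims)) {
        const bad = s.filterProtocolClaims.filter((c) => PROTECTED_CLAIMS.indexOf(c) !== -1);
        if (bad.length > 0) findings.push(`filterProtocolClaims: not allowed: ${bad.join(",")}`);
    }
    if (s.iframeNotifyParentOrigin === "*")
        findings.push("iframeNotifyParentOrigin: postMessage target is any origin");
    if (s.validateSubOnSilentRenew === false)
        findings.push("validateSubOnSilentRenew: sub is not validated on silent renew");
    return findings;
}

// Constructed sample values; the hosts and client id are placeholders.
const weak: SettingsSubset = {
    authority: "http://idp.example.test", client_id: "spa-demo",
    redirect_uri: "https://app.example.test/callback",
    client_secret: "constructed-not-a-real-secret", disablePKCE: true,
    filterProtocolClaims: ["nonce", "sub"], iframeNotifyParentOrigin: "*",
};
const hardened: SettingsSubset = {
    authority: "https://idp.example.test", client_id: "spa-demo",
    redirect_uri: "https://app.example.test/callback",
    response_type: "code", disablePKCE: false, filterProtocolClaims: true,
};
```

Calling `auditSettings(weak)` returns five findings and `auditSettings(hardened)` returns none; a check like this fits in a unit test that guards the object passed to the UserManager.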