openid-client vs oidc-client-ts vs react-oidc-context vs oidc-client
OpenID Connect Client Libraries Comparison
Search packages..
1 Year
openid-clientoidc-client-tsreact-oidc-contextoidc-clientSimilar Packages:
What's OpenID Connect Client Libraries?

OpenID Connect client libraries are designed to facilitate the implementation of OpenID Connect (OIDC) authentication in web applications. They handle the complexities of the OIDC protocol, allowing developers to easily integrate secure authentication and authorization mechanisms into their applications. These libraries provide essential features such as token management, user session handling, and support for various authentication flows, making it easier to implement secure user authentication in modern web applications.

Package Weekly Downloads Trend
Github Stars Ranking
Stat Detail
Package
Downloads
Stars
Size
Issues
Publish
License
openid-client2,918,5282,039201 kB04 days agoMIT
oidc-client-ts498,9251,6221.66 MB1095 days agoApache-2.0
react-oidc-context168,910838113 kB77a month agoMIT
oidc-client146,4772,433-1164 years agoApache-2.0
Feature Comparison: openid-client vs oidc-client-ts vs react-oidc-context vs oidc-client

TypeScript Support

  • openid-client:

    openid-client is primarily a Node.js library and does not focus on TypeScript support, but it can still be used in TypeScript projects with some additional type definitions.

  • oidc-client-ts:

    oidc-client-ts is built with TypeScript in mind, offering complete type definitions and ensuring type safety across all functionalities, making it ideal for TypeScript projects.

  • react-oidc-context:

    react-oidc-context is designed for React applications and includes TypeScript support, providing type definitions that enhance the development experience.

  • oidc-client:

    oidc-client provides basic TypeScript support, allowing developers to use TypeScript features but may not fully leverage type safety throughout the library.

Authentication Flows

  • openid-client:

    openid-client offers extensive support for OIDC flows, including advanced features like dynamic client registration and support for multiple grant types, making it suitable for complex server-side applications.

  • oidc-client-ts:

    oidc-client-ts inherits the authentication flow capabilities of oidc-client, ensuring compatibility with all standard OIDC flows while providing a TypeScript-friendly interface.

  • react-oidc-context:

    react-oidc-context simplifies the implementation of OIDC flows in React applications, focusing primarily on the authorization code flow with PKCE, which is recommended for public clients.

  • oidc-client:

    oidc-client supports various OIDC authentication flows, including authorization code flow, implicit flow, and hybrid flow, making it versatile for different application needs.

User Session Management

  • openid-client:

    openid-client includes robust session management capabilities, particularly for server-side applications, allowing developers to handle user sessions and token storage securely.

  • oidc-client-ts:

    oidc-client-ts offers the same user session management features as oidc-client, ensuring that TypeScript users can manage sessions effectively without sacrificing functionality.

  • react-oidc-context:

    react-oidc-context leverages React context to manage user sessions seamlessly, providing hooks and components that streamline session handling and state updates in React applications.

  • oidc-client:

    oidc-client provides built-in user session management features, including token storage, automatic token renewal, and session expiration handling, which are essential for maintaining user authentication states.

Community and Documentation

  • openid-client:

    openid-client has thorough documentation and a strong community, particularly among Node.js developers, which helps in understanding its advanced features and configurations.

  • oidc-client-ts:

    oidc-client-ts benefits from the documentation of oidc-client while providing additional TypeScript-specific examples and resources, catering to TypeScript developers.

  • react-oidc-context:

    react-oidc-context has good documentation tailored for React developers, with examples that demonstrate how to integrate OIDC into React applications effectively.

  • oidc-client:

    oidc-client has a large community and extensive documentation, making it easy for developers to find resources, examples, and support when integrating OIDC into their applications.

Integration with Frameworks

  • openid-client:

    openid-client is designed for server-side applications, making it ideal for integration with Node.js frameworks such as Express, providing a robust solution for backend authentication.

  • oidc-client-ts:

    oidc-client-ts is particularly suited for TypeScript projects and can be integrated into any framework that supports TypeScript, enhancing compatibility and usability.

  • react-oidc-context:

    react-oidc-context is specifically built for React, offering a context-based API that simplifies the integration of OIDC into React components, making it the best choice for React applications.

  • oidc-client:

    oidc-client can be integrated into various JavaScript frameworks and libraries, providing flexibility for developers to use it in different environments.

How to Choose: openid-client vs oidc-client-ts vs react-oidc-context vs oidc-client
  • openid-client:

    Select openid-client if you require a more comprehensive and flexible solution for server-side applications. It is designed for Node.js environments and offers advanced features such as dynamic client registration and support for multiple OIDC providers, making it suitable for complex authentication scenarios.

  • oidc-client-ts:

    Opt for oidc-client-ts if you are specifically working with TypeScript and want type safety and better integration with TypeScript features. This library is a TypeScript-first version of oidc-client, providing a more modern approach while maintaining the core functionalities of its predecessor.

  • react-oidc-context:

    Use react-oidc-context if you are building a React application and want a library that provides a context-based API for managing OIDC authentication. It simplifies the integration of OIDC into React components, allowing for a more seamless user experience and easier state management.

  • oidc-client:

    Choose oidc-client if you need a mature and widely used library that supports a variety of OIDC flows and is compatible with both JavaScript and TypeScript. It is well-documented and has a large community, making it a reliable choice for general OIDC authentication needs.

Similar Npm Packages to openid-client

openid-client is a powerful and flexible OpenID Connect (OIDC) client library for Node.js applications. It allows developers to easily integrate OIDC authentication into their applications, enabling secure user authentication and authorization. With support for various OIDC providers, openid-client simplifies the process of managing tokens, handling redirects, and making authenticated requests to APIs. Its robust features make it a popular choice for applications that require secure user authentication and seamless integration with OIDC-compliant identity providers.

An alternative to openid-client is oidc-client. This library is specifically designed for client-side applications, such as single-page applications (SPAs), and provides a simple way to manage OIDC authentication flows. oidc-client focuses on handling user sessions, managing tokens, and facilitating interactions with OIDC providers from the browser. It is well-suited for applications that require a lightweight solution for OIDC authentication without the need for extensive server-side logic.

For a comprehensive comparison between these two libraries, check out the following link: Comparing oidc-client vs openid-client.

Similar Npm Packages to oidc-client-ts

oidc-client-ts is a TypeScript library designed for handling OpenID Connect (OIDC) and OAuth 2.0 authentication in web applications. It provides a robust set of features for managing user authentication, including token management, session handling, and automatic token renewal. With its TypeScript support, oidc-client-ts ensures type safety and a better development experience for those using TypeScript in their projects. This library is particularly useful for developers looking to implement secure authentication flows in their applications while leveraging the benefits of TypeScript.

There are several alternatives to oidc-client-ts that also facilitate OIDC and OAuth 2.0 authentication:

  • oidc-client is the original JavaScript library for managing OIDC and OAuth 2.0 authentication. It provides a comprehensive solution for handling user authentication, including features like token storage, automatic token renewal, and user session management. While oidc-client is widely used and well-documented, it is primarily written in JavaScript, which may not provide the same level of type safety as TypeScript-based libraries. However, it remains a solid choice for developers who prefer a more established library with a large community and extensive support.

  • openid-client is a certified OpenID Connect client library for Node.js. It is designed for server-side applications and provides a comprehensive set of features for implementing OIDC authentication flows. This library is particularly useful for backend developers who need to integrate OIDC into their server-side applications. While it is not specifically tailored for frontend applications, it offers a robust solution for server-side authentication and can be used in conjunction with frontend libraries for a complete authentication solution.

  • react-oidc-context is a React-specific library that simplifies the integration of OIDC authentication in React applications. It provides a context-based API that makes it easy to manage user authentication state and access tokens within React components. If you are building a React application and want a straightforward way to implement OIDC authentication, react-oidc-context is an excellent choice, as it leverages React's context API for seamless integration.

To explore how these libraries compare, check out the comparison: Comparing oidc-client vs oidc-client-ts vs openid-client vs react-oidc-context.

Similar Npm Packages to react-oidc-context

react-oidc-context is a library designed to simplify the integration of OpenID Connect (OIDC) authentication in React applications. It provides a context-based approach to manage authentication state and user information, making it easier for developers to implement secure login flows and manage user sessions. With react-oidc-context, you can easily handle user authentication, token management, and session renewal, ensuring a smooth user experience while maintaining security.

One notable alternative to react-oidc-context is oidc-client. This library is a JavaScript implementation of the OpenID Connect and OAuth 2.0 protocols, designed to work in both browser and Node.js environments. While oidc-client provides a more general-purpose solution for handling OIDC authentication, it does not specifically cater to React applications. Developers using oidc-client may need to implement their own context or state management solutions to integrate it effectively within a React app.

When choosing between these two libraries, consider your specific needs. If you are building a React application and want a streamlined way to manage OIDC authentication with minimal setup, react-oidc-context is likely the better choice. On the other hand, if you need a more flexible solution that can be used across different environments or frameworks, oidc-client may be more suitable.

For a detailed comparison, check out the following link: Comparing oidc-client vs react-oidc-context.

Similar Npm Packages to oidc-client

oidc-client is a JavaScript library designed for handling OpenID Connect (OIDC) authentication in web applications. It provides a simple way to manage user authentication, including token management, user sessions, and interaction with OIDC providers. While oidc-client is a robust solution for OIDC authentication, there are several alternatives in the ecosystem that cater to similar needs. Here are a few noteworthy alternatives:

  • oidc-client-ts is a TypeScript version of the original oidc-client library. It retains the same core functionality while providing type safety and improved developer experience for TypeScript users. If you're building a TypeScript application and want to leverage the benefits of strong typing while managing OIDC authentication, oidc-client-ts is an excellent choice.

  • oidc-provider is a library for implementing an OpenID Connect provider. Unlike the other libraries mentioned, which focus on client-side authentication, oidc-provider is designed for server-side applications. It allows developers to create their own OIDC-compliant identity provider, enabling them to manage user authentication and authorization flows. If you're looking to build a custom OIDC provider for your applications, oidc-provider is the go-to solution.

  • openid-client is another library that provides a client implementation for OpenID Connect. It is designed to work with any OpenID Connect provider and offers a comprehensive set of features for handling authentication and token management. openid-client is particularly useful for server-side applications that need to interact with OIDC providers. If you require flexibility in choosing your OIDC provider and need a robust client implementation, openid-client is a strong candidate.

  • react-oidc-context is a React-specific library that simplifies the integration of OIDC authentication in React applications. It provides a context-based approach to managing authentication state and user sessions, making it easy to access authentication information throughout your React components. If you are building a React application and want a seamless way to manage OIDC authentication, react-oidc-context is a great option.

To see how these packages compare, check out the comparison: Comparing oidc-client vs oidc-client-ts vs oidc-provider vs openid-client vs react-oidc-context.

README for openid-client

openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes

openid-client simplifies integration with authorization servers by providing easy-to-use APIs for the most common authentication and authorization flows, including OAuth 2 and OpenID Connect. It is designed for JavaScript runtimes like Node.js, Browsers, Deno, Cloudflare Workers, and more.

Features

The following features are currently in scope and implemented in this software:

  • Authorization Server Metadata discovery
  • Authorization Code Flow (profiled under OpenID Connect 1.0, OAuth 2.0, OAuth 2.1, FAPI 1.0 Advanced, and FAPI 2.0)
  • Refresh Token, Device Authorization, Client-Initiated Backchannel Authentication (CIBA), and Client Credentials Grants
  • Demonstrating Proof-of-Possession at the Application Layer (DPoP)
  • Token Introspection and Revocation
  • Pushed Authorization Requests (PAR)
  • UserInfo and Protected Resource Requests
  • Authorization Server Issuer Identification
  • JWT Secured Introspection, Response Mode (JARM), Authorization Request (JAR), and UserInfo
  • Dynamic Client Registration (DCR)
  • Passport Strategy

Sponsor

Auth0 by Okta

If you want to quickly add authentication to JavaScript apps, feel free to check out Auth0's JavaScript SDK and free plan. Create an Auth0 account; it's free!

Certification

OpenID Certification

Filip Skokan has certified that this software conforms to the Basic, FAPI 1.0, and FAPI 2.0 Relying Party Conformance Profiles of the OpenID Connect™ protocol.

💗 Help the project

Support from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by becoming a sponsor.

API Reference Documentation

openid-client is distributed via npmjs.com, jsr.io, and github.com.

Examples

example ESM import[^cjs]

import * as client from 'openid-client'
  • Authorization Code Flow (OAuth 2.0) - source
  • Authorization Code Flow (OpenID Connect) - source | diff
  • Extensions
  • Passport Strategy - source

Quick start

let server!: URL // Authorization Server's Issuer Identifier
let clientId!: string // Client identifier at the Authorization Server
let clientSecret!: string // Client Secret

let config: client.Configuration = await client.discovery(
  server,
  clientId,
  clientSecret,
)

Authorization Code Flow

Authorization Code flow is for obtaining Access Tokens (and optionally Refresh Tokens) to use with third party APIs.

When you want to have your end-users authorize or authenticate you need to send them to the authorization server's authorization_endpoint. Consult the web framework of your choice on how to redirect but here's how to get the authorization endpoint's URL with parameters already encoded in the query to redirect to.

/**
 * Value used in the authorization request as the redirect_uri parameter, this
 * is typically pre-registered at the Authorization Server.
 */
let redirect_uri!: string
let scope!: string // Scope of the access request
/**
 * PKCE: The following MUST be generated for every redirect to the
 * authorization_endpoint. You must store the code_verifier and state in the
 * end-user session such that it can be recovered as the user gets redirected
 * from the authorization server back to your application.
 */
let code_verifier: string = client.randomPKCECodeVerifier()
let code_challenge: string =
  await client.calculatePKCECodeChallenge(code_verifier)
let state!: string

let parameters: Record<string, string> = {
  redirect_uri,
  scope,
  code_challenge,
  code_challenge_method: 'S256',
}

if (!config.serverMetadata().supportsPKCE()) {
  /**
   * We cannot be sure the server supports PKCE so we're going to use state too.
   * Use of PKCE is backwards compatible even if the AS doesn't support it which
   * is why we're using it regardless. Like PKCE, random state must be generated
   * for every redirect to the authorization_endpoint.
   */
  state = client.randomState()
  parameters.state = state
}

let redirectTo: URL = client.buildAuthorizationUrl(config, parameters)

// now redirect the user to redirectTo.href
console.log('redirecting to', redirectTo.href)

When end-users are redirected back to the redirect_uri your application consumes the callback and passes in PKCE code_verifier to include it in the authorization code grant token exchange.

let getCurrentUrl!: (...args: any) => URL

let tokens: client.TokenEndpointResponse = await client.authorizationCodeGrant(
  config,
  getCurrentUrl(),
  {
    pkceCodeVerifier: code_verifier,
    expectedState: state,
  },
)

console.log('Token Endpoint Response', tokens)

You can then fetch a protected resource response

let protectedResourceResponse: Response = await client.fetchProtectedResource(
  config,
  tokens.access_token,
  new URL('https://rs.example.com/api'),
  'GET',
)

console.log(
  'Protected Resource Response',
  await protectedResourceResponse.json(),
)

Device Authorization Grant (Device Flow)

let scope!: string // Scope of the access request

let response = await client.initiateDeviceAuthorization(config, { scope })

console.log('User Code:', response.user_code)
console.log('Verification URI:', response.verification_uri)
console.log('Verification URI (complete):', response.verification_uri_complete)

You will display the instructions to the end-user and have them directed at verification_uri or verification_uri_complete, afterwards you can start polling for the Device Access Token Response.

let tokens: client.TokenEndpointResponse =
  await client.pollDeviceAuthorizationGrant(config, response)

console.log('Token Endpoint Response', tokens)

This will poll in a regular interval and only resolve with tokens once the end-user authenticates.

Client-Initiated Backchannel Authentication (CIBA)

let scope!: string // Scope of the access request
/**
 * One of login_hint, id_token_hint, or login_hint_token parameters must be
 * provided in CIBA
 */
let login_hint!: string

let response = await client.initiateBackchannelAuthentication(config, {
  scope,
  login_hint,
})

/**
 * OPTIONAL: If your client is configured with Ping Mode you'd invoke the
 * following after getting the CIBA Ping Callback (its implementation is
 * framework specific and therefore out of scope for openid-client)
 */

let tokens: client.TokenEndpointResponse =
  await client.pollBackchannelAuthenticationGrant(config, response)

console.log('Token Endpoint Response', tokens)

This will poll in a regular interval and only resolve with tokens once the end-user authenticates.

Client Credentials Grant

Client Credentials flow is for obtaining Access Tokens to use with third party APIs on behalf of your application, rather than an end-user which was the case in previous examples.

let scope!: string // Scope of the access request
let resource!: string // Resource Indicator of the Resource Server the access token is for

let tokens: client.TokenEndpointResponse = await lib.clientCredentialsGrant(
  config,
  { scope, resource },
)

console.log('Token Endpoint Response', tokens)

Supported Runtimes

The supported JavaScript runtimes include those that support the utilized Web API globals and standard built-in objects. These are (but are not limited to):

  • Browsers
  • Bun
  • Cloudflare Workers
  • Deno
  • Electron
  • Node.js[^nodejs]
  • Vercel's Edge Runtime

Supported Versions

| Version | Security Fixes 🔑 | Other Bug Fixes 🐞 | New Features ⭐ | Runtime and Module type | | -------------------------------------------------------- | ----------------- | ------------------ | --------------- | ------------------------------- | | v6.x | Security Policy | ✅ | ✅ | Universal[^universal] ESM[^cjs] | | v5.x | Security Policy | ❌ | ❌ | Node.js CJS + ESM |

[^nodejs]: Node.js v20.x as baseline is required

[^universal]: Assumes runtime support of WebCryptoAPI and Fetch API

[^cjs]: CJS style let client = require('openid-client') is possible in Node.js versions where the require(esm) feature is enabled by default (^20.19.0 || ^22.12.0 || >= 23.0.0).

npm-compare.com is an independent website designed to help developers choose the most suitable npm packages. We are not affiliated with npm, Inc or npmjs.com, the official website for the npm registry. Please note that npm is a registered trademark of npm, Inc. For more details, please refer to our Terms & Privacy.