oidc-client vs oidc-client-ts vs openid-client vs react-oidc-context
Implementing OpenID Connect Authentication in JavaScript Applications
Search packages..
oidc-clientoidc-client-tsopenid-clientreact-oidc-contextSimilar Packages:

Implementing OpenID Connect Authentication in JavaScript Applications

oidc-client is the legacy JavaScript library for browser-based OIDC authentication, now deprecated in favor of oidc-client-ts. oidc-client-ts is the modern TypeScript rewrite that serves as the core standard for Single Page Applications (SPAs). openid-client is a specialized library designed for Node.js backends and confidential clients, not browsers. react-oidc-context is a React-specific wrapper that simplifies integrating oidc-client-ts using hooks and context providers.

Npm Package Weekly Downloads Trend

3 Years

Github Stars Ranking

Stat Detail

Package
Downloads
Stars
Size
Issues
Publish
License
oidc-client02,431-1165 years agoApache-2.0
oidc-client-ts01,9051.73 MB1512 months agoApache-2.0
openid-client02,337221 kB013 days agoMIT
react-oidc-context01,019118 kB962 months agoMIT

OpenID Connect Libraries: Architecture, Security, and Framework Integration

Implementing authentication in modern web applications requires careful selection of tools that match your runtime environment and framework. The oidc-client ecosystem has evolved significantly, shifting from legacy JavaScript to modern TypeScript, while distinct libraries serve backend versus frontend needs. Let's compare how these four packages handle authentication flows, environment constraints, and framework integration.

πŸ—οΈ Core Architecture and Runtime Environment

oidc-client was the original standard for browser-based OIDC.

  • Written in vanilla JavaScript.
  • Runs exclusively in the browser (SPA).
  • Status: Deprecated and archived.
// oidc-client: Legacy setup (Do Not Use)
const userManager = new Oidc.UserManager({
  authority: "https://accounts.google.com",
  client_id: "your-client-id",
  redirect_uri: "http://localhost:3000/callback"
});

oidc-client-ts is the direct successor and rewrite.

  • Written in TypeScript for type safety.
  • Runs exclusively in the browser (SPA).
  • Status: Active maintenance and recommended standard.
// oidc-client-ts: Modern setup
import { UserManager } from "oidc-client-ts";

const userManager = new UserManager({
  authority: "https://accounts.google.com",
  client_id: "your-client-id",
  redirect_uri: "http://localhost:3000/callback"
});

openid-client targets server-side environments.

  • Designed for Node.js backends.
  • Supports confidential clients (client secrets).
  • Status: Active maintenance for backend use.
// openid-client: Backend setup
import { customFetch, Issuer } from "openid-client";

const issuer = await Issuer.discover("https://accounts.google.com");
const client = new issuer.Client({
  client_id: "your-client-id",
  client_secret: "your-client-secret" // Secure on server
});

react-oidc-context wraps the browser client for React.

  • Built on top of oidc-client-ts.
  • Provides React hooks and Context API.
  • Status: Active maintenance for React projects.
// react-oidc-context: React setup
import { AuthProvider } from "react-oidc-context";

const config = {
  authority: "https://accounts.google.com",
  client_id: "your-client-id",
  redirect_uri: "http://localhost:3000/callback"
};

// Wrap your app
<AuthProvider {...config}>...</AuthProvider>

πŸ” Security Model: Public vs Confidential Clients

Security boundaries define which library you can safely use. Browser-based apps are "public clients" and cannot store secrets. Server apps are "confidential clients" and should.

oidc-client-ts enforces public client security.

  • Uses PKCE (Proof Key for Code Exchange) by default.
  • No client secret is passed in the code.
  • Tokens stored in browser memory or storage.
// oidc-client-ts: PKCE handled automatically
await userManager.signinRedirect();
// No client_secret in config

openid-client supports confidential client flows.

  • Allows client_secret_basic or client_secret_post.
  • Suitable for backend-for-frontend (BFF) patterns.
  • Keeps tokens on the server, away from the browser.
// openid-client: Using client secret
const tokenSet = await client.callback(redirectUri, params, {
  code_verifier: "verifier",
  state: "state"
});
// Secret used internally during token exchange

react-oidc-context inherits oidc-client-ts security.

  • Same PKCE requirements.
  • Adds React-specific security like automatic session monitoring.
  • Keeps implementation consistent with the underlying library.
// react-oidc-context: Secure hook usage
const { isAuthenticated, signoutRedirect } = useAuth();
// PKCE and token handling abstracted away

oidc-client had legacy security models.

  • Lacked modern TypeScript safety checks.
  • No longer updated for new security threats.
  • Risk of vulnerabilities in token handling.
// oidc-client: Legacy security (Risky)
// No type safety to prevent misconfiguration
userManager.signinRedirect();

πŸ”„ Handling Authentication State and Tokens

Managing the user session lifecycle is a core task. Each library exposes this differently.

oidc-client-ts gives manual control over the user manager.

  • You explicitly call methods to get the user.
  • You must wire up event listeners for token expiration.
  • Best for non-framework or custom framework setups.
// oidc-client-ts: Manual user retrieval
const user = await userManager.getUser();
if (user?.access_token) {
  // Attach token to API calls
}

react-oidc-context automates state via hooks.

  • useAuth hook provides reactive user state.
  • Automatically triggers re-renders on login/logout.
  • Reduces boilerplate for React components.
// react-oidc-context: Reactive state
const { user, isLoading } = useAuth();

if (isLoading) return <div>Loading...</div>;
return <div>Hello {user?.profile.name}</div>;

openid-client manages sessions on the server.

  • You handle sessions via cookies or server memory.
  • No browser-based user object to manage directly.
  • Focuses on validating tokens received from the frontend.
// openid-client: Token validation
const claims = await client.userinfo(tokenSet.access_token);
// Validate claims on server side

oidc-client used older event patterns.

  • Relied on global callbacks.
  • Harder to integrate with modern component lifecycles.
  • Deprecated event handling mechanisms.
// oidc-client: Legacy events
userManager.events.addUserLoaded((user) => {
  console.log("User loaded", user);
});

🧩 Framework Integration and Boilerplate

The amount of code you write depends on how much the library abstracts for your specific framework.

react-oidc-context is purpose-built for React.

  • Minimal setup code for standard flows.
  • Integrated loading and error states.
  • Ideal for teams wanting speed in React ecosystems.
// react-oidc-context: Protected Route
function ProtectedRoute() {
  const { isAuthenticated } = useAuth();
  return isAuthenticated ? <Dashboard /> : <Login />;
}

oidc-client-ts requires manual React integration.

  • You must create your own Context or Hooks.
  • More flexible for Vue, Angular, or Svelte.
  • Better if you need full control over the lifecycle.
// oidc-client-ts: Custom React Hook
function useUserManager() {
  const [user, setUser] = useState(null);
  // Manual wiring of userManager events required
  return user;
}

openid-client integrates with Express or NestJS.

  • Used in route handlers or middleware.
  • No frontend component integration.
  • Essential for BFF (Backend for Frontend) architectures.
// openid-client: Express Middleware
app.get("/profile", async (req, res) => {
  const tokens = req.session.tokens;
  const userinfo = await client.userinfo(tokens.access_token);
  res.json(userinfo);
});

oidc-client requires legacy integration patterns.

  • Callback-based patterns instead of Promises.
  • More verbose error handling.
  • Not compatible with modern TypeScript projects.
// oidc-client: Callback pattern
userManager.signinRedirectCallback().then(function (user) {
  // Handle success
}).catch(function (err) {
  // Handle error
});

πŸ“Š Summary: Key Differences

Featureoidc-client-tsreact-oidc-contextopenid-clientoidc-client
EnvironmentBrowser (SPA)Browser (React)Node.js (Backend)Browser (Legacy)
LanguageTypeScriptTypeScriptTypeScript/JSJavaScript
Client TypePublic (PKCE)Public (PKCE)Confidential (Secret)Public (PKCE)
IntegrationManual / CustomReact HooksServer MiddlewareManual / Legacy
Statusβœ… Activeβœ… Activeβœ… Active❌ Deprecated

πŸ’‘ The Big Picture

oidc-client-ts is the foundation πŸ—οΈ for any browser-based authentication. Use it directly if you are not using React or need maximum control over the authentication lifecycle.

react-oidc-context is the accelerator πŸš€ for React teams. It removes the boilerplate of wiring up oidc-client-ts manually, letting you focus on building UI components rather than auth logic.

openid-client is the secure vault πŸ”’ for your backend. Use it when you need to keep tokens off the client entirely (BFF pattern) or when your backend needs to call other APIs on behalf of the user.

oidc-client is the legacy system πŸ•ΈοΈ. Do not start new projects with it. If you are still using it, treat migration to oidc-client-ts as a security priority.

Final Thought: Security and environment are your primary decision factors. If you are in the browser, use oidc-client-ts (or its React wrapper). If you are on the server, use openid-client. Never mix confidential client secrets into browser-based libraries.

How to Choose: oidc-client vs oidc-client-ts vs openid-client vs react-oidc-context

  • oidc-client:

    Avoid this package for any new development. It is officially deprecated and no longer receives security updates or bug fixes. If you are maintaining a legacy system using this, plan a migration to oidc-client-ts immediately to ensure security compliance.

  • oidc-client-ts:

    Choose oidc-client-ts if you are building a vanilla JavaScript or TypeScript Single Page Application (SPA) without a specific framework wrapper. It provides the core OIDC protocol implementation, token management, and silent renew features for public clients running in the browser.

  • openid-client:

    Choose openid-client if you are implementing authentication on a Node.js backend or a confidential client where you can safely store a client secret. It is not suitable for browser-based SPAs due to security risks associated with exposing secrets in client-side code.

  • react-oidc-context:

    Choose react-oidc-context if you are building a React application and want a streamlined integration. It wraps oidc-client-ts to provide easy-to-use hooks like useAuth and context providers, reducing the boilerplate required to manage user sessions and authentication state.

Similar Npm Packages to oidc-client

oidc-client is a JavaScript library designed for handling OpenID Connect (OIDC) authentication in web applications. It provides a simple way to manage user authentication, including token management, user sessions, and interaction with OIDC providers. While oidc-client is a robust solution for OIDC authentication, there are several alternatives in the ecosystem that cater to similar needs. Here are a few noteworthy alternatives:

  • oidc-client-ts is a TypeScript version of the original oidc-client library. It retains the same core functionality while providing type safety and improved developer experience for TypeScript users. If you're building a TypeScript application and want to leverage the benefits of strong typing while managing OIDC authentication, oidc-client-ts is an excellent choice.

  • oidc-provider is a library for implementing an OpenID Connect provider. Unlike the other libraries mentioned, which focus on client-side authentication, oidc-provider is designed for server-side applications. It allows developers to create their own OIDC-compliant identity provider, enabling them to manage user authentication and authorization flows. If you're looking to build a custom OIDC provider for your applications, oidc-provider is the go-to solution.

  • openid-client is another library that provides a client implementation for OpenID Connect. It is designed to work with any OpenID Connect provider and offers a comprehensive set of features for handling authentication and token management. openid-client is particularly useful for server-side applications that need to interact with OIDC providers. If you require flexibility in choosing your OIDC provider and need a robust client implementation, openid-client is a strong candidate.

  • react-oidc-context is a React-specific library that simplifies the integration of OIDC authentication in React applications. It provides a context-based approach to managing authentication state and user sessions, making it easy to access authentication information throughout your React components. If you are building a React application and want a seamless way to manage OIDC authentication, react-oidc-context is a great option.

To see how these packages compare, check out the comparison: Comparing oidc-client vs oidc-client-ts vs oidc-provider vs openid-client vs react-oidc-context.

Similar Npm Packages to oidc-client-ts

oidc-client-ts is a TypeScript library designed for handling OpenID Connect (OIDC) and OAuth 2.0 authentication in web applications. It provides a robust set of features for managing user authentication, including token management, session handling, and automatic token renewal. With its TypeScript support, oidc-client-ts ensures type safety and a better development experience for those using TypeScript in their projects. This library is particularly useful for developers looking to implement secure authentication flows in their applications while leveraging the benefits of TypeScript.

There are several alternatives to oidc-client-ts that also facilitate OIDC and OAuth 2.0 authentication:

  • oidc-client is the original JavaScript library for managing OIDC and OAuth 2.0 authentication. It provides a comprehensive solution for handling user authentication, including features like token storage, automatic token renewal, and user session management. While oidc-client is widely used and well-documented, it is primarily written in JavaScript, which may not provide the same level of type safety as TypeScript-based libraries. However, it remains a solid choice for developers who prefer a more established library with a large community and extensive support.

  • openid-client is a certified OpenID Connect client library for Node.js. It is designed for server-side applications and provides a comprehensive set of features for implementing OIDC authentication flows. This library is particularly useful for backend developers who need to integrate OIDC into their server-side applications. While it is not specifically tailored for frontend applications, it offers a robust solution for server-side authentication and can be used in conjunction with frontend libraries for a complete authentication solution.

  • react-oidc-context is a React-specific library that simplifies the integration of OIDC authentication in React applications. It provides a context-based API that makes it easy to manage user authentication state and access tokens within React components. If you are building a React application and want a straightforward way to implement OIDC authentication, react-oidc-context is an excellent choice, as it leverages React's context API for seamless integration.

To explore how these libraries compare, check out the comparison: Comparing oidc-client vs oidc-client-ts vs openid-client vs react-oidc-context.

Similar Npm Packages to openid-client

openid-client is a powerful and flexible OpenID Connect (OIDC) client library for Node.js applications. It allows developers to easily integrate OIDC authentication into their applications, enabling secure user authentication and authorization. With support for various OIDC providers, openid-client simplifies the process of managing tokens, handling redirects, and making authenticated requests to APIs. Its robust features make it a popular choice for applications that require secure user authentication and seamless integration with OIDC-compliant identity providers.

An alternative to openid-client is oidc-client. This library is specifically designed for client-side applications, such as single-page applications (SPAs), and provides a simple way to manage OIDC authentication flows. oidc-client focuses on handling user sessions, managing tokens, and facilitating interactions with OIDC providers from the browser. It is well-suited for applications that require a lightweight solution for OIDC authentication without the need for extensive server-side logic.

For a comprehensive comparison between these two libraries, check out the following link: Comparing oidc-client vs openid-client.

Similar Npm Packages to react-oidc-context

react-oidc-context is a library designed to simplify the integration of OpenID Connect (OIDC) authentication in React applications. It provides a context-based approach to manage authentication state and user information, making it easier for developers to implement secure login flows and manage user sessions. With react-oidc-context, you can easily handle user authentication, token management, and session renewal, ensuring a smooth user experience while maintaining security.

One notable alternative to react-oidc-context is oidc-client. This library is a JavaScript implementation of the OpenID Connect and OAuth 2.0 protocols, designed to work in both browser and Node.js environments. While oidc-client provides a more general-purpose solution for handling OIDC authentication, it does not specifically cater to React applications. Developers using oidc-client may need to implement their own context or state management solutions to integrate it effectively within a React app.

When choosing between these two libraries, consider your specific needs. If you are building a React application and want a streamlined way to manage OIDC authentication with minimal setup, react-oidc-context is likely the better choice. On the other hand, if you need a more flexible solution that can be used across different environments or frameworks, oidc-client may be more suitable.

For a detailed comparison, check out the following link: Comparing oidc-client vs react-oidc-context.

README for oidc-client

npm package

oidc-client

Library to provide OpenID Connect (OIDC) and OAuth2 protocol support for client-side, browser-based JavaScript client applications. Also included is support for user session and access token management.

Install

Node.js

Node.js v4.4 or later required.

NPM

npm install oidc-client --save

NOTE: if you're not already using babel-polyfill make sure you run npm install --save babel-polyfill as well. Then include it in your build.

CommonJS

If you don't use a package manager or a module loader, then you can get the library from the dist folder on github here.

Including in the browser

If you intend to use this library directly in a browser and are not using UMD/AMD then there is a compiled version in the ~/dist folder. It is already bundled/minified and contains the necessary dependencies and polyfills (mainly for ES6 features such as Promises).

If you are using UMD/AMD and/or you already have included an ES6 polyfill (such as babel-polyfill.js) then you can include the UMD packaged version of the file from the ~/lib folder.

Building the Source

git clone https://github.com/IdentityModel/oidc-client-js.git
cd oidc-client-js
npm install
npm run build

Running the Sample

npm start

and then browse to http://localhost:15000.

Running the Tests

npm test

Docs

Some initial docs are here.

Feedback, Feature requests, and Bugs

All are welcome on the issue tracker.

npm-compare.com is an independent website designed to help developers choose the most suitable npm packages. We are not affiliated with npm, Inc, the official website for the npm registry. Note that npm is a registered trademark of npm, Inc. Please share your feedback via our GitHub repository. For more details, please refer to our Terms & Privacy.