1 of 21

v4

Documentation

Installation

Before starting be aware that oidc-spa does not yet support Next.js projects.

If you are using Next the closer alternative is to use NextAuth.js (with the Keycloak adapter if you are using Keycloak). You can refer to the phase two guide.

If you're having issues don't hesitate to reach out on Discord!

Let's install oidc-spa in your project:

Create the following file in your public directory:

Doing without the silent-sso.html file

If for some reasons it's not fesable or practical for you to rely on the silent-sso.html file it's ok, it will work without it.

Just make sure to

Set publicUrl to

Basic Usage

Let's get your App authenticated!

In this guide, we assume that you have an OIDC-enabled authentication server in place, such as Keycloak.

If you have not yet set up such a server, please refer to .

This piece of code should give you the necessary information to understand how oidc-spa can be used inside your react components. To go further you can refer to the examples setup to see how to integrate oidc-spa with your routing library:

Web API

The primary usecase for a library like oidc-spa is to use it to authenticate a REST, tRPC, or Websocket API.

Let's see a very basic REST API example:

Initialize oidc-spa and expose the oidc instance as a promise:

src/oidc.ts

import { createOidc } from

Create a REST API Client that adds the OIDC Access Token as Autorization header to every HTTP request:

src/api.ts

import axios from "axios"

Initialize the React adapter of oidc-spa and expose the prOidc object, a promise of the vanilla OIDC API:

Create a REST API Client that adds the OIDC Access Token as Autorization header to every HTTP request:

Using your REST API client in your REACT components:

This example is purposefully very basic to minimize noise but in your App you should consider using (if you have JS backend) and .

Backend

If you're implementing a JavaScript Backend (Node/Deno/webworker) oidc-spa also exposes an utility to help you validate and decode the access token that your client sends in the authorization header. Granted, this is fully optional feel free to use anything else. Let's assume we have a Node.js REST API build with Express or Hono. You can create an oidc file as such:

Then you can enforce that some endpoints of your API requires the user to be authenticated, in this example we use Hono:

Comprehensive example

If you're looking for a comprehensive Backend+Frontend example you can refer to Insee's project

The app is live here:

The frontend (Vite project):

The backend (Node TODO App REST API):

Auto Logout

Automatically logging out your user after a set period of inactivity on your app (they dont move the mouse or press any key on the keyboard for a while)

Configuring auto logout policy

This is a policy that is enforced on the identity server.

The auto logout is defined by the lifespan of the refresh token.

For example, if you're using Keycloak and you want an auto disconnect after 10 minutes of inactivity you would set the SSO Session Idle to 10 minutes. See Keycloak configuration guide.

If you can't configure your identity provider you can still enforce auto logout like so:

Note that this parameter is marked as unsafe because what happens if the user closes the tab? He will be able to return a while back and still be logged in. oidc-spa can't enforce a security policy when it's not running. Only the identity server can.

Displaying a coutdown timer before auto logout

Error Management

What happens if the OIDC server is down, or if the server indicates that your client configuration is not valid?

By default, if you don't have isAuthRequiredOnEveryPages set to true, when there is an error with the OIDC initialization your website will load with the user unauthenticated.

This allows the user to access parts of the application that do not require authentication. When the user clicks on the login button (triggering the login() function), a browser alert is displayed, indicating that authentication is currently unavailable, and no further action is taken.

Mock

For certain use cases, you may want a mock adapter to simulate user authentication without involving an actual authentication server.

This approach is useful when building an app where user authentication is a feature but not a requirement. It also proves beneficial for running tests or in Storybook environments.

Tokens Renewal

You probably don't need to do it. The token refresh is handled automatically for you, however you can manually trigger a token refresh:

You can also track when the token are being refreshed:

Or directly in your component:

Globally Enforce Authentication

If there is no part of your app that can be accessed without being logged it you can make oidc-spa automatically redirect your users to the login pages when they are not authenticated.

Note that in this mode you don't have to check isUserLoggedIn (you know it's true), or useOidc({ assertUserLoggedIn: true })(you know that's the case).

User Account Management

In this section we assume the reader is using Keycloak. If you are using another kind of authentication server you'll have to addapt the queryParameter provided.

When your user is logged in, you can provide a link to redirect to Keycloak so they can manage their account.

There is thee main actions:

Doing Something Only When a New Session is Created

In some cases, you might want to perform some operation to initialize the user's session. This could involve calling a special API endpoint or clearing some cached values in the local storage. What you don't want, however, is to run this every time the user refreshes the page or when their session is restored. To help you determine if the session should be initialized, you can leverage the authMethod property that is available when the user is logged in.

There are three possible values for the authMethod property:

"back from auth server": The user was redirected to the authentication server's login/registration page and then redirected back to the application. Assuming you are using Keycloak and if you have configured your Keycloak server as suggested in , this happens approximately once every 14 days, assuming the user is using the same browser and has not explicitly logged out. Of course, the 14-day session is just a good default if you don't want your user to go through the login process every day, but this is for you to decide. If you implement an

Example setups

TanStack Router

Vite + TypeScript + React + Tanstack Router

The example setup is live here: https://example-tanstack-router.oidc-spa.dev/

Run it locally with:

git clone https://github.com/keycloakify/oidc-spa
mv oidc-spa/examples/tanstack-router-file-based oidc-spa-tanstack-router
rm -rf oidc-spa
cd oidc-spa-tanstack-router
yarn
yarn dev

React Router

The example setup is live here: https://example-react-router.oidc-spa.dev/

Run it locally with:

git clone https://github.com/keycloakify/oidc-spa
mv oidc-spa/examples/react-router oidc-spa-react-router
rm -rf oidc-spa
cd oidc-spa-react-router
yarn
yarn dev

Resources

Keycloak Configuration Guide

Let's spin up a Keycloak server and configure it for your webapp!

Provisioning a Keycloak server

If you already have access to a Keycloak server you can skip this section.

Follow one of the following guides:

Don't want to deploy and maintain a own Keycloak server yourself?

Choosing Keycloak as a Service through a cloud IAM provider can offload the complexities of management and maintenance. It ensures that your system is always up-to-date with the latest security patches and features without the direct overhead of server upkeep. This is especially beneficial for teams prioritizing development and innovation over infrastructure management, offering robust support and service level agreements to guarantee smooth operation.

Configuring your Keycloak server

Let's configure your Keycloak server with good default for an SPA.

Connect to the admin panel of your Keycloak server (we assumes it's https://auth.my-domain.net/auth)

Create a realm called "myrealm" (or something else), go to Realm settings
1. On the tab General
  1. User Profile Enabled: On

Now the parameter that you will have to provide to oidc-spa are:

Replace your-domain.net, myrealm and myclient by what you actually used in the configuration process. (On older Keycloak the issuerUri will be "https://auth.your-domain.net/auth/realms/myrealm")

Accessing Keycloak Groups

End of third-party cookies

TL;DR; It's mostly inconsequential.

Google is ending third-party cookies for all Chrome users in 2024 and are already disabled by default in Safari.

Let's see how it might affect you.

First of all, if your identity server and your app shares the same root domain you are not affected.

Example, if you are in the case:

JWT Of the Access Token

And why it's not supposed to be read on the client side.

You might be surprised or even frustrated by the fact that oidc-spa only provides the decoded id token but not the decoded access token.

Infact the access token is supposed to be opaque for the client application is to be used only as an authentication key such as a Bearer token for an API.

As per the OIDC standard the access token is not even required to be a JWT!

But worry not, everything that you need is probably in the id token, if there is something missing in your id token that is present in your access token there is an explicit policy on your identity server in place that strips this information out. Zod is stripping out all the claims that are not specified in the schema. This might have led you to believe that there is less information in the id token than what actually is.

If, however, you still want to access the informations in the access token you can do it with:

import { decodeJwt } from "oidc-spa/tools/decodeJwt";

const decodedAccessToken = decodeJwt(oidc.getTokens().accessToken);

Discord Server

Feeling a bit lost? Have a question? A feature request? Reach out on Discrord!

Sponsors

Friend of the project

import { createOidc } from "oidc-spa"; const oidc = await createOidc({ issuerUri: "https://auth.your-domain.net/realms/myrealm", clientId: "myclient", /** * Vite: `publicUrl: import.meta.env.BASE_URL` * CRA: `publicUrl: process.env.PUBLIC_URL` * Other: `publicUrl: "/"` (Usually) */ publicUrl: import.meta.env.BASE_URL }); if (!oidc.isUserLoggedIn) { // The user is not logged in. // We can call login() to redirect the user to the login/register page. // This return a promise that never resolve. oidc.login({ /** * If you are calling login() in the callback of a click event * set this to false. */ doesCurrentHrefRequiresAuth: false /** * Optionally, you can add some extra parameter * to be added on the login url. * (Can also be a parameter of createOidc `extraQueryParams: ()=> ({ ui_locales: "fr" })`) */ //extraQueryParams: { kc_idp_hint: "google", ui_locales: "fr" } /** * You can allso set where to redirect the user after * successful login */ // redirectUrl: "/dashboard" /** * Keycloak: You can also send the users directly to the register page * see: https://github.com/keycloakify/oidc-spa/blob/14a3777601c50fa69d1221495d77668e97443119/examples/tanstack-router-file-based/src/components/Header.tsx#L54-L66 */ }); } else { // The user is logged in. const { // The accessToken is what you'll use as a Bearer token to // authenticate to your APIs accessToken, decodedIdToken } = oidc.getTokens(); fetch("https://api.your-domain.net/orders", { headers: { Authorization: `Bearer ${accessToken}` } }) .then(response => response.json()) .then(orders => console.log(orders)); // To call when the user click on logout. // You can also redirect to a custom url with // { redirectTo: "specific url", url: "/bye" } oidc.logout({ redirectTo: "home" }); // If you are wondering why ther's a decodedIdToken and no // decodedAccessToken read this: https://docs.oidc-spa.dev/resources/jwt-of-the-access-token console.log(`Hello ${decodedIdToken.preferred_username}`); // Note that in this example the decodedIdToken is not typed. // What is inside the idToken is defined by the OIDC server you are using. // If you want to specify the type of the decodedIdToken you can do: // // import { z } from "zod"; // export const { useOidc } = createUseOidc({ // ... // decodedIdTokenSchema: z.object({ // sub: z.string(), // preferred_username: z.string(), // // ... other properties // }) // }) }

import { createReactOidc } from "oidc-spa/react"; export const { OidcProvider, useOidc, getOidc } = createReactOidc({ // NOTE: If you don't have the params right away see note below. issuerUri: "https://auth.your-domain.net/realms/myrealm", clientId: "myclient", /** * Vite: `publicUrl: import.meta.env.BASE_URL` * CRA: `publicUrl: process.env.PUBLIC_URL` * Other: `publicUrl: "/"` (Usually) */ publicUrl: import.meta.env.BASE_URL }); ReactDOM.createRoot(document.getElementById("root")!).render( <OidcProvider // Optional, it's usually so fast that a fallback is really not required. fallback={<>Checking authentication ⌛️</>} > <App /> </OidcProvider> ); function App() { const { isUserLoggedIn, login, logout, oidcTokens } = useOidc(); return ( isUserLoggedIn ? ( <> {/* Note: The decodedIdToken can be typed and validated with zod See: https://github.com/keycloakify/oidc-spa/blob/fddac99d2b49669a376f9a0b998a8954174d195e/examples/tanstack-router/src/oidc.tsx#L17-L43 If you are wondering why ther's a decodedIdToken and no decodedAccessToken read this: https://docs.oidc-spa.dev/resources/jwt-of-the-access-token */} <span>Hello {oidcTokens.decodedIdToken.preferred_username}</span> <button onClick={() => logout({ redirectTo: "home" })}> Logout </button> </> ) : ( <button onClick={() => login({ /** * If you are calling login() in the callback of a button click * (like here) set this to false. */ doesCurrentHrefRequiresAuth: false /** * Optionally, you can add some extra parameter * to be added on the login url. * (Can also be a parameter of createReactOidc `extraQueryParams: ()=> ({ ui_locales: "fr" })`) */ //extraQueryParams: { kc_idp_hint: "google", ui_locales: "fr" } /** * You can allso set where to redirect the user after * successful login */ // redirectUrl: "/dashboard" /** * Keycloak: You can also send the user direcly to the register page * See: https://github.com/keycloakify/oidc-spa/blob/14a3777601c50fa69d1221495d77668e97443119/examples/tanstack-router-file-based/src/components/Header.tsx#L54-L66 */ })} > Login </button> ) ); } import { useEffect, useState } from "react"; type Order = { id: number; name: string; }; function OrderHistory(){ const { oidcTokens } = useOidc({ assertUserLoggedIn: true }); const [orders, setOrders] = useState<Order[] | undefined>(undefined); useEffect( ()=> { fetch("https://api.your-domain.net/orders", { headers: { Authorization: `Bearer ${oidcTokens.accessToken}` } }) .then(response => response.json()) .then(orders => setOrders(orders)); }, [] ); if(orders === undefined){ return <>Loading orders ⌛️</> } return ( <ul> {orders.map(order => ( <li key={order.id}>{order.name}</li> ))} </ul> ); }

v4

Documentation

Installation

Basic Usage

Web API

hashtagBackend

hashtagComprehensive example

Auto Logout

hashtagConfiguring auto logout policy

hashtagDisplaying a coutdown timer before auto logout

Error Management

Mock

Tokens Renewal

Globally Enforce Authentication

User Account Management

Doing Something Only When a New Session is Created

Example setups

TanStack Router

React Router

Resources

Keycloak Configuration Guide

hashtagProvisioning a Keycloak server

hashtagConfiguring your Keycloak server

Accessing Keycloak Groups

End of third-party cookies

JWT Of the Access Token

Discord Server

Sponsors

Installation

Web API

hashtagBackend

hashtagComprehensive example

Basic Usage

React Router

Discord Server

JWT Of the Access Token

Accessing Keycloak Groups

TanStack Router

Sponsors

Doing Something Only When a New Session is Created

Tokens Renewal

Globally Enforce Authentication

End of third-party cookies

Mock

hashtagGoogle reCaptcha

Auto Logout

hashtagConfiguring auto logout policy

hashtagDisplaying a coutdown timer before auto logout

Error Management

User Account Management

Keycloak Configuration Guide

hashtagProvisioning a Keycloak server

hashtagConfiguring your Keycloak server

Backend

Comprehensive example

Configuring auto logout policy

Displaying a coutdown timer before auto logout

Provisioning a Keycloak server

Configuring your Keycloak server

Backend

Comprehensive example

Google reCaptcha

Configuring auto logout policy

Displaying a coutdown timer before auto logout

Provisioning a Keycloak server

Configuring your Keycloak server