Fixing Crypto.subtle is available only in secure contexts (HTTPS)
oidc-spa internally relies on the Crypto.subtle browser API for cryptographic operations.
This API is only available when your app is served over HTTPS or from localhost.
However, in certain intranet environments, for example, when using a local DNS entry or static IP, setting up HTTPS might not be feasible.
In those cases, you can work around the issue by installing a polyfill such as webcrypto-liner.
1. Install the polyfill
npm install --save webcrypto-liner
2. Add required scripts to your HTML head
Edit your public.html (or the file that defines your HTML head, e.g. in TanStack Start or React Router framework mode) and add the following scripts:
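<head>
<!-- Third-party CDN scripts; the elliptic URL tracks master, not a fixed release. -->
<!-- On an intranet, prefer self-hosted, version-pinned copies of these files. -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/babel-polyfill/7.7.0/polyfill.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/asmCrypto/2.3.2/asmcrypto.all.es5.min.js"></script>
<script src="https://cdn.rawgit.com/indutny/elliptic/master/dist/elliptic.min.js"></script>
</head>
3. Import the shim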
import "webcrypto-liner/build/webcrypto-liner.shim";
// ...
✅ Summary:
If you see the error Crypto.subtle is available only in secure contexts (HTTPS) in a non-HTTPS environment, install webcrypto-liner. This allows oidc-spa to work even on local or intranet setups without HTTPS.
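Step 3 imports the shim unconditionally. The following added example (not part of the oidc-spa documentation; `needsSubtlePolyfill` and `ensureSubtleCrypto` are hypothetical names) loads it only when `crypto.subtle` is missing, so HTTPS and localhost deployments keep the browser's native implementation, and it logs a warning whenever the fallback is active. It assumes the shim installs `crypto.subtle` as a side effect of being imported.

```javascript
// Added example, not from the oidc-spa docs. Helper names are hypothetical.

// True when the browser exposes no SubtleCrypto (plain-HTTP, non-localhost origin).
function needsSubtlePolyfill(g = globalThis) {
  return !(g.crypto && g.crypto.subtle);
}

// Call and await this before initialising oidc-spa.
// `importer` is injectable so the logic can be exercised outside a browser.
async function ensureSubtleCrypto(
  g = globalThis,
  importer = () => import("webcrypto-liner/build/webcrypto-liner.shim")
) {
  if (!needsSubtlePolyfill(g)) {
    // HTTPS or localhost: native WebCrypto is present, nothing to load.
    return { source: "native", secureContext: g.isSecureContext === true };
  }

  // Assumption: importing the shim installs crypto.subtle as a side effect.
  await importer();

  if (needsSubtlePolyfill(g)) {
    // Fail closed instead of letting oidc-spa hit the original error later.
    throw new Error("webcrypto-liner shim did not provide crypto.subtle");
  }

  // Make the fallback visible so it is noticed if it ever ships to an
  // environment that was meant to run over HTTPS.
  g.console?.warn?.(
    "crypto.subtle polyfilled by webcrypto-liner: page is not in a secure context"
  );
  return { source: "polyfill", secureContext: false };
}
```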