GitHubHome

Why oidcEarlyInit

The standard OIDC flow with PKCE is sometimes perceived as less secure than the traditional "backend for frontend" (BFF) flow, where token exchanges happen on the backend and frontend code never has direct access to tokens.

This perception stems mainly from the nature of JavaScript projects, especially SPAs, which often bundle tens of thousands of npm packages from many different authors. If even one of those libraries is compromised, it could potentially steal user tokens unless specific countermeasures are in place. There's also the risk of cross-site scripting (XSS) attacks which, if successful, could lead to the same outcome.

The early init setup recommended in oidc-spa is designed to mitigate these risks. By letting a minimal piece of oidc-spa run before any other JavaScript code, the library ensures that:

  • The response from the authorization server is removed from the URL and stored in memory (scoped variable), so even if malicious code runs later, it can’t access the tokens.

  • Critical browser APIs, like window.fetch, are frozen to prevent malicious code from intercepting or tampering with authenticated requests.

An added (though minor) benefit of the early init + lazy loading setup is improved performance during silent SSO operations in iframes. In the iframe, only a minimal part of the app is evaluated—just the part that needs to forward the auth response to the parent window. Since JS files in SPAs are typically hashed and cached, the benefit isn't about download time but about reducing JavaScript evaluation time. That said, the gain is usually marginal—just a few extra milliseconds in most cases.

Is early init mandatory?

No. If not explicitly called, it will be invoked automatically as soon as oidc-spa is evaluated, which, in most setups, happens early enough.

Can it be skipped?

Yes, if:

  • The application is free of XSS vulnerabilities.

  • The dependencies can be fully trusted.

  • Performance at initialization time is not critical.

In such cases, skipping the setup is reasonable.

Important caveat for React Router (framework mode)

If using React Router in framework mode, then the early init setup must be used. React Router performs early redirects that can interfere with oidc-spa's initialization under certain circumstances. To avoid issues, oidc-spa must run first.

If the project is using Vite or Create React App without a higher-level framework, this caveat does not apply.

PreviousSponsors

Last updated

Was this helpful?