okta-oidc-js | contains Okta 's OpenID Connect JavaScript resources | Authentication library

 by   okta TypeScript Version: @okta/oidc-middleware@4.2.0 License: Non-SPDX

kandi X-RAY | okta-oidc-js Summary

kandi X-RAY | okta-oidc-js Summary

okta-oidc-js is a TypeScript library typically used in Security, Authentication, Angular, Nodejs applications. okta-oidc-js has no bugs, it has no vulnerabilities and it has low support. However okta-oidc-js has a Non-SPDX License. You can download it from GitHub.

This is a monorepo that contains Okta's OpenID Connect JavaScript resources.

            kandi-support Support

              okta-oidc-js has a low active ecosystem.
              It has 383 star(s) with 240 fork(s). There are 51 watchers for this library.
              It had no major release in the last 12 months.
              There are 107 open issues and 313 have been closed. On average issues are closed in 387 days. There are 85 open pull requests and 0 closed requests.
              It has a neutral sentiment in the developer community.
              The latest version of okta-oidc-js is @okta/oidc-middleware@4.2.0

            kandi-Quality Quality

              okta-oidc-js has no bugs reported.

            kandi-Security Security

              okta-oidc-js has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.

            kandi-License License

              okta-oidc-js has a Non-SPDX License.
              Non-SPDX licenses can be open source with a non SPDX compliant license, or non open source licenses, and you need to review them closely before use.

            kandi-Reuse Reuse

              okta-oidc-js releases are available to install and integrate.
              Installation instructions, examples and code snippets are available.

            Top functions reviewed by kandi - BETA

            kandi's functional review helps you automatically verify the functionalities of the libraries and avoid rework.
            Currently covering the most popular Java, JavaScript and Python libraries. See a Sample of okta-oidc-js
            Get all kandi verified functions for this library.

            okta-oidc-js Key Features

            No Key Features are available at this moment for okta-oidc-js.

            okta-oidc-js Examples and Code Snippets

            No Code Snippets are available at this moment for okta-oidc-js.

            Community Discussions


            Best practice on Securing code_verifier in PKCE-enhanced Authorization Code Flow
            Asked 2021-May-13 at 21:03

            Since PKCE is now the recommended method of authorisation over the implicit flow, i'm looking for best practice on handling code verifier and recommendations on how this might be done. On high level PKCE Authorisation flow consist of:

            1. Generate code_verifier on client side
            2. Generate code_challenge from (1)
            3. hit /authorise with code_challenge which redirect to select idp and in callback there's a code
            4. use code from (3) along with code_verifier to exchange for access token

            Question is, in step 3, before the application redirect to authorisation server and then the idp, one has to store the code_verifier somewhere. Where is that somewhere?

            Seems like libraries like okta-oidc-js store the code_verifier in sessionStorage. Doesn't that expose you to XSS attack? i.e. if i was store the code_verifier in sessionStorage before the application goes into the Authorisation flow and redirects, on the callback, what stops some rouge extension from reading the code from the url and code_verifier from sessionStorage? Combination of which can be used to exchange for a access token.



            Answered 2021-May-13 at 21:03

            What you describe is the standard SPA way of doing things - it could potentially be abused by malicious code, but there is some protection in the fact that an authorization code can only be used once and that the verifier is not stored for long.

            A related XSS attack is to run a complete OAuth authorization redirect + code exchange on a hidden iframe - there is no protection against that, regardless of whether a back end or client secret is involved.

            If you want to be strict about security, the emerging trend is more of a back end for front end approach, where the back end is a 'Proxy API' running at https://api.mywebdomain.com

            • The result of OAuth authorization is a same site cookie issued by the API, to prevent the above iframe attack

            • The SPA can then either use the auth cookie to get an access token or double hop API requests via the proxy API.

            There is a good recent video on SPA security here that discusses these threats in further depth. The browser is a difficult place to implement security and redirects come with risks.

            It is still recommended to separate Web and API concerns however - eg the above proxy API should not get in the way of a company wanting to deploy their SPA via a content delivery network.

            LOGIN DANCE

            In my opinion the preferred approach is summarized below, for full control and no issues with recent browser changes:

            • SPA calls a URL such as https://api.mywebdomain.com/login/start, which writes an HTTP only encrypted cookie for .mywebdomain.com containing the state and code_verifier, and also returns the authorization request URL

            • SPA then does the redirect itself, and saves page location / state to session storage beforehand if needed

            • SPA then receives the response URL with code and state, then POSTs them to a URL such as https://api.mywebdomain.com/login/end. Afterwards the SPA can restore its page location and state, so that usability is good.

            • API completes the login by verifying the state against that in the state cookie, then using the code_verifier from the state cookie. The result of all of this is to write an auth cookie (containing a refresh token) that could not be abused on an iframe.

            Source https://stackoverflow.com/questions/67517436


            Getting 404 error when callback after authentication(Spring Boot + Angular + Okta)
            Asked 2020-Jun-17 at 18:24

            Hi I am now using Angular + Spring Boot to build a website, in my website, I am using Okta Single-Page App to do authentication. For the frontend, I am using okta-angular, and follow the instructions here: https://github.com/okta/okta-oidc-js/tree/master/packages/okta-angular. I am using implicit flow. In order to keep simple, I used okta hosted sign-in widget.

            My frontend code like this:




            Answered 2020-Jun-17 at 17:00

            You're in luck! I just published a blog post today that shows how to take an Angular + Spring Boot app that runs separately (with Okta's SDKs) and package them in a single JAR. You can still develop each app independently using ng serve and ./gradlew bootRun, but you can also run them in a single instance using ./gradlew bootRun -Pprod. The disadvantage to running in prod mode is you won't get hot-reload in Angular. Here are the steps I used in the aforementioned tutorial.

            Create a new AuthService service that will communicate with your Spring Boot API for authentication logic.

            Source https://stackoverflow.com/questions/62422236


            Typescript - Type definition for a higher order function
            Asked 2020-Feb-13 at 12:21

            I'm using the Okta react library - https://github.com/okta/okta-oidc-js/tree/master/packages/okta-react however it doesn't come with type definitions.

            I've created a .d.ts defintion file that has declare module "@okta/okta-react" however this library has a higher order component used like: import { withAuth } from '@okta/okta-react'; (https://github.com/okta/okta-oidc-js/tree/master/packages/okta-react#withauth)

            How do I write this in my definitions file?

            Is this valid?



            Answered 2020-Feb-13 at 12:21

            You need to make withAuth a generic function that takes a component type and returns that component type but with the props modified to remove auth:

            Source https://stackoverflow.com/questions/60204641

            Community Discussions, Code Snippets contain sources that include Stack Exchange Network


            No vulnerabilities reported

            Install okta-oidc-js

            We use Yarn as our node package manager during package development. To install Yarn, check out their install documentation.


            We're happy to accept contributions and PRs! Please see the contribution guide to understand how to structure a contribution.
            Find more information at:

            Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items

            Find more libraries

            Stay Updated

            Subscribe to our newsletter for trending solutions and developer bootcamps

            Agree to Sign up and Terms & Conditions

            Share this Page

            share link