Class: OidcProvider

OidcProvider(connection, options)

The Authentication Provider for OpenID Connect.

See the openid-connect-popup.html and openid-connect-redirect.html files in the /examples/oidc folder for usage examples in the browser.

If you want to implement OIDC in a non-browser environment, you can override the OidcProvider or AuthProvider classes with custom behavior. In this case you must provide a function that creates your new class to the Connection.setOidcProviderFactory() method.

Constructor

new OidcProvider(connection, options)

Creates a new OidcProvider instance to authenticate using OpenID Connect.

Parameters:
Name Type Description
connection Connection

A Connection object representing an established connection to an openEO back-end.
options OidcProviderMeta

OpenID Connect Provider details as returned by the API.
Source:
See:

Extends

Members

authorizationParameters :object.<string, *>

Additional parameters to include in authorization requests.

As defined by the API, these parameters MUST be included when requesting the authorization endpoint.

Type:
  • object.<string, *>
Source:

clientId :string|null

The client ID to use for authentication.

Type:
  • string | null
Source:

clientSecret :string|null

The client secret to use for authentication.

Only used for the client_credentials grant type.

Type:
  • string | null
Source:

(protected) connection :Connection

Type:
Overrides:
Source:

defaultClient :OidcClient

The detected default Client.

Type:
Source:

defaultClients :Array.<OidcClient>

The default clients made available by the back-end.

Type:
Source:

grant :string

The grant type (flow) to use for this provider.

Either "authorization_code+pkce" (default), "implicit" or "client_credentials"

Type:
  • string
Source:

issuer :string

The issuer, i.e. the link to the identity provider.

Type:
  • string
Source:

Any additional links.

Type:
Source:

refreshTokenScope :string

The scope that is used to request a refresh token.

Type:
  • string
Source:

scopes :Array.<string>

The scopes to be requested.

Type:
  • Array.<string>
Source:

user :Oidc.User

The authenticated OIDC user.

Type:
  • Oidc.User
Source:

wellKnownDocument :object.<string, *>|null

The cached OpenID Connect well-known configuration document.

Type:
  • object.<string, *> | null
Source:

(static) grants :Array.<string>

The supported OpenID Connect grants (flows).

The grants are given as defined in openEO API, e.g. implicit and/or authorization_code+pkce If not defined there, consult the OpenID Connect Discovery documentation.

Lists the grants by priority so that the first grant is the default grant. The default grant type since client version 2.0.0 is 'authorization_code+pkce'.

Type:
  • Array.<string>
Source:

(static) redirectUrl :string

The global redirect URL to use.

By default uses the location of the browser, but removes fragment, query and trailing slash. The fragment conflicts with the fragment appended by the Implicit Flow and the query conflicts with the query appended by the Authorization Code Flow. The trailing slash is removed for consistency.

Type:
  • string
Source:

(static) uiMethod :string

The global "UI" method to use to open the login URL, either "redirect" (default) or "popup".

Type:
  • string
Source:

Methods

addListener(event, callback, scopeopt)

Adds a listener to one of the following events:

  • AccessTokenExpiring: Raised prior to the access token expiring.
  • AccessTokenExpired: Raised after the access token has expired.
  • SilentRenewError: Raised when the automatic silent renew has failed.
Parameters:
Name Type Attributes Default Description
event string
callback function
scope string <optional>
 "default"
Source:

detectDefaultClient() → {OidcClient|null}

Detects the default OIDC client ID for the given redirect URL.

Sets the grant and client ID accordingly.

Source:
See:
Returns:
Type
OidcClient | null

getDescription() → {string}

Returns the human-readable description for the authentication method / provider.

Overrides:
Source:
Returns:
Type
string

getDisplayName() → (nullable) {string}

Returns a display name for the authenticated user.

For the client_credentials grant, returns a name based on the client ID.

Overrides:
Source:
Returns:

Name of the user or null

Type
string

getId() → {string}

Get an identifier for the auth provider (combination of the type + provider identifier).

Overrides:
Source:
Returns:
Type
string

(protected) getOptions(options, requestRefreshTokenopt) → {object.<string, *>}

Returns the options for the OIDC client library.

Options can be overridden by custom options via the options parameter.

Parameters:
Name Type Attributes Default Description
options object.<string, *>
requestRefreshToken boolean <optional>
 false

If set to true, adds a scope to request a refresh token.
Source:
See:
Returns:
Type
object.<string, *>

getProviderId() → {string}

Returns the provider identifier, may not be available for all authentication methods.

Overrides:
Source:
Returns:
Type
string

(protected) getResponseType() → {string}

Get the response_type based on the grant type.

Source:
Throws:
Error
Returns:
Type
string

getTitle() → {string}

Returns the human-readable title for the authentication method / provider.

Overrides:
Source:
Returns:
Type
string

getToken() → {string|null}

Returns the access token that is used as Bearer Token in API requests.

Returns null if no access token has been set yet (i.e. not authenticated any longer).

Checks whether the server supports the JWT conformance class.

Overrides:
Source:
Returns:
Type
string | null

(async, protected) getTokenEndpoint() → {Promise.<string>}

Discovers the token endpoint from the OpenID Connect issuer.

Source:
Throws:
Error
Returns:

The token endpoint URL.

Type
Promise.<string>

getType() → {string}

Returns the type of the authentication procedure as specified by the API, e.g. oidc or basic.

Overrides:
Source:
Returns:
Type
string

(async) getWellKnownDocument() → {Promise.<object.<str, *>>|null}

Retrieves the OpenID Connect well-known configuration document.

Source:
Returns:

The well-known configuration document, or null if the issuer URL is not set.

Type
Promise.<object.<str, *>> | null

(async) login(optionsopt, requestRefreshTokenopt) → {Promise.<void>}

Authenticate with OpenID Connect (OIDC).

Supported in Browser environments for authorization_code+pkce and implicit grants. The client_credentials grant is supported in all environments.

Parameters:
Name Type Attributes Default Description
options object.<string, *> <optional>
 {}

Object with authentication options.
requestRefreshToken boolean <optional>
 false

If set to true, adds a scope to request a refresh token.
Overrides:
Source:
See:
Throws:
Error
Returns:
Type
Promise.<void>

(async, protected) loginClientCredentials() → {Promise.<void>}

Authenticate using the OIDC Client Credentials grant.

Requires clientId and clientSecret to be set. This flow does not use the oidc-client library and works in all environments.

Source:
Throws:
Error
Returns:
Type
Promise.<void>

(async) logout()

Logout from the established session.

Overrides:
Source:

removeListener(event, scopeopt)

Removes the listener for the given event that has been set with addListener.

Parameters:
Name Type Attributes Default Description
event string
scope string <optional>
 "default"
Source:
See:

(async) resume(optionsopt) → {Promise.<boolean>}

Restores a previously established OIDC session from storage.

Not supported for the client_credentials grant as credentials are not persisted. Use login() to re-authenticate instead.

Parameters:
Name Type Attributes Default Description
options object.<string, *> <optional>
 {}

Additional options passed to the OIDC UserManager.
Overrides:
Source:
See:
Returns:

true if the session could be resumed, false otherwise.

Type
Promise.<boolean>

setClientId(clientId)

Sets the Client ID for OIDC authentication.

This may override a detected default client ID.

Parameters:
Name Type Description
clientId string | null
Source:

setClientSecret(clientSecret)

Sets the Client Secret for OIDC authentication.

Only used for the client_credentials grant type.

Parameters:
Name Type Description
clientSecret string | null
Source:

setGrant(grant)

Sets the grant type (flow) used for OIDC authentication.

Parameters:
Name Type Description
grant string

Grant Type
Source:
Throws:
Error

setToken(tokennullable)

Sets the access token that is used as Bearer Token in API requests.

Set to null to remove the access token.

This also manages which auth provider is set for the connection.

Parameters:
Name Type Attributes Description
token string <nullable>
Overrides:
Source:

setUser(user)

Sets the OIDC User.

Parameters:
Name Type Description
user Oidc.User | null

The OIDC User. Passing null resets OIDC authentication details.
Source:
See:

(async) supportsClientCredentials() → {Promise.<(boolean|null)>}

Checks whether the OpenID Connect provider supports the Client Credentials grant.

Source:
Returns:

true if the Client Credentials grant is supported, false otherwise. null if unknown.

Type
Promise.<(boolean|null)>

(static) isSupported() → {boolean}

Checks whether the required OIDC client library openid-client-js is available.

Source:
Returns:
Type
boolean

(async, static) signinCallback(provider, optionsopt) → {Promise.<?Oidc.User>}

Finishes the OpenID Connect sign in (authentication) workflow.

Must be called in the page that OpenID Connect redirects to after logging in.

Supported only in Browser environments.

Parameters:
Name Type Attributes Default Description
provider OidcProvider null

A OIDC provider to assign the user to.
options object.<string, *> <optional>
 {}

Object with additional options.
Source:
See:
Throws:
Error
Returns:

For uiMethod = 'redirect' only: OIDC User

Type
Promise.<?Oidc.User>