@boundstate/hapi-oidc-auth NPM

hapi-oidc-auth

OpenID Connect auth plugin for hapi.

Uses token introspection to verify tokens and get their details.

npm install @boundstate/hapi-oidc-auth

Usage

import * as Hapi from '@hapi/hapi';
import {hapiOidcAuth} from '@boundstate/hapi-oidc-auth';

const server = new Hapi.Server();

await server.register({
  plugin: hapiOidcAuth,
  options: {
    issuer: 'https://sso.example.com',
    clientMetadata: {
      client_id: 'my-app-id',
      client_secret: 'my-app-secret',
    },
  },
});

Dynamic client registration

Instead of specifying the client id and secret, you may provide configuration for dynamic registration:

await server.register({
  plugin: hapiOidcAuth,
  options: {
    issuer: 'https://sso.example.com',
    clientMetadata: fs.existsSync(oidcMetadataPath)
      ? JSON.parse(fs.readFileSync(oidcMetadataPath, {encoding: 'utf8'}))
      : undefined,
    dynamicRegistration: {
      initialAccessToken: 'secret',
      clientMetadata: {
        grant_types: […],
        redirect_uris: […],
        response_types: […],
      },
      onRegistered: (metadata: HapiOidcClientMetadata) => {
        fs.writeFileSync(oidcMetadataPath, JSON.stringify(metadata, null, 2));
      },
    },
  },
});

Plugin options

issuer: OpenID provider URL (used for discovery)
allowQueryToken: (optional, default: false) accept token via query parameter
clientMetadata: (optional) Client metadata
- client_id: Client ID
- client_secret: Client secret
dynamicRegistration: (optional) dynamic registration options
- initialAccessToken: access token used for registration
- clientMetadata: Client metadata for registration
- verify: (optional, default: false) verify client when server starts and attempt registration if necessary
- onRegistered: callback when registration succeeds