@payapps/client-credentials-auth NPM

client-credentials-auth

Library for resolving access tokens using the OpenID Connect client credentials flow (OIDC client_credentials grant). Designed to allow easy addition of Authorization header bearer tokens to outgoing API requests, e.g. using an Axios request interceptor.

coverage

Discovery information and tokens are automatically cached in memory according configuration (discovery) or the token expiry (access tokens), and transparently reloaded as required. OIDC discovery and token issuance is handled internally by the openid-client package.

Client credentials can be pre-configured (using .addClient('clientname', options)), or resolved at runtime using a credentials store callback. Runtime resolution allows easy async resolution of client secrets from a secret store, or environment variables.

See the integration.test.ts for a working example using Axios.

Usage

Create a global (using default options) and add a pre-configured client

const clientCredentialsAuth = new ClientCredentialsAuth();
clientCredentialsAuth.addClient("test-api", {
    clientId: "test-api-client-id",
    clientSecret: "not-very-secret",
    oidcProviderAddress: "http://localhost:5123",
    scope: "testscope",
});

Setup your Axios request interceptor

axios.interceptors.request.use(async (config) => {
    const token = await clientCredentialsAuth.getClientToken("test-api");
    config.headers.Authorization = `bearer ${token}`;
    return config;
});

Setup your Axios response error interceptor

axios.interceptors.response.use(undefined, async (error) => {
    const { config, isRetry, response } = error;
    if (!isRetry && response && response.status === 401) {
        clientCredentialsAuth.clearClientToken("test-api");
        config.isRetry = true;
        return axios(config);
    } else {
        return Promise.reject(error);
    }
});