14 | Excluded page
15 |
16 |
17 |
--------------------------------------------------------------------------------
/playground/.eslintrc.cjs:
--------------------------------------------------------------------------------
1 | module.exports = {
2 | root: true,
3 | extends: [
4 | '@nuxt/eslint-config',
5 | ],
6 | rules: {
7 | // Global
8 | 'semi': ['error', 'never'],
9 | 'quotes': ['error', 'single'],
10 | 'quote-props': ['error', 'as-needed'],
11 | // Vue
12 | 'vue/multi-word-component-names': 0,
13 | 'vue/max-attributes-per-line': 'off',
14 | 'vue/no-v-html': 0,
15 | },
16 | }
17 |
--------------------------------------------------------------------------------
/docs/content/99.contributing.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Contributing
3 | description: How to contribute to nuxt-oidc-auth
4 | ---
5 |
6 | ## Contributing
7 |
8 | ```bash
9 | # Install dependencies
10 | pnpm install
11 |
12 | # Generate type stubs
13 | pnpm run dev:prepare
14 |
15 | # Develop with the playground
16 | pnpm run dev
17 |
18 | # Build the playground
19 | pnpm run dev:build
20 |
21 | # Run ESLint
22 | pnpm run lint
23 | ```
24 |
--------------------------------------------------------------------------------
/src/runtime/providers/index.ts:
--------------------------------------------------------------------------------
1 | export { apple } from './apple.js'
2 | export { auth0 } from './auth0.js'
3 | export { cognito } from './cognito.js'
4 | export { entra } from './entra.js'
5 | export { github } from './github.js'
6 | export { keycloak } from './keycloak.js'
7 | export { logto } from './logto.js'
8 | export { microsoft } from './microsoft.js'
9 | export { oidc } from './oidc.js'
10 | export { paypal } from './paypal.js'
11 | export { zitadel } from './zitadel.js'
12 |
--------------------------------------------------------------------------------
/docs/app/layouts/docs.vue:
--------------------------------------------------------------------------------
1 |
6 |
7 |
8 |
20 | 
21 |
33 |
34 |
--------------------------------------------------------------------------------
/src/runtime/middleware/oidcAuth.ts:
--------------------------------------------------------------------------------
1 | import type { RouteLocationNormalized } from 'vue-router'
2 | import { defineNuxtRouteMiddleware, useOidcAuth, useRuntimeConfig } from '#imports'
3 |
4 | interface MiddlewareOptions {
5 | /**
6 | * Whether to enable the middleware.
7 | *
8 | * @default true
9 | */
10 | enabled: boolean
11 | }
12 |
13 | declare module '#app' {
14 | interface PageMeta {
15 | oidcAuth?: MiddlewareOptions
16 | }
17 | }
18 |
19 | declare module 'vue-router' {
20 | interface RouteMeta {
21 | oidcAuth?: MiddlewareOptions
22 | }
23 | }
24 |
25 | export default defineNuxtRouteMiddleware(async (to) => {
26 | if (to.meta.oidcAuth?.enabled === false) {
27 | return
28 | }
29 | // 404 exclusion
30 | const isErrorPage = !(to.matched.length > 0)
31 | if (isErrorPage) {
32 | return
33 | }
34 | const { loggedIn, login } = useOidcAuth()
35 |
36 | if (loggedIn.value === true || to.path.startsWith('/auth/')) {
37 | return
38 | }
39 | await login()
40 | })
41 |
--------------------------------------------------------------------------------
/test/fixtures/oidcApp/pages/index.vue:
--------------------------------------------------------------------------------
1 |
6 |
7 |
8 |
21 |
22 |
32 | 23 | Nuxt OIDC Auth 24 |
25 |26 | {{ title }} 27 |
28 |29 | {{ description }} 30 |
31 |
9 | {{ currentProvider }}
10 |
11 |
12 | {{ user?.canRefresh }}
13 |
14 |
15 | {{ user?.updatedAt }}
16 |
17 |
18 | {{ user?.expireAt }}
19 |
20 |
21 | {{ user?.singleSignOut }}
22 |
23 |
24 | {{ loggedIn }}
25 |
26 |
29 |
32 |
35 |
38 |
39 |
--------------------------------------------------------------------------------
/docs/content/3.server-utils/3.oidc-handlers.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: OIDC Handler
3 | description: Nuxt OIDC Auth route handlers
4 | ---
5 |
6 | ## OIDC Event Handlers
7 |
8 | All configured providers automatically register the following server routes.
9 |
10 | - `/auth/
9 |
31 |
33 |
34 |
35 |
--------------------------------------------------------------------------------
/docs/eslint.config.mjs:
--------------------------------------------------------------------------------
1 | import antfu from '@antfu/eslint-config'
2 | import { createConfigForNuxt } from '@nuxt/eslint-config/flat'
3 |
4 | export default createConfigForNuxt({
5 | features: {
6 | tooling: false,
7 | standalone: false,
8 | stylistic: true,
9 | },
10 | }, {
11 | rules: {
12 | 'node/prefer-global/process': 'off',
13 | },
14 | ignores: ['.github/*'],
15 | }).prepend(
16 | antfu(
17 | {
18 | unocss: false,
19 | markdown: true,
20 | rules: {
21 | 'operator-linebreak': 'off',
22 | 'linebreak-style': ['error', 'unix'],
23 | 'eol-last': ['error', 'always'],
24 | 'node/prefer-global/process': 'off',
25 | 'style/member-delimiter-style': [
26 | 'error',
27 | {
28 | multiline: {
29 | delimiter: 'none',
30 | requireLast: false,
31 | },
32 | singleline: {
33 | delimiter: 'semi',
34 | requireLast: false,
35 | },
36 | },
37 | ],
38 | },
39 | },
40 | ),
41 | )
42 |
--------------------------------------------------------------------------------
/playground/layouts/default.vue:
--------------------------------------------------------------------------------
1 |
4 |
5 |
6 |
10 |
28 | 11 | Please login 12 |
13 |
14 |
20 |
26 |
27 |
9 |
31 |
33 |
34 |
35 |
--------------------------------------------------------------------------------
/src/runtime/server/api/sso.ts:
--------------------------------------------------------------------------------
1 | import { useStorage } from '#imports'
2 | import { createError, createEventStream, defineEventHandler } from 'h3'
3 | import { getSingleSignOutSessionId, getUserSessionId, logoutHooks } from '../utils/session'
4 |
5 | export default defineEventHandler(async (event) => {
6 | const sessionId = await getSingleSignOutSessionId(event)
7 | if (!sessionId) {
8 | throw createError({
9 | statusCode: 401,
10 | message: 'Unauthorized',
11 | })
12 | }
13 | const userSessionId = await getUserSessionId(event)
14 | const eventStream = createEventStream(event)
15 |
16 | let logoutHook: () => void
17 |
18 | const cleanupHook = async () => {
19 | await useStorage('oidc').removeItem(userSessionId)
20 | logoutHook()
21 | }
22 |
23 | let firstCall = false
24 | logoutHook = logoutHooks.hook(sessionId, async () => {
25 | if (!firstCall) {
26 | firstCall = true
27 | cleanupHook()
28 | }
29 | await eventStream.push({
30 | event: 'logout',
31 | data: '',
32 | })
33 | })
34 | return eventStream.send()
35 | })
36 |
--------------------------------------------------------------------------------
/playground/server/plugins/session.ts:
--------------------------------------------------------------------------------
1 | export default defineNitroPlugin(() => {
2 | sessionHooks.hook('fetch', async (session) => {
3 | // Extend User Session
4 | // Or throw createError({ ... }) if session is invalid
5 | // session.extended = {
6 | // fromHooks: true
7 | // }
8 | // eslint-disable-next-line no-console
9 | console.log('Injecting "status" claim as test on fetch')
10 | if (!(Object.keys(session).length === 0)) {
11 | const claimToAdd = { status: 'Fetch' }
12 | session.claims = { ...session.claims, ...claimToAdd }
13 | }
14 | })
15 |
16 | sessionHooks.hook('refresh', async (session) => {
17 | // eslint-disable-next-line no-console
18 | console.log('Injecting "status" claim as test on refresh')
19 | if (!(Object.keys(session).length === 0)) {
20 | const claimToAdd = { status: 'Refresh' }
21 | session.claims = { ...session.claims, ...claimToAdd }
22 | }
23 | })
24 |
25 | sessionHooks.hook('clear', async () => {
26 | // Log that user logged out
27 | // eslint-disable-next-line no-console
28 | console.log('User logged out')
29 | })
30 | })
31 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2023 Jan-Henrik Damaschke
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/docs/tailwind.config.ts:
--------------------------------------------------------------------------------
1 | import type { Config } from 'tailwindcss'
2 | import defaultTheme from 'tailwindcss/defaultTheme'
3 | import plugin from 'tailwindcss/plugin'
4 |
5 | export default
10 |
28 | 11 | Nuxt OIDC Auth 12 |
13 |
14 |
20 |
26 |
27 |
34 |
37 |
38 |
39 |
41 |
42 |
43 |
44 |
47 |
52 |
53 |
55 |
56 |
--------------------------------------------------------------------------------
/eslint.config.js:
--------------------------------------------------------------------------------
1 | import antfu from '@antfu/eslint-config'
2 | import { createConfigForNuxt } from '@nuxt/eslint-config/flat'
3 |
4 | export default createConfigForNuxt({
5 | features: {
6 | tooling: true,
7 | standalone: false,
8 | },
9 | }, {
10 | rules: {
11 | 'node/prefer-global/process': 'off',
12 | },
13 | ignores: ['.github/**', '**/*.md'],
14 | }).prepend(
15 | antfu(
16 | {
17 | ignores: ['client/', 'docs/'],
18 | unocss: false,
19 | markdown: false,
20 | rules: {
21 | 'operator-linebreak': 'off',
22 | 'linebreak-style': ['error', 'unix'],
23 | 'eol-last': ['error', 'always'],
24 | 'node/prefer-global/process': 'off',
25 | 'style/member-delimiter-style': [
26 | 'error',
27 | {
28 | multiline: {
29 | delimiter: 'none',
30 | requireLast: false,
31 | },
32 | singleline: {
33 | delimiter: 'semi',
34 | requireLast: false,
35 | },
36 | },
37 | ],
38 | },
39 | languageOptions: {
40 | parserOptions: {
41 | warnOnUnsupportedTypeScriptVersion: false,
42 | },
43 | },
44 | },
45 | ),
46 | )
47 |
--------------------------------------------------------------------------------
/.vscode/settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "files.eol": "\n",
3 | // Enable the ESlint flat config support
4 | "eslint.useFlatConfig": true,
5 | "prettier.enable": false,
6 | "editor.formatOnSave": false,
7 | "editor.tabSize": 2,
8 | "editor.codeActionsOnSave": {
9 | "source.fixAll.eslint": "explicit"
10 | },
11 | // TypeScript formatter options
12 | "typescript.format.insertSpaceAfterOpeningAndBeforeClosingNonemptyParenthesis": false,
13 | "typescript.format.insertSpaceAfterOpeningAndBeforeClosingNonemptyBrackets": false,
14 | "typescript.format.insertSpaceAfterOpeningAndBeforeClosingNonemptyBraces": true,
15 | "typescript.format.semicolons": "remove",
16 | "typescript.format.enable": true,
17 | "typescript.preferences.quoteStyle": "single",
18 | "html.format.wrapAttributes": "force-expand-multiline",
19 | "unocss.root": ["playground"],
20 | "eslint.validate": [
21 | "javascript",
22 | "javascriptreact",
23 | "typescript",
24 | "typescriptreact",
25 | "vue",
26 | "html",
27 | "markdown",
28 | "json",
29 | "jsonc",
30 | "yaml",
31 | "toml",
32 | "xml",
33 | "gql",
34 | "graphql",
35 | "astro",
36 | "svelte",
37 | "css",
38 | "less",
39 | "scss",
40 | "pcss",
41 | "postcss"
42 | ]
43 | }
44 |
--------------------------------------------------------------------------------
/playground/.env.example:
--------------------------------------------------------------------------------
1 | # OIDC MODULE CONFIG
2 | NUXT_OIDC_TOKEN_KEY=
3 | NUXT_OIDC_SESSION_SECRET=
4 | NUXT_OIDC_AUTH_SESSION_SECRET=
5 | # ENTRA ID PROVIDER CONFIG
6 | NUXT_OIDC_PROVIDERS_ENTRA_CLIENT_SECRET=
7 | NUXT_OIDC_PROVIDERS_ENTRA_CLIENT_ID=
8 | NUXT_OIDC_PROVIDERS_ENTRA_AUDIENCE=
9 | NUXT_OIDC_PROVIDERS_ENTRA_AUTHORIZATION_URL=
10 | NUXT_OIDC_PROVIDERS_ENTRA_TOKEN_URL=
11 | NUXT_OIDC_PROVIDERS_ENTRA_USER_NAME_CLAIM=
12 | NUXT_OIDC_PROVIDERS_ENTRA_LOGOUT_URL=
13 | NUXT_OIDC_PROVIDERS_ENTRA_ADDITIONAL_AUTH_PARAMETERS_RESOURCE=
14 | NUXT_OIDC_PROVIDERS_ENTRA_VALIDATE_ACCESS_TOKEN=
15 | NUXT_OIDC_PROVIDERS_ENTRA_VALIDATE_ID_TOKEN=
16 | NUXT_OIDC_PROVIDERS_ENTRA_CALLBACK_REDIRECT_URL=
17 | # AUTH0 PROVIDER CONFIG
18 | NUXT_OIDC_PROVIDERS_AUTH0_CLIENT_SECRET=
19 | NUXT_OIDC_PROVIDERS_AUTH0_CLIENT_ID=
20 | NUXT_OIDC_PROVIDERS_AUTH0_BASE_URL=
21 | # GITHUB PROVIDER CONFIG
22 | NUXT_OIDC_PROVIDERS_GITHUB_CLIENT_SECRET=
23 | NUXT_OIDC_PROVIDERS_GITHUB_CLIENT_ID=
24 | # KEYCLOAK PROVIDER CONFIG
25 | NUXT_OIDC_PROVIDERS_KEYCLOAK_CLIENT_SECRET=
26 | NUXT_OIDC_PROVIDERS_KEYCLOAK_CLIENT_ID=
27 | NUXT_OIDC_PROVIDERS_KEYCLOAK_BASE_URL=
28 | # COGNITO PROVIDER CONFIG
29 | NUXT_OIDC_PROVIDERS_COGNITO_CLIENT_ID=
30 | NUXT_OIDC_PROVIDERS_COGNITO_CLIENT_SECRET=
31 | NUXT_OIDC_PROVIDERS_COGNITO_BASE_URL=
32 | NUXT_OIDC_PROVIDERS_COGNITO_OPEN_ID_CONFIGURATION=
--------------------------------------------------------------------------------
/docs/package.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "nuxt-oidc-auth-docs",
3 | "type": "module",
4 | "version": "1.0.0",
5 | "private": true,
6 | "description": "Docs for nuxt-oidc-auth",
7 | "authors": "itpropro",
8 | "scripts": {
9 | "dev": "nuxi dev",
10 | "generate": "nuxi generate",
11 | "build": "set NODE_OPTIONS=--disable-warning=DEP0155 --disable-warning=DEP0166 && nuxi build",
12 | "preview": "nuxi preview",
13 | "swadeploy": "dotenv -- swa deploy .output/public --api-location .output/server --api-language \"node\" --api-version \"20\" --env production"
14 | },
15 | "dependencies": {
16 | "@iconify-json/carbon": "^1.2.3",
17 | "@iconify-json/heroicons": "^1.2.1",
18 | "@iconify-json/simple-icons": "^1.2.9",
19 | "@nuxt/content": "^2.13.4",
20 | "@nuxt/fonts": "^0.10.0",
21 | "@nuxt/image": "^1.8.1",
22 | "@nuxt/scripts": "^0.9.5",
23 | "@nuxt/ui-pro": "^1.4.4",
24 | "@nuxtjs/seo": "^2.0.0-rc.23",
25 | "@vueuse/core": "^11.1.0",
26 | "@vueuse/nuxt": "^11.1.0",
27 | "nuxt": "^3.13.2",
28 | "nuxt-vitalizer": "^0.10.0"
29 | },
30 | "devDependencies": {
31 | "@antfu/eslint-config": "^3.8.0",
32 | "@azure/static-web-apps-cli": "^2.0.1",
33 | "@nuxt/eslint": "^0.6.0",
34 | "dotenv-cli": "^7.4.2",
35 | "eslint": "^9.13.0",
36 | "typescript": "5.6.3",
37 | "vue-tsc": "^2.1.6"
38 | }
39 | }
40 |
--------------------------------------------------------------------------------
/docs/app/app.vue:
--------------------------------------------------------------------------------
1 |
34 |
35 |
36 |
37 |
42 |
43 |
45 |
46 |
47 |
50 |
55 |
56 |
58 |
59 |
--------------------------------------------------------------------------------
/playground/pages/auth/login.vue:
--------------------------------------------------------------------------------
1 |
9 |
10 |
11 |
12 |
37 |
38 |
--------------------------------------------------------------------------------
/test/fixtures/oidcApp/nuxt.config.ts:
--------------------------------------------------------------------------------
1 | import { defineNuxtConfig } from 'nuxt/config'
2 | import nuxtOidcAuth from '../../../src/module'
3 |
4 | export default defineNuxtConfig({
5 | modules: [
6 | nuxtOidcAuth,
7 | ],
8 |
9 | telemetry: {
10 | enabled: false,
11 | },
12 |
13 | oidc: {
14 | defaultProvider: 'keycloak',
15 | providers: {
16 | keycloak: {
17 | audience: 'account',
18 | clientId: '',
19 | clientSecret: '',
20 | baseUrl: 'http://localhost:8080/realms/nuxt-oidc-test',
21 | redirectUri: 'http://localhost:3000/auth/keycloak/callback',
22 | userNameClaim: 'preferred_username',
23 | allowedCallbackRedirectUrls: [
24 | 'http://localhost',
25 | 'http://127.0.0.1',
26 | ],
27 | sessionConfiguration: {
28 | singleSignOut: true,
29 | },
30 | },
31 | },
32 | middleware: {
33 | globalMiddlewareEnabled: true,
34 | customLoginPage: true,
35 | },
36 | },
37 |
38 | devtools: {
39 | enabled: true,
40 | },
41 |
42 | imports: {
43 | autoImport: true,
44 | },
45 |
46 | nitro: {
47 | preset: 'node-server',
48 | storage: { // Local file system storage for demo purposes
49 | oidc: {
50 | driver: 'fs',
51 | base: 'playground/oidcstorage',
52 | },
53 | },
54 | },
55 |
56 | compatibilityDate: '2024-08-28',
57 | })
58 |
--------------------------------------------------------------------------------
/docs/content/3.server-utils/2.session-management.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Session management
3 | description: Nuxt session management
4 | ---
5 |
6 | ## Session expiration and refresh
7 |
8 | Nuxt OIDC Auth automatically checks if the session is expired and refreshes it if necessary. You can disable this behavior by setting `expirationCheck` and `automaticRefresh` to `false` in the `session` configuration.
9 | The session is automatically refreshed when the `session` object is accessed. You can also manually refresh the session using `refresh` from `useOidcAuth` on the client or on the server side by calling `refreshUserSession(event)`.
10 |
11 | Session expiration and refresh is handled completely server side, the exposed properties in the user session are automatically updated. You can theoretically register a hook that overwrites session fields like `loggedInAt`, but this is not recommended and will be overwritten with each refresh.
12 |
13 | ## Using the session in server side code
14 |
15 | You can access the user session in your server side code by using the `getUserSession` function from the `@nuxtjs/oidc-auth` module.
16 |
17 | ```ts
18 | import { getUserSession } from 'nuxt-oidc-auth/runtime/server/utils/session.js'
19 |
20 | export default eventHandler(async (event) => {
21 | const session = await getUserSession(event)
22 | return session.userName
23 | })
24 | ```
25 |
26 | Be careful to not expose any sensitive information from the handler code.
27 |
--------------------------------------------------------------------------------
/src/runtime/providers/zitadel.ts:
--------------------------------------------------------------------------------
1 | import { normalizeURL, withHttps, withoutTrailingSlash } from 'ufo'
2 | import { createProviderFetch, defineOidcProvider, type OidcProviderConfig } from '../server/utils/provider'
3 |
4 | type ZitadelRequiredFields = 'baseUrl' | 'clientId' | 'clientSecret'
5 |
6 | export const zitadel = defineOidcProvider
13 |
23 |
24 |
25 |
35 |
36 | 10 | ❌ Nonce
11 | ✅ State
12 | ❌ Access Token validation
13 | ❌ ID Token validation
14 | 15 | ## Introduction 16 | 17 | GitHub is not strictly an OIDC provider, but it can be used as one. Make sure that validation is disabled and that you keep the `skipAccessTokenParsing` option to `true`. 18 | 19 | Try to use a [GitHub App](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/differences-between-github-apps-and-oauth-apps), not the legacy OAuth app. They don't provide the same level of security, have no granular permissions, don't provide refresh tokens and are not tested. 20 | 21 | Make sure to set the callback URL in your OAuth app settings as `
19 |
24 | DevMode enabled!
25 |
26 |
32 | Dev Mode is not enabled. To enabled it, set
33 |
34 | devMode
35 |
36 |
37 | enabled
38 |
39 | to true.
40 |
41 |
45 | Current config:
46 |
47 |
63 |
54 | For more information check the
10 | ✅ Nonce
11 | ✅ State
12 | ❌ Access Token validation
13 | ✅ ID Token validation
14 | 15 | ## Introduction 16 | 17 | For Zitadel you have to provide at least the `baseUrl`, `clientId` and `clientSecret` properties. The `baseUrl` is used to dynamically create the `authorizationUrl`, `tokenUrl`, `logoutUrl` and `userInfoUrl`. 18 | The provider supports PKCE and Code authentication schemes. For PKCE just leave the clientSecret set to an empty string (''). 19 | 20 | ## Provider specific parameters 21 | 22 | This providers doesn't have specific parameters. 23 | 24 | ## Example Configuration 25 | 26 | ::callout{icon="i-carbon-warning-alt" color="amber"} 27 | Never store sensitive values like your client secret in your Nuxt config. Our recommendation is to inject at least client id and client secret via. environment variables. 28 | :: 29 | 30 | ```typescript [nuxt.config.ts] 31 | zitadel: { 32 | clientId: '', 33 | clientSecret: '', // Works with PKCE and Code flow, just leave empty for PKCE 34 | redirectUri: 'http://localhost:3000/auth/zitadel/callback', // Replace with your domain 35 | baseUrl: '', // For example https://PROJECT.REGION.zitadel.cloud 36 | audience: '', // Specify for id token validation, normally same as clientId 37 | logoutRedirectUri: 'https://google.com', // Needs to be registered in Zitadel portal 38 | authenticationScheme: 'none', // Set this to 'header' if Code is used instead of PKCE 39 | }, 40 | ``` 41 | 42 | ### Environment variables 43 | 44 | Dotenv files are only for (local) development. Use a proper configuration management or injection system in production. 45 | 46 | ```ini [.env] 47 | NUXT_OIDC_PROVIDERS_ZITADEL_CLIENT_ID=123456789012345678 48 | NUXT_OIDC_PROVIDERS_ZITADEL_BASE_URL=https://PROJECT.us1.zitadel.cloud/ 49 | ``` 50 | -------------------------------------------------------------------------------- /client/components/ProviderConfigs.vue: -------------------------------------------------------------------------------- 1 | 19 | 20 | 21 |
30 |
35 |
42 |
43 |
61 |
62 |
17 | 
18 |
19 |
20 | Nuxt OIDC Auth
21 |
22 |
33 |
34 |
35 |
36 |
40 |
18 |
19 |
20 | Nuxt OIDC Auth
21 |
22 |
33 | 
19 |
32 |
44 |
65 |
66 |
--------------------------------------------------------------------------------
/src/runtime/providers/logto.ts:
--------------------------------------------------------------------------------
1 | import { normalizeURL, withHttps, withoutTrailingSlash } from 'ufo'
2 | import { createProviderFetch, defineOidcProvider } from '../server/utils/provider'
3 |
4 | interface LogtoProviderConfig {
5 | /**
6 | * Specifies the first screen that the user will see.
7 | * @default undefined
8 | */
9 | firstScreen?: string
10 | /**
11 | * Specifies the identifier types that the sign-in or sign-up form will accept.
12 | * @default undefined
13 | */
14 | identifier?: string
15 | /**
16 | * Populates the identifier field with the user's email address or username. (This is a OIDC standard parameter)
17 | * @default undefined
18 | */
19 | loginHint?: string
20 | /**
21 | * Indicates the type of user interaction that is required. Valid values are login, none, consent, and select_account.
22 | * @default undefined
23 | */
24 | prompt?: 'login' | 'none' | 'consent' | 'select_account'
25 | }
26 |
27 | type LogtoRequiredFields = 'baseUrl' | 'clientId' | 'clientSecret'
28 |
29 | export const logto = defineOidcProvider
45 |
64 |
46 | ![]()
62 |
63 |
47 | {{ title || alt }}
48 |
56 |
57 | 10 | ✅ Nonce
11 | ✅ State
12 | ❌ Access Token validation
13 | ❌ ID Token validation
14 | 15 | AWS Congito doesn't correctly implement the OAuth 2 standard and doesn't provide a `aud` field for the audience. Therefore it is not possible to verify the access or id token. 16 | 17 | ## Introduction 18 | 19 | For AWS Cognito you have to provide at least the `baseUrl`, `clientId`, `clientSecret` and `logoutRedirectUri` properties. The `baseUrl` is used to dynamically create the `authorizationUrl`, `tokenUrl`, `logoutUrl` and `userInfoUrl`. 20 | The only supported OAuth grant type is `Authorization code grant`. 21 | The final url should look something like this `https://cognito-idp.eu-north-1.amazonaws.com/eu-north-1_SOMEID/.well-known/openid-configuration`. 22 | You will also encounter an error, if you have not correctly registered the `redirectUri` under "Allowed callback URLs" or the `logoutRedirectUri` under "Allowed sign-out URLs". 23 | If you need additional scopes, specify them in the `scope` property in you nuxt config like `scope: ['openid', 'email', 'profile'],`. 24 | 25 | ## Example Configuration 26 | 27 | ::callout{icon="i-carbon-warning-alt" color="amber"} 28 | Never store sensitive values like your client secret in your Nuxt config. Our recommendation is to inject at least client id and client secret via. environment variables. 29 | :: 30 | 31 | ```typescript [nuxt.config.ts] 32 | cognito: { 33 | clientId: '', 34 | redirectUri: 'http://localhost:3000/auth/cognito/callback', 35 | clientSecret: '', 36 | scope: ['openid', 'email', 'profile'], 37 | logoutRedirectUri: 'https://google.com', 38 | baseUrl: '', 39 | exposeIdToken: true, // This is necessary to validate the logout redirect. If you don't need the ID token and don't use a logout redirect, set this to false. 40 | }, 41 | ``` 42 | 43 | ### Environment variables 44 | 45 | Dotenv files are only for (local) development. Use a proper configuration management or injection system in production. 46 | 47 | ```ini [.env] 48 | NUXT_OIDC_PROVIDERS_COGNITO_CLIENT_ID=CLIENT_ID 49 | NUXT_OIDC_PROVIDERS_COGNITO_CLIENT_SECRET=CLIENT_SECRET 50 | NUXT_OIDC_PROVIDERS_COGNITO_BASE_URL=https://YOURAPP.auth.eu-north-1.amazoncognito.com 51 | ``` 52 | -------------------------------------------------------------------------------- /docs/public/favicon.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /docs/content/2.provider/99.oidc.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Generic OIDC (advanced) 3 | description: Generic OIDC provider documentation 4 | icon: i-simple-icons-openid 5 | --- 6 | 7 | ## Introduction 8 | 9 | This is a generic OIDC provider that doesn't provide any preconfiguration or helpers to automatically generate URL. 10 | If your provider is not listed, you should be able to configure it with this provider. 11 | 12 | This is the generic providers default configuration: 13 | 14 | ```typescript 15 | const defaults: Partial
17 |
58 | If you don't define your secrets, Nuxt OIDC Auth will auto provide them in development, they will change
59 | on each server restart.
60 | Check your console for the following output:
61 |
69 |
79 |
18 |
26 | {{ oidcSecrets.tokenKey || 'Not set via. environment, please check your console output for the current value' }}
27 |
28 |
30 |
38 | {{ oidcSecrets.sessionSecret || 'Not set via. environment, please check your console output for the current value' }}
39 |
40 |
42 |
50 | {{ oidcSecrets.authSessionSecret || 'Not set via. environment, please check your console output for the current value' }}
51 |
52 |
70 | For more information check the
60 | 61 |
80 |
90 |
91 | 18 | 💾 Encrypted server side refresh/access token storage powered by Nitro storage
19 | 🔑 Token validation
20 | 🔒 Secured & sealed cookies sessions
21 | ⚙️ Presets for popular OIDC providers
22 | 📤 Global middleware with automatic redirection to default provider or a custom login page (see playground)
23 | 👤 `useOidcAuth` composable for getting the user information, logging in and out, refetching the current session and triggering a token refresh
24 | 🗂️ Multi provider support with auto registered routes (`/auth/
25 | 📝 Generic spec OpenID compatible connect provider with fully configurable OIDC flow (state, nonce, PKCE, token request, ...)
26 | 🕙 Session expiration check
27 | 28 | ## Installation 29 | 30 | ### Add `nuxt-oidc-auth` dependency to your project 31 | 32 | With nuxi 33 | 34 | ```bash 35 | pnpm dlx nuxi@latest module add nuxt-oidc-auth 36 | ``` 37 | 38 | or manually 39 | 40 | ```bash 41 | pnpm add -D nuxt-oidc-auth 42 | ``` 43 | 44 | Add `nuxt-oidc-auth` to the `modules` section of `nuxt.config.ts` 45 | 46 | ```js 47 | export default defineNuxtConfig({ 48 | modules: [ 49 | 'nuxt-oidc-auth' 50 | ] 51 | }) 52 | ``` 53 | 54 | ## ⚠️ Disclaimer 55 | 56 | This module is still in development, feedback and contributions are welcome! Use at your own risk. 57 | 58 | 59 | [npm-version-src]: https://img.shields.io/npm/v/nuxt-oidc-auth?labelColor=18181B&color=28CF8D 60 | [npm-version-href]: https://npmjs.com/package/nuxt-oidc-auth 61 | 62 | [npm-downloads-src]: https://img.shields.io/npm/dm/nuxt-oidc-auth?labelColor=18181B&color=28CF8D 63 | [npm-downloads-href]: https://npmjs.com/package/nuxt-oidc-auth 64 | 65 | [license-src]: https://img.shields.io/npm/l/nuxt-oidc-auth?labelColor=18181B&color=28CF8D 66 | [license-href]: https://npmjs.com/package/nuxt-oidc-auth 67 | 68 | [nuxt-src]: https://img.shields.io/badge/Nuxt-18181B?logo=nuxt.js 69 | [nuxt-href]: https://nuxt.com 70 | -------------------------------------------------------------------------------- /src/runtime/server/handler/logout.get.ts: -------------------------------------------------------------------------------- 1 | import type { H3Event } from 'h3' 2 | import type { OAuthConfig, ProviderKeys, UserSession } from '../../types' 3 | import type { OidcProviderConfig } from '../utils/provider' 4 | import { useRuntimeConfig } from '#imports' 5 | import { eventHandler, getQuery, getRequestURL, sendRedirect } from 'h3' 6 | import { withQuery } from 'ufo' 7 | import * as providerPresets from '../../providers' 8 | import { configMerger, convertObjectToSnakeCase } from '../utils/oidc' 9 | import { clearUserSession, getUserSession } from '../utils/session' 10 | 11 | export function logoutEventHandler({ onSuccess }: OAuthConfig
20 |
98 |
99 |
--------------------------------------------------------------------------------
/test/providers.test.ts:
--------------------------------------------------------------------------------
1 | import { fileURLToPath } from 'node:url'
2 | import { $fetch } from '@nuxt/test-utils'
3 | import { url } from '@nuxt/test-utils/e2e'
4 | import { expect, test } from '@nuxt/test-utils/playwright'
5 | import { providers } from './fixtures/providers'
6 |
7 | // TODO: Add test loop for each provider
8 |
9 | test.use({
10 | // @ts-expect-error Config overwrite
11 | nuxt: {
12 | rootDir: fileURLToPath(new URL('./fixtures/oidcApp', import.meta.url)),
13 | build: false,
14 | buildDir: fileURLToPath(new URL('./fixtures/oidcApp/', import.meta.url)),
15 | nuxtConfig: {
16 | runtimeConfig: {
17 | oidc: {
18 | providers: {
19 | keycloak: {
20 | logoutUrl: '',
21 | clientId: process.env.NUXT_OIDC_PROVIDERS_KEYCLOAK_CLIENT_ID,
22 | clientSecret: process.env.NUXT_OIDC_PROVIDERS_KEYCLOAK_CLIENT_SECRET,
23 | },
24 | },
25 | },
26 | },
27 | },
28 | },
29 | })
30 |
31 | test('redirects correctly', async () => {
32 | const rootUrl = url('/')
33 | const response = await fetch(rootUrl)
34 | expect(response.url).toMatch(url('/auth/login'))
35 | })
36 |
37 | test('excluded page is rendered', async () => {
38 | const excludedUrl = url('/excluded')
39 | const response = await fetch(excludedUrl)
40 | expect(response.url).toMatch(url('/excluded'))
41 | const html = await $fetch(excludedUrl)
42 | expect(html).toContain('Excluded page')
43 | })
44 |
45 | test('redirects to provider', async ({ page, goto }) => {
46 | const provider = 'keycloak'
47 | const providerUrl = url(`/auth/login`)
48 | await goto(providerUrl)
49 | await page.click(`button[name="${provider}"]`)
50 | await page.fill('input[name="username"]', 'testuser')
51 | await page.fill('input[name="password"]', 'p@ssword')
52 | await page.click('input[name="login"]')
53 | await page.waitForURL(url('/'))
54 | const currentProviderDiv = page.locator('div[name="currentProvider"]')
55 | expect(await currentProviderDiv.textContent()).toBe(provider)
56 | })
57 |
58 | test('can refresh', async ({ page, goto }) => {
59 | const provider = 'keycloak'
60 | const providerUrl = url(`/auth/login`)
61 | await goto(providerUrl)
62 | await page.click(`button[name="${provider}"]`)
63 | await page.fill('input[name="username"]', 'testuser')
64 | await page.fill('input[name="password"]', 'p@ssword')
65 | await page.click('input[name="login"]')
66 | await page.waitForURL(url('/'))
67 | const updatedAt = Number(await page.locator('div[name="updatedAt"]').textContent())
68 | await page.waitForTimeout(1000)
69 | await page.click('button[name="refresh"]')
70 | await page.waitForTimeout(100)
71 | const updatedAt2 = Number(await page.locator('div[name="updatedAt"]').textContent())
72 | expect(updatedAt2).toBeGreaterThan(updatedAt)
73 | })
74 |
75 | test('can logout', async ({ page, goto }) => {
76 | const provider = 'keycloak'
77 | const providerUrl = url(`/auth/login`)
78 | await goto(providerUrl)
79 | await page.click(`button[name="${provider}"]`)
80 | await page.fill('input[name="username"]', 'testuser')
81 | await page.fill('input[name="password"]', 'p@ssword')
82 | await page.click('input[name="login"]')
83 | await page.click('button[name="logout"]')
84 | expect(page.url()).toMatch(/^http:\/\/localhost:8080/)
85 | })
86 |
--------------------------------------------------------------------------------
/src/runtime/providers/microsoft.ts:
--------------------------------------------------------------------------------
1 | import { createProviderFetch, defineOidcProvider } from '../server/utils/provider'
2 |
3 | type MicrosoftRequiredFields = 'clientId' | 'clientSecret'
4 |
5 | interface MicrosoftAdditionalFields {
6 | /**
7 | * Optional. Indicates the type of user interaction that is required. Valid values are `login`, `none`, `consent`, and `select_account`.
8 | * @default 'login'
9 | */
10 | prompt?: 'login' | 'none' | 'consent' | 'select_account'
11 | /**
12 | * Optional. You can use this parameter to pre-fill the username and email address field of the sign-in page for the user. Apps can use this parameter during reauthentication, after already extracting the login_hint optional claim from an earlier sign-in.
13 | * @default undefined
14 | */
15 | loginHint?: string
16 | /**
17 | * Optional. Enables sign-out to occur without prompting the user to select an account. To use logout_hint, enable the login_hint optional claim in your client application and use the value of the login_hint optional claim as the logout_hint parameter.
18 | * @default undefined
19 | */
20 | logoutHint?: string
21 | /**
22 | * Optional. If included, the app skips the email-based discovery process that user goes through on the sign-in page, leading to a slightly more streamlined user experience.
23 | * @default undefined
24 | */
25 | domainHint?: string
26 | }
27 |
28 | interface MicrosoftProviderConfig {
29 | /**
30 | * Required. The tenant id is used to automatically configure the correct endpoint urls for the Microsoft provider to work.
31 | * @default 'login'
32 | */
33 | tenantId: 'login' | 'none' | 'consent' | 'select_account'
34 | }
35 |
36 | export const microsoft = defineOidcProvider
21 |
42 | 22 | Login with 23 |
24 | 31 | 41 |
43 |
81 | 44 | Session controls 45 |
46 |Logged in: {{ loggedIn }}
47 |Current provider: {{ currentProvider }}
48 | 56 | 64 | 72 | 80 |
82 |
97 | 83 | User object 84 |
85 |
89 |
90 | {{ `${key}` }}
91 |
92 |
96 | 93 | {{ value }} 94 |
95 |10 | ✅ Nonce
11 | ✅ State
12 | ❌ Access Token validation
13 | ❌ ID Token validation
14 | 15 | ## Introduction 16 | 17 | PayPal doesn't support modern security standards like PKCE and is lacking OIDC features like logout redirect functionality. 18 | The developer center can be confusing sometimes, make sure to use the correct users for testing and the right credentials. 19 | 20 | You have to enable the "Login with PayPal" functionality first before being able to use PayPal for login: 21 | 22 | ::contentImage{src="/content/paypal-enable_login.png" alt="Enable Login with PayPal"} 23 | :: 24 | 25 | ### Scopes 26 | 27 | By default the PayPal provider used the `openid` scope. If you need more use information, you can add standard OIDC scopes (like `profile` or `email`) or custom PayPal ones like `https://uri.paypal.com/services/paypalattributes`. 28 | Before adding additional scopes, make sure you have checked at least one of the following checkboxes. 29 | 30 | ::contentImage{src="/content/paypal-scopes.png" alt="PayPal Scopes"} 31 | :: 32 | 33 | ### Sandbox 34 | 35 | For testing, PayPal provides test accounts and endpoints that are separate from PayPals production infrastructure. 36 | 37 | ::callout{icon="i-carbon-warning-alt" color="amber"} 38 | For testing use the account with type **Personal** from **Testing Tools** -> **Sandbox Accounts**. Trying to use a business account will always fail to retrieve information from the userinfo endpoint. This is unfortunately undocumented. 39 | :: 40 | 41 | ## Provider specific parameters 42 | 43 | This providers doesn't have specific parameters. 44 | 45 | ## Example Configuration 46 | 47 | ::callout{icon="i-carbon-warning-alt" color="amber"} 48 | Never store sensitive values like your client secret in your Nuxt config. Our recommendation is to inject at least client id and client secret via. environment variables. 49 | :: 50 | 51 | ```typescript [nuxt.config.ts] 52 | paypal: { 53 | clientId: '', 54 | clientSecret: '', 55 | scope: ['openid', 'profile'], 56 | authorizationUrl: 'https://www.sandbox.paypal.com/signin/authorize?flowEntry=static', // Replace depending on sandbox or production environment 57 | tokenUrl: 'https://api-m.sandbox.paypal.com/v1/oauth2/token', // Replace depending on sandbox or production environment 58 | userInfoUrl: 'https://api-m.sandbox.paypal.com/v1/identity/openidconnect/userinfo?schema=openid', // Replace depending on sandbox or production environment 59 | redirectUri: 'http://127.0.0.1:3000/auth/paypal/callback', // PayPal doesn't support localhost for http, only 127.0.0.1 60 | }, 61 | ``` 62 | 63 | ### Environment variables 64 | 65 | Dotenv files are only for (local) development. Use a proper configuration management or injection system in production. 66 | 67 | PayPal only supports IPs for local development, so you have to set the redirectUri to 127.0.0.1 and set Nuxt to expose on that address via. the `.env` `HOST` entry. 68 | 69 | ::contentImage{src="/content/paypal-redirect.png" alt="PayPal Scopes"} 70 | :: 71 | 72 | ```ini [.env] 73 | # Only enable the HOST entry when testing PAYPAL 74 | HOST=127.0.0.1 75 | NUXT_OIDC_PROVIDERS_PAYPAL_CLIENT_ID=CLIENT_ID 76 | NUXT_OIDC_PROVIDERS_PAYPAL_CLIENT_SECRET=CLIENT_SECRET 77 | ``` -------------------------------------------------------------------------------- /src/runtime/server/handler/dev.ts: -------------------------------------------------------------------------------- 1 | import type { H3Event } from 'h3' 2 | import type { OAuthConfig, UserSession } from '../../types' 3 | import { useRuntimeConfig } from '#imports' 4 | import { deleteCookie, eventHandler, sendRedirect } from 'h3' 5 | import { SignJWT } from 'jose' 6 | import { subtle } from 'uncrypto' 7 | import { useOidcLogger } from '../utils/oidc' 8 | import { generateRandomUrlSafeString } from '../utils/security' 9 | import { setUserSession, useAuthSession } from '../utils/session' 10 | 11 | export function devEventHandler({ onSuccess }: OAuthConfig
10 | ❌ Nonce
11 | ✅ State
12 | ✅ Access Token validation
13 | ❌ ID Token validation
14 | 15 | ## Introduction 16 | 17 | ## Provider specific parameters 18 | 19 | Additional parameters to be used in `additionalAuthParameters`, `additionalTokenParameters` or `additionalLogoutParameters`: 20 | 21 | | Option | Type | Default | Description | 22 | |---|---|---|---| 23 | | connection | `string` | - | Optional. Forces the user to sign in with a specific connection. For example, you can pass a value of github to send the user directly to GitHub to log in with their GitHub account. When not specified, the user sees the Auth0 Lock screen with all configured connections. You can see a list of your configured connections on the Connections tab of your application. | 24 | | organization | `string` | - | Optional. ID of the organization to use when authenticating a user. When not provided, if your application is configured to Display Organization Prompt, the user will be able to enter the organization name when authenticating. | 25 | | invitation | `string` | - | Optional. Ticket ID of the organization invitation. When inviting a member to an Organization, your application should handle invitation acceptance by forwarding the invitation and organization key-value pairs when the user accepts the invitation. | 26 | | loginHint | `string` | - | Optional. Populates the username/email field for the login or signup page when redirecting to Auth0. Supported by the Universal Login experience. | 27 | | audience | `string` | - | Optional. The unique identifier of the API your web app wants to access. | 28 | 29 | Depending on the settings of your apps `Credentials` tab, set `authenticationScheme` to `body` for 'Client Secret (Post)', set to `header` for 'Client Secret (Basic)', set to `''` for 'None' 30 | 31 | ## Example Configuration 32 | 33 | ::callout{icon="i-carbon-warning-alt" color="amber"} 34 | Never store sensitive values like your client secret in your Nuxt config. Our recommendation is to inject at least client id and client secret via. environment variables. 35 | :: 36 | 37 | ```typescript [nuxt.config.ts] 38 | auth0: { 39 | audience: 'test-api-oidc', // In case you need access to an API registered in Auth0 40 | redirectUri: 'http://localhost:3000/auth/auth0/callback', 41 | baseUrl: '', // For example https://dev-xyz.eu.auth0.com or leave blank for environment 42 | clientId: '', // Leave blank to use environment variable 43 | clientSecret: '', // Leave blank to use environment variable 44 | scope: ['openid', 'offline_access', 'profile', 'email'], 45 | additionalTokenParameters: { // In case you need access to an API registered in Auth0 46 | audience: 'test-api-oidc', 47 | }, 48 | additionalAuthParameters: { // In case you need access to an API registered in Auth0 49 | audience: 'test-api-oidc', 50 | }, 51 | }, 52 | ``` 53 | 54 | Make sure these grants are enabled in Auth0: 55 | 56 | ::contentImage{src="/content/auth0-grants.png" alt="Auth0 grant config"} 57 | :: 58 | 59 | ### Environment variables 60 | 61 | Dotenv files are only for (local) development. Use a proper configuration management or injection system in production. 62 | 63 | ```ini [.env] 64 | NUXT_OIDC_PROVIDERS_AUTH0_CLIENT_SECRET=CLIENT_SECRET 65 | NUXT_OIDC_PROVIDERS_AUTH0_CLIENT_ID=CLIENT_ID 66 | NUXT_OIDC_PROVIDERS_AUTH0_BASE_URL=https://dev-xyz.eu.auth0.com 67 | ``` 68 | -------------------------------------------------------------------------------- /docs/app/assets/browser.svg: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /docs/app/assets/landing.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /docs/content/2.provider/6.keycloak.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: KeyCloak 3 | description: KeyCloak provider documentation 4 | icon: i-simple-icons-keycloak 5 | --- 6 | 7 | ## Feature/OIDC support 8 | 9 | ✅ PKCE
10 | ✅ Nonce
11 | ❌ State
12 | ✅ Access Token validation
13 | ❌ ID Token validation
14 | 15 | ## Introduction 16 | 17 | KeyCloak is an open-source identity and access management solution that provides features like single sign-on (SSO), social login, and user management, making it a popular choice for securing applications. This provider has tested defaults for KeyCloak to offer seamless OpenID Connect (OIDC) authentication with minimal necessary configuration. 18 | 19 | ## Example Configurations 20 | 21 | ::callout{icon="i-carbon-warning-alt" color="amber"} 22 | Never store sensitive values like your client secret in your Nuxt config. Our recommendation is to inject at least client id and client secret via. environment variables. 23 | :: 24 | 25 | ### Minimal 26 | 27 | ```typescript [nuxt.config.ts] 28 | keycloak: { 29 | audience: 'account', 30 | baseUrl: '', 31 | clientId: '', 32 | clientSecret: '', 33 | redirectUri: 'http://localhost:3000/auth/keycloak/callback', 34 | }, 35 | ``` 36 | 37 | ### Use logout url 38 | 39 | The to redirect to a specific url after logout, use the `logoutRedirectUri` configuration. 40 | You have to specifically allow a redirect uri, if you want your application to redirect to there after logout: 41 | 42 | ::contentImage{src="/content/keycloak-logoutredirect.png" alt="KeyCloak logout redirect"} 43 | :: 44 | 45 | ```typescript [nuxt.config.ts] 46 | keycloak: { 47 | audience: 'account', 48 | baseUrl: '', 49 | clientId: '', 50 | clientSecret: '', 51 | redirectUri: 'http://localhost:3000/auth/keycloak/callback', 52 | userNameClaim: 'preferred_username', 53 | logoutRedirectUri: 'http://localhost:3000', // Target of your post logout redirection 54 | }, 55 | ``` 56 | 57 | By default, the following settings are already set internally, but can be overwritten, if needed: 58 | 59 | - `logoutUrl`: `protocol/openid-connect/logout`, 60 | - `logoutRedirectParameterName`: `post_logout_redirect_uri`, 61 | 62 | ::callout{icon="i-carbon-warning-alt" color="amber"} 63 | If you want to use the post logout redirect feature, you should not set `exposeIdToken` to `false`, because the ID token is required to hand over to the post logout redirect url. 64 | :: 65 | 66 | ### Environment variables 67 | 68 | Dotenv files are only for (local) development. Use a proper configuration management or injection system in production. 69 | 70 | ```ini [.env] 71 | NUXT_OIDC_PROVIDERS_KEYCLOAK_CLIENT_SECRET=CLIENT_SECRET 72 | NUXT_OIDC_PROVIDERS_KEYCLOAK_CLIENT_ID=CLIENT_ID 73 | NUXT_OIDC_PROVIDERS_KEYCLOAK_BASE_URL=http://localhost:8080/realms/nuxt-oidc-test # For local keycloak instance 74 | ``` 75 | 76 | ## Provider specific parameters 77 | 78 | Additional parameters to be used in additionalAuthParameters, additionalTokenParameters or additionalLogoutParameters: 79 | 80 | | Option | Type | Default | Description | 81 | |---|---|---|---| 82 | | realm | `string` | - | Optional. This parameter allows to slightly customize the login flow on the KeyCloak server side. For example, enforce displaying the login screen in case of value login. | 83 | | realm | `string` | - | Optional. Used to pre-fill the username/email field on the login form. | 84 | | realm | `string` | - | Optional. Used to tell KeyCloak to skip showing the login page and automatically redirect to the specified identity provider instead. | 85 | | realm | `string` | - | Optional. Sets the 'ui_locales' query param. | 86 | 87 | For more information on these parameters, check the [KeyCloak documentation](https://www.keycloak.org/docs/latest/securing_apps/#methods). 88 | 89 | For KeyCloak you have to provide at least the `baseUrl`, `clientId` and `clientSecret` properties. The `baseUrl` is used to dynamically create the `authorizationUrl`, `tokenUrl`, `logoutUrl` and `userInfoUrl`. 90 | Please include the realm you want to use in the `baseUrl` (e.g. `https://
49 |
53 |
54 |
105 |
106 |
110 |
111 |
117 |
118 |
119 |
120 |
--------------------------------------------------------------------------------
/docs/content/1.getting-started/3.security.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Security
3 | description: Security is a main priority
4 | ---
5 |
6 | ## Background
7 |
8 | In this library, we’ve chosen to implement OAuth and OpenID flows from the ground up to provide flexibility and meet specific requirements and to be flexible. Not only has every OIDC providr it's own needs, but we also want to stay as close to the standards defined by [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html) and [OAuth 2.0](https://datatracker.ietf.org/doc/html/rfc6749) specifications.
9 |
10 | However, we strictly avoided writing our own cryptographic functions, instead relying on the well-tested libraries [jose](https://github.com/panva/jose) for token validation and [noble-ciphers](https://github.com/paulmillr/noble-ciphers) for cryptographic operations. Both of which are 0-dependency libraries.
11 |
12 | This approach ensures that while we retain control over the authentication flows, we benefit from the security guarantees provided by audited and widely trusted cryptographic implementations, which are essential to avoid vulnerabilities and security flaws.
13 |
14 | ## OAuth 2.0
15 |
16 | This module only implements the `Authorization Code Flow` and optionally the `Hybrid Flow` in a confidential client scenario as detailed in the [OpenID Connect specification](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth).
17 | We will not support the `Implicit Flow` in the future, as it should not be used anymore and was practically superseded by the `Authorization Code Flow`.
18 | We will also not support the `Client Credential Flow`, as it is not part of OIDC, but of OAuth2 and is correctly named `Client Credentials Grant`. It is basically just an exchange of credentials for a token, is not meant for user authentication and can easily be implemented using a simple `fetch` request.
19 |
20 | ## Nuxt
21 |
22 | This module only works with SSR (server-side rendering) enabled as it uses server API routes. You cannot use this module with `nuxt generate` or `ssr` turned off. We are currently investigating if and how to support prerendering.
23 |
24 | ## Session encryption
25 |
26 | We store sensitive data, especially the refresh_token, access_token and id_token in an encrypted persistent session object. This library uses the [Nitro storage layer](https://nitro.unjs.io/guide/storage) to interact with data and uses the `oidc` namespace.
27 | Here is an example configuration. You can also replace the storage by any supported Nitro storage providers like redis, just keep in mind that the underlying storage has impact on the authentication process duration depending on its latency.
28 |
29 | ```typescript [nuxt.config.ts]
30 | nitro: {
31 | preset: 'node-server',
32 | storage: { // Use local file system storage for dev quick setup
33 | oidc: {
34 | driver: 'fs',
35 | base: 'oidcstorage',
36 | },
37 | },
38 | },
39 | ```
40 |
41 | ### Configure secrets
42 |
43 | Nuxt OIDC Auth uses three different secrets to encrypt the user session, the individual auth sessions and the persistent server side token store. You can set them using environment variables or in the `.env` file.
44 | All of the secrets are auto generated if not set, but should be set manually in production. This is especially important for the session storage, as it won't be accessible anymore if the secret changes, for example, after a server restart.
45 |
46 | If you need a reference how you could generate random secrets or keys, we created an example as a starting point: [Secrets generation example](https://stackblitz.com/edit/nuxt-oidc-auth-keygen?file=index.js)
47 |
48 | - NUXT_OIDC_TOKEN_KEY (random key): This needs to be a random cryptographic AES key in base64. Used to encrypt the server side token store. You can generate a key in JS with `await subtle.exportKey('raw', await subtle.generateKey({ name: 'AES-GCM', length: 256, }, true, ['encrypt', 'decrypt']))`. You just have to encode it to base64 afterwards.
49 | - NUXT_OIDC_SESSION_SECRET (random string): This should be a at least 48 characters random string. It is used to encrypt the user session.
50 | - NUXT_OIDC_AUTH_SESSION_SECRET (random string): This should be a at least 48 characters random string. It is used to encrypt the individual sessions during OAuth flows.
51 |
52 | Add a `NUXT_OIDC_SESSION_SECRET` env variable with at least 48 characters in the `.env` file.
53 |
54 | ```ini
55 | # .env
56 | NUXT_OIDC_TOKEN_KEY=base64_encoded_key
57 | NUXT_OIDC_SESSION_SECRET=48_characters_random_string
58 | NUXT_OIDC_AUTH_SESSION_SECRET=48_characters_random_string
59 | ```
60 |
61 | ## Token validation
62 |
63 | ID and access token validation involves verifying the integrity and claims of the ID token (usually a JWT) to authenticate the user, and validating the access token by checking its signature, expiration, issuer, and audience to ensure it grants appropriate permissions for resource access. This is critical to prevent token tampering, misuse, and unauthorized access to protected APIs or services.
64 |
65 | We use the well known and tested jose library for token validation.
66 | Tokens will only be validated if the `clientId` or the optional audience (`aud`) field is part of the access_token (or id_token if existent) audiences.
67 |
68 | ::callout{icon="i-carbon-warning-alt" color="amber"}
69 | Even if `validateAccessToken` or `validateIdToken` is set, but the audience doesn't match, the token should not and will not be validated.
70 | ::
71 |
72 | Some providers like Entra or Zitadel don't or just in certain cases provide a parsable JWT access token. Validation will fail for these and should be disable, even if the audience is set.
73 |
--------------------------------------------------------------------------------
/docs/content/2.provider/8.microsoft.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Microsoft
3 | description: Microsoft provider documentation
4 | icon: i-simple-icons-microsoft
5 | ---
6 |
7 | ## Feature/OIDC support
8 |
9 | ✅ PKCE
55 | Nuxt OIDC
Auth 56 |
57 |
58 |
59 |
60 | Auth 56 |
61 | Nuxt OIDC Auth provides seamless OpenID Connect compatible authentication for your SSR Nuxt Apps.
62 | It supports
63 |
80 |
81 |
99 |
104 |
82 |
89 |
90 |
83 | 
84 | 
85 |
86 |
87 |
88 |
84 |
85 |
86 |
91 |
97 |
98 |
92 |
93 |
94 |
95 |
96 |
93 |
94 |
95 | 10 | ✅ Nonce
11 | ✅ State
12 | ❌ Access Token validation
13 | ✅ ID Token validation
14 | 15 | ## Introduction 16 | 17 | This is the simplified Microsoft provider for social login with a Microsoft Account (MSA). You need access to the Azure portal (portal.azure.com) to configure an app registration and get the required properties. 18 | Learn how to creat an app registration [here](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=client-secret). 19 | Be sure that you select one of the bottom two options if you want persoanl Microsoft accounts to be able to login to your application: 20 | 21 | ::contentImage{src="/content/microsoft-accounttype.png" alt="Microsoft account types"} 22 | :: 23 | 24 | Choose 'Web' as the target platform under `Manage` -> `Authentication` -> `Platform configurations` 25 | 26 | ::contentImage{src="/content/microsoft-platform.png" alt="Microsoft Platform configurations"} 27 | :: 28 | 29 | This provider uses the predefined userInfo url `https://graph.microsoft.com/v1.0/me` to get user information for an account. 30 | 31 | ## Example Configurations 32 | 33 | ::callout{icon="i-carbon-warning-alt" color="amber"} 34 | Never store sensitive values like your client secret in your Nuxt config. Our recommendation is to inject at least client id and client secret via. environment variables. 35 | :: 36 | 37 | ### Minimal 38 | 39 | ```typescript [nuxt.config.ts] 40 | entra: { 41 | redirectUri: 'http://localhost:3000/auth/microsoft/callback', 42 | clientId: '', 43 | clientSecret: '', 44 | }, 45 | ``` 46 | 47 | ### Get user information 48 | 49 | You can also add the `profile` or another OIDC common scope. `User.Read` as a delegated permission is configured by default in **API permissons**. 50 | 51 | ```typescript [nuxt.config.ts] 52 | entra: { 53 | redirectUri: 'http://localhost:3000/auth/microsoft/callback', 54 | clientId: '', 55 | clientSecret: '', 56 | responseType: 'code', 57 | scope: ['openid', 'User.Read'], 58 | }, 59 | ``` 60 | 61 | ### Get additonal user information with ID token 62 | 63 | To be able to use the ID token, make sure you have set the checkbox at **Manage** -> **Authentication** -> **Implicit grant and hybrid flows** -> `ID tokens (used for implicit and hybrid flows)`. 64 | To add additional claims you want to use, configure them on your app registration under **Manage** -> **Token configuration** and add them by using the `optionalClaims: ['name', 'preferred_username'],` parameter. 65 | The default setting is `optionalClaims: ['name', 'preferred_username'],`. 66 | 67 | ```typescript [nuxt.config.ts] 68 | entra: { 69 | redirectUri: 'http://localhost:3000/auth/microsoft/callback', 70 | clientId: '', 71 | clientSecret: '', 72 | responseType: 'code id_token', 73 | scope: ['openid', 'User.Read'], 74 | }, 75 | ``` 76 | 77 | ### Offline access/refresh token 78 | 79 | In order to get a refresh token, you need to add the "Microsoft Graph" delegated permission `offline_access` and add it to the scopes. 80 | **Manage** -> **API permissions** -> `Add a permission` 81 | 82 | ::contentImage{src="/content/microsoft-scopes.png" alt="Microsoft account types"} 83 | :: 84 | 85 | ```typescript [nuxt.config.ts] 86 | entra: { 87 | redirectUri: 'http://localhost:3000/auth/microsoft/callback', 88 | clientId: '', 89 | clientSecret: '', 90 | responseType: 'code id_token', 91 | scope: ['openid', 'User.Read', 'offline_access'], 92 | }, 93 | ``` 94 | 95 | ### Environment variables 96 | 97 | Dotenv files are only for (local) development. Use a proper configuration management or injection system in production. 98 | 99 | ```ini [.env] 100 | NUXT_OIDC_PROVIDERS_MICROSOFT_CLIENT_SECRET=CLIENT_SECRET 101 | NUXT_OIDC_PROVIDERS_MICROSOFT_CLIENT_ID=CLIENT_ID 102 | ``` 103 | 104 | ## Provider specific parameters 105 | 106 | | Option | Type | Default | Description | 107 | |---|---|---|---| 108 | | tenantId | `string` | - | Required. The tenant id is used to automatically configure the correct endpoint urls for the Microsoft provider to work. | 109 | | prompt | `string` | 'login' | Optional. Indicates the type of user interaction that is required. Valid values are `login`, `none`, `consent`, and `select_account`. Can be used in `additionalAuthParameters`, `additionalTokenParameters` or `additionalLogoutParameters`. | 110 | | loginHint | `string` | - | Optional. You can use this parameter to pre-fill the username and email address field of the sign-in page for the user. Apps can use this parameter during reauthentication, after already extracting the login_hint optional claim from an earlier sign-in. Can be used in `additionalAuthParameters`, `additionalTokenParameters` or `additionalLogoutParameters`. | 111 | | logoutHint | `string` | - | Optional. Enables sign-out to occur without prompting the user to select an account. To use logout_hint, enable the login_hint optional claim in your client application and use the value of the login_hint optional claim as the logout_hint parameter. Can be used in `additionalAuthParameters`, `additionalTokenParameters` or `additionalLogoutParameters`. | 112 | | domainHint | `string` | - | Optional. If included, the app skips the email-based discovery process that user goes through on the sign-in page, leading to a slightly more streamlined user experience. Can be used in `additionalAuthParameters`, `additionalTokenParameters` or `additionalLogoutParameters`. | 113 | -------------------------------------------------------------------------------- /playground/nuxt.config.ts: -------------------------------------------------------------------------------- 1 | import { defineNuxtConfig } from 'nuxt/config' 2 | 3 | export default defineNuxtConfig({ 4 | modules: [ 5 | '../src/module', 6 | '@unocss/nuxt', 7 | '@nuxtjs/color-mode', 8 | ], 9 | 10 | telemetry: false, 11 | 12 | oidc: { 13 | defaultProvider: 'github', 14 | providers: { 15 | entra: { 16 | redirectUri: 'http://localhost:3000/auth/entra/callback', 17 | clientId: '', 18 | clientSecret: '', 19 | authorizationUrl: 'https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize', 20 | tokenUrl: 'https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token', 21 | userNameClaim: 'unique_name', 22 | nonce: true, 23 | responseType: 'code id_token', 24 | scope: ['profile', 'openid', 'offline_access', 'email'], 25 | logoutUrl: '', 26 | optionalClaims: ['unique_name', 'family_name', 'given_name', 'login_hint'], 27 | audience: '', 28 | additionalAuthParameters: { 29 | resource: '', 30 | prompt: 'select_account', 31 | }, 32 | additionalLogoutParameters: { 33 | logoutHint: '', 34 | }, 35 | allowedCallbackRedirectUrls: [ 36 | 'http://localhost:4000/auth/entra/callback', 37 | ], 38 | allowedClientAuthParameters: [ 39 | 'test', 40 | ], 41 | validateAccessToken: true, 42 | }, 43 | auth0: { 44 | audience: 'test-api-oidc', 45 | responseType: 'code', 46 | redirectUri: 'http://localhost:3000/auth/auth0/callback', 47 | baseUrl: '', 48 | clientId: '', 49 | clientSecret: '', 50 | scope: ['openid', 'offline_access', 'profile', 'email'], 51 | additionalTokenParameters: { 52 | audience: 'test-api-oidc', 53 | }, 54 | additionalAuthParameters: { 55 | audience: 'test-api-oidc', 56 | }, 57 | }, 58 | github: { 59 | redirectUri: 'http://localhost:3000/auth/github/callback', 60 | clientId: '', 61 | clientSecret: '', 62 | filterUserInfo: ['login', 'id', 'avatar_url', 'name', 'email'], 63 | }, 64 | keycloak: { 65 | audience: 'account', 66 | baseUrl: '', 67 | clientId: '', 68 | clientSecret: '', 69 | redirectUri: 'http://localhost:3000/auth/keycloak/callback', 70 | userNameClaim: 'preferred_username', 71 | logoutRedirectUri: 'http://localhost:3000', 72 | // For testing Single sign-out 73 | sessionConfiguration: { 74 | singleSignOut: true, 75 | }, 76 | }, 77 | cognito: { 78 | clientId: '', 79 | redirectUri: 'http://localhost:3000/auth/cognito/callback', 80 | clientSecret: '', 81 | scope: ['openid', 'email', 'profile'], 82 | logoutRedirectUri: 'https://google.com', 83 | baseUrl: '', 84 | exposeIdToken: true, 85 | }, 86 | zitadel: { 87 | clientId: '', 88 | clientSecret: '', // Works with PKCE and Code flow, just leave empty for PKCE 89 | redirectUri: 'http://localhost:3000/auth/zitadel/callback', 90 | baseUrl: '', 91 | audience: '', // Specify for id token validation, normally same as clientId 92 | logoutRedirectUri: 'https://google.com', // Needs to be registered in Zitadel portal 93 | authenticationScheme: 'none', // Set this to 'header' if Code is used instead of PKCE 94 | }, 95 | paypal: { 96 | clientId: '', 97 | clientSecret: '', 98 | scope: ['openid', 'profile'], 99 | authorizationUrl: 'https://www.sandbox.paypal.com/signin/authorize?flowEntry=static', 100 | tokenUrl: 'https://api-m.sandbox.paypal.com/v1/oauth2/token', 101 | userInfoUrl: 'https://api-m.sandbox.paypal.com/v1/identity/openidconnect/userinfo?schema=openid', 102 | redirectUri: 'http://127.0.0.1:3000/auth/paypal/callback', 103 | }, 104 | microsoft: { 105 | clientId: '', 106 | clientSecret: '', 107 | redirectUri: 'http://localhost:3000/auth/microsoft/callback', 108 | }, 109 | logto: { 110 | baseUrl: '', 111 | clientId: '', 112 | clientSecret: '', 113 | redirectUri: 'http://localhost:3000/auth/logto/callback', 114 | logoutRedirectUri: 'http://localhost:3000', 115 | }, 116 | }, 117 | session: { 118 | expirationCheck: true, 119 | automaticRefresh: true, 120 | expirationThreshold: 3600, 121 | }, 122 | middleware: { 123 | globalMiddlewareEnabled: true, 124 | customLoginPage: true, 125 | }, 126 | devMode: { 127 | enabled: false, 128 | generateAccessToken: true, 129 | userName: 'Test User', 130 | userInfo: { providerName: 'test' }, 131 | claims: { customclaim01: 'foo', customclaim02: 'bar' }, 132 | issuer: 'dev-issuer', 133 | audience: 'dev-app', 134 | subject: 'dev-user', 135 | }, 136 | }, 137 | 138 | colorMode: { 139 | classSuffix: '', 140 | preference: 'dark', 141 | }, 142 | 143 | unocss: { 144 | preflight: true, 145 | configFile: 'uno.config.ts', 146 | }, 147 | 148 | devtools: { 149 | enabled: true, 150 | }, 151 | 152 | imports: { 153 | autoImport: true, 154 | }, 155 | 156 | nitro: { 157 | preset: 'node-server', 158 | storage: { // Local file system storage for demo purposes 159 | oidc: { 160 | driver: 'fs', 161 | base: 'playground/oidcstorage', 162 | }, 163 | }, 164 | }, 165 | 166 | compatibilityDate: '2024-08-28', 167 | }) 168 | -------------------------------------------------------------------------------- /src/runtime/server/utils/oidc.ts: -------------------------------------------------------------------------------- 1 | import type { H3Event } from 'h3' 2 | import type { RefreshTokenRequest, TokenRequest, TokenRespose, UserSession } from '../../types' 3 | import { createConsola } from 'consola' 4 | import { createDefu } from 'defu' 5 | import { sendRedirect } from 'h3' 6 | import { snakeCase } from 'scule' 7 | import { normalizeURL } from 'ufo' 8 | import { textToBase64 } from 'undio' 9 | import { createProviderFetch, type OidcProviderConfig } from './provider' 10 | import { parseJwtToken } from './security' 11 | import { clearUserSession } from './session' 12 | 13 | export function useOidcLogger() { 14 | return createConsola().withDefaults({ tag: 'nuxt-oidc-auth', message: '[nuxt-oidc-auth]:' }) 15 | } 16 | 17 | // Custom defu config merger to replace default values instead of merging them, except for requiredProperties 18 | export const configMerger = createDefu((obj, key, value) => { 19 | if (Array.isArray(obj[key]) && Array.isArray(value)) { 20 | obj[key] = key === 'requiredProperties' ? Array.from(new Set(obj[key].concat(value))) : value as any 21 | return true 22 | } 23 | }) 24 | 25 | export async function refreshAccessToken(refreshToken: string, config: OidcProviderConfig) { 26 | const logger = useOidcLogger() 27 | const customFetch = await createProviderFetch(config) 28 | // Construct request header object 29 | const headers: HeadersInit = {} 30 | 31 | // Validate if authentication information should be send in header or body 32 | if (config.authenticationScheme === 'header') { 33 | const encodedCredentials = textToBase64(`${config.clientId}:${config.clientSecret}`, { dataURL: false }) 34 | headers.authorization = `Basic ${encodedCredentials}` 35 | } 36 | 37 | // Construct form data for refresh token request 38 | const requestBody: RefreshTokenRequest = { 39 | client_id: config.clientId, 40 | refresh_token: refreshToken, 41 | grant_type: 'refresh_token', 42 | ...(config.scopeInTokenRequest && config.scope) && { scope: config.excludeOfflineScopeFromTokenRequest ? config.scope.filter(s => s !== 'offline_access').join(' ') : config.scope.join(' ') }, 43 | ...(config.authenticationScheme === 'body') && { client_secret: normalizeURL(config.clientSecret) }, 44 | } 45 | // Make refresh token request 46 | let tokenResponse: TokenRespose 47 | try { 48 | tokenResponse = await customFetch( 49 | config.tokenUrl, 50 | { 51 | method: 'POST', 52 | headers, 53 | body: convertTokenRequestToType(requestBody, config.tokenRequestType), 54 | }, 55 | ) 56 | } 57 | catch (error: any) { 58 | throw new Error(error?.data ? `${error.data.error}: ${error.data.error_description}` : error) 59 | } 60 | 61 | // Construct tokens object 62 | const tokens: Record<'refreshToken' | 'accessToken' | 'idToken', string> = { 63 | refreshToken: tokenResponse.refresh_token || refreshToken, 64 | accessToken: tokenResponse.access_token, 65 | idToken: tokenResponse.id_token || '', 66 | } 67 | 68 | const accessToken = parseJwtToken(tokenResponse.access_token, !!config.skipAccessTokenParsing) 69 | 70 | // Construct user object 71 | const user: Omit