spa

spa

An example OIDC SPA (single page application) that supports both the authorization code (with optional PKCE) and implicit OIDC flows.

Running the example app

go build

Without any flags, the app will use the authorization code flow.

./spa

With the -pkce flag, the app will use the authorization code with PKCE flow.

./spa -pkce

With the -implicit flag, the app will use the implicit flow.

./spa -implicit

With the -max-age flag, the cli will require an authentication not older than the max-age specified in seconds.

./cli -max-age <seconds>

Require environment variables

• OIDC_CLIENT_ID: Your Relying Party client id.
• OIDC_CLIENT_SECRET: Your Rely Party secret (this is not required for implicit flows or authorization code with PKCE flows)
• OIDC_ISSUER: The OIDC issuer identifier (aka the discover URL)
• OIDC_PORT: The port you'd like to use for your callback HTTP listener.

OIDC Provider

You must configure your provider's allowed callbacks to include: http://localhost:{OIDC_PORT}/callback (where OIDC_PORT equals whatever you've set the OIDC_PORT environment variable equal to).

For example, if you set OIDC_PORT equal to 3000 the you must configure your provider to allow callbacks to: http://localhost:3000/callback

OIDC Provider PKCE support.

Many providers require you to explicitly enable the authorization code with PKCE. Auth0 for example requires you to set your application type as: Native or Single Page Application if you wish to use PKCE.