GenAuth - Node.js SDK OIDC module

OpenID Connect, referred to as OIDC, is an extension of OAuth 2.0, which mainly adds semantic user information fields.

Generate the user login link for the OIDC protocol. Users open this link to reach GenAuth's online login page.

js
AuthenticationClient().buildAuthorizeUrl(options);

Parameters

  • options <object> Parameters to be filled in when initiating authorization login. For details, see Using OIDC Authorization Code Mode.
  • options.scope <string> Requested permission items, optional, the default value for OIDC protocol is openid profile email phone address, and the default value for OAuth 2.0 protocol is user.
  • options.nonce <string> Random string, optional, automatically generated by default.
  • options.state <string> Random string, optional, automatically generated by default.
  • options.responseMode <string> Response mode, optional; allowed values are query, fragment, form_post. The default value is query, which means sending the code to the callback address through browser redirection.
  • options.responseType <string> Response type, optional; allowed values are code, code id_token token, code id_token, code token, id_token token, id_token, none. The default is code, authorization code mode.
  • options.redirectUri <string> Callback address, required, default is the redirectUri parameter when the SDK is initialized.
  • options.codeChallenge <string> A string with a length greater than or equal to 43, sent to GenAuth as code_challenge.
  • options.codeChallengeMethod <string> Can be plain or S256, indicating the digest algorithm used when calculating code_challenge, plain means no algorithm is used, S256 means code_challenge is calculated using SHA256.

Example

javascript
// Concatenate OIDC authorization links
const authenticationClient = new AuthenticationClient({
  appId: "Application ID",
  appHost: "https://{YOUR_DOMAIN}.genauth.ai",
  redirectUri: "Business callback address",
});
let url = authenticationClient.buildAuthorizeUrl({
  scope: "openid profile offline_access",
});

// PKCE scenario usage example
// Generate a code_verifier (keep this original value: it is passed later as
// options.codeVerifier to getAccessTokenByCode)
let codeChallenge = authenticationClient.generateCodeChallenge();
// Calculate the SHA256 digest of code_verifier
let codeChallengeDigest = authenticationClient.getCodeChallengeDigest({
  codeChallenge,
  method: "S256",
});
// Construct OIDC authorization code + PKCE mode login URL
let url2 = authenticationClient.buildAuthorizeUrl({
  codeChallenge: codeChallengeDigest,
  codeChallengeMethod: "S256",
});

Sample data

http
https://oidc1.genauth.ai/oidc/auth?nonce=5485323897342262&state=7400704296715694&scope=openid+profile+offline_access&client_id=5f17a529f64fb009b794a2ff&response_mode=query&redirect_uri=https%3A%2F%2Fbaidu.com&response_type=code&prompt=consent

Code for Token

Use the authorization code to obtain the user's token information.

js
AuthenticationClient().getAccessTokenByCode(code, options);

Parameters

  • code <string> Authorization code. After the user successfully authenticates, GenAuth sends the authorization code to the callback address. For details, please see Use OIDC Authorization Code Mode. Each code can only be used once.

  • options <object> This parameter needs to be filled in when initiating PKCE authorization login. For details, please see Use OIDC Authorization Code + PKCE Mode.

  • options.codeVerifier <string> The original value of the verification code, not the digest value.

Example

javascript
const authenticationClient = new AuthenticationClient({
  appId: "Application ID",
  secret: "Application key",
  appHost: "https://{YOUR_DOMAIN}.genauth.ai",
  redirectUri: "Business callback address",
});
let res = await authenticationClient.getAccessTokenByCode(
  "Authorization code code"
);
let res2 = await authenticationClient.getAccessTokenByCode(
  "Authorization code code",
  {
    codeVerifier: "code_challenge original value",
  }
);

Example data

json
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlRmTE90M0xibjhfYThwUk11ZXNzYW1xai1vM0RCQ3MxLW 93SExRLVZNcVEifQ.eyJqdGkiOiJsdzg0NW5zdGcwS3EtMTlodVpQOHYiLCJzdWIiOiI1ZmY3MDFkODQ2YjkyMDNlMm Y2YWM2ZjMiLCJpYXQiOjE2MTU4ODM1ODYsImV4cCI6MTYxNTg4NzE4Niwic2NvcGUiOiJlbWFpbCBvcGVuaWQgcHJvZ mlsZSBwaG9uZSIsImlzcyI6Imh0dHBzOi8vb2lkYzEuYXV0aGluZy5jbi9vaWRjIiwiYXVkIjoiNWYxN2E1MjlmNjRm YjAwOWI3OTRhMmZmIn0.VvYKBcWcr8iIi1b37ugWQ9hsvog4_7EqDQyFqwhIuvM0NHlHH3Bhw83EQIKSNfbWV4nv3ih feNGPLMzslbQr-wwjnWZTLMYl1bcn7IdVtD_kTN3Zz10MwF5td-VQ7UndU28wJ0HE1mo6E8QH93kYGckS5FSZXmCBa0 M5H59Jec_a1MHI1MZrr_V9cZ9EfeF97V-PcqU8JVAwDZclCJ3mWY_Mb65RnMR9yEVqUZzJStmaXGMuRIzjkm2pklqt0 CtQQJfzECXq_4USpwRXDiYLWILYPUCcO6hGxDjhMEd8IcxdG51TQP-w1UM6LyIRn61uSJvDsz8zg5dStDKyocypiA",
  "expires_in": 3600,
  "id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6InRlc3QzQDEyMy5jb20iLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInN1YiI6IjVmZj cwMWQ4NDZiOTIwM2UyZjZhYzZmMyIsImJpcnRoZGF0ZSI6bnVsbCwiZmFtaWx5X25hbWUiOm51bGwsImdlbmRlciI6IlUiLCJnaXZlbl9uYW1lIjpudWx sLCJsb2NhbGUiOm51bGwsIm1pZGRsZV9uYW1lIjpudWxsLCJuYW1lIjpudWxsLCJuaWNrbmFtZSI6bnVsbCwicGljdHVyZSI6Imh0dHBzOi8vZmlsZXM uYXV0aGluZy5jby9hdXRoaW5nLWNvbnNvbGUvZGVmYXVsdC11c2VyLWF2YXRhci5wbmciLCJwcmVmZXJyZWRfdXNlcm5hbWUiOm51bGwsInByb2ZpbGUi Om51bGwsInVwZGF0ZWRfYXQiOiIyMDIxLTAzLTE1VDA1OjU0OjU0LjY4NVoiLCJ3ZWJzaXRlIjpudWxsLCJ6b25laW5mbyI6bnVsbCwicGhvbmVfbnVt YmVyIjpudWxsLCJwaG9uZV9udW1iZXJfdmVyaWZpZWQiOmZhbHNlLCJub25jZSI6IjcwVEU3eW9NVFEiLCJhdF9oYXNoIjoiUFNnOGw5eDRldGxmLXA4U DdjYnVoQSIsImlzcyI6Imh0dHBzOi8vb2lkYzEuYXV0aGluZy5jbi9vaWRjIiwiaXNzMiI6Imh0dHBzOi8vYmFpZHUuY29tIiwiYXVkIjoiNWYxN2E1M jlmNjRmYjAwOWI3OTRhMmZmIiwiZXhwIjoxNjE1ODg3MTg3LCJpYXQiOjE2MTU4ODM1ODh9.OlX-FP7znIEqx0YpnOQ8kxadMe1toHDj1KPVm0dbEVc",
  "scope": "email openid profile phone",
  "token_type": "Bearer"
}

Field explanation:

| Field name | Meaning |
| --- | --- |
| token_type | Token type, fixed value Bearer |
| scope | Authorization scope, authorized user permission items |
| id_token | ID token, issued by GenAuth |
| expires_in | Access token expiration time |
| access_token | Access token, issued by GenAuth |

Token exchange for user information

Use Access token to obtain user information.

js
AuthenticationClient().getUserInfoByAccessToken("access_token");

Parameters

Example

javascript
const authenticationClient = new AuthenticationClient({
  appId: "Application ID",
  secret: "Application key",
  appHost: "https://{YOUR_DOMAIN}.genauth.ai",
  redirectUri: "Business callback address",
});
let res = await authenticationClient.getUserInfoByAccessToken("Access token");

Example data

json
{
  "address": {
    "country": null,
    "postal_code": null,
    "region": null,
    "formatted": null
  },
  "birthdate": null,
  "family_name": null,
  "gender": "U",
  "given_name": null,
  "locale": null,
  "middle_name": null,
  "name": null,
  "nickname": null,
  "picture": "https://files.authing.co/authing-console/default-user-avatar.png",
  "preferred_username": null,
  "profile": null,
  "updated_at": "2021-03-03T06:17:14.485Z",
  "website": null,
  "zoneinfo": null,
  "email": "test1@genauth.ai",
  "email_verified": false,
  "sub": "603f184cec4505e2868431fc", // Abbreviation of subject, user ID
  "phone_number": null,
  "phone_number_verified": false
}

Field explanation:

| Field name | Translation |
| --- | --- |
| sub | Abbreviation of subject, unique identifier, usually user ID |
| name | Name |
| given_name | Given name |
| family_name | Family name |
| middle_name | Middle name |
| nickname | Nickname |
| preferred_username | Name you want to be called |
| profile | Basic information |
| picture | Avatar |
| website | Website link |
| email | Email address |
| email_verified | Whether the email address is verified |
| gender | Gender |
| birthdate | Birthday |
| zoneinfo | Time zone |
| locale | Region |
| phone_number | Mobile number |
| phone_number_verified | Whether the mobile number is verified |
| address | Address object |
| address.formatted | Detailed address |
| address.street_address | Street address |
| address.locality | City |
| address.region | Province |
| address.postal_code | Postal code |
| address.country | Country |
| updated_at | Information update time |

Refresh Access Token

Use the Refresh token to get a new Access token.

js
AuthenticationClient().getNewAccessTokenByRefreshToken(refreshToken);

Parameters

  • refreshToken <string> Refresh token, which can be obtained from the refresh_token in the return value of the AuthenticationClient.getAccessTokenByCode method. For details, see Refresh Access token.

Example

javascript
const authenticationClient = new AuthenticationClient({
  appId: "Application ID",
  secret: "Application key",
  appHost: "https://{YOUR_DOMAIN}.genauth.ai",
  redirectUri: "Business callback address",
});
let res = await authenticationClient.getNewAccessTokenByRefreshToken(
  "Refresh token"
);

Sample data

json
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlRmTE90M0xibjhfYThwUk11ZXNzYW1xai1vM0RCQ3MxLW 93SExRLVZNcVEifQ.eyJqdGkiOiJZUHB4NUVEWGlQWVJvNUFQWXAzci0iLCJzdWIiOiI1ZmY3MDFkODQ2YjkyMDNlMmY 2YWM2ZjMiLCJpYXQiOjE2MTQwOTE0OTksImV4cCI6MTYxNDA5NTA5OSwic2NvcGUiOiJvZmZsaW5lX2FjY2VzcyBwcm 9maWxlIG9wZW5pZCIsImlzcyI6Imh0dHBzOi8vb2lkYzEuYXV0aGluZy5jbi9vaWRjIiwiYXVkIjoiNWYxN2E1MjlmNj RmYjAwOWI3OTRhMmZmIn0.ZN_SlfVg1oNMz7uAK-5K84dqqqmlZehmAPOLytOR9HnLHImKJ9VO5u1hRsAjGCob0kMUV 5wVxQhX3EFks7FtMamiX2Jvn-NYh4V_5T6l3LFf4uoKF6AykAg483nG3EEENuGgQo15bBszsoCGqFnNmUd0T4Cgxx0zb xXPxMdp_dcE14KzmNz1w-Qg3yVeYmSTZFdcLtZA2BYnVEa7LYA2yA3DgawwAcRmrlyEfnvCO3uY2TcsTKEAfQ-QgVIG RWOfyUE5f-_X3TolliO1fXnwZBdxEKMXLGW5E2bPVcePyiV0upYbUnQ079UxBlEiWlgeW_rpkTPXDxHAgiE488gtlg",
  "expires_in": 3600,
  "id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiI1ZmY3MDFkODQ2YjkyMDNlMmY2YWM2ZjMiLCJiaXJ0aGRhdG UiOm51bGwsImZhbWlseV9uYW1lIjpudWxsLCJnZW5kZXIiOiJVIiwiZ2l2ZW5fbmFtZSI6bnVsbCwibG9jYWxlIjpudWxsLCJ taWRkbGVfbmFtZSI6bnVsbCwibmFtZSI6bnVsbCwibmlja25hbWUiOm51bGwsInBpY3R1cmUiOiJodHRwczovL2ZpbGVzLmF1 dGhpbmcuY28vYXV0aGluZy1jb25zb2xlL2RlZmF1bHQtdXNlci1hdmF0YXIucG5nIiwicHJlZmVycmVkX3VzZXJuYW1lIjpudWxsLCJwcm9maWxlIjpudWxsLCJ1cGRhdGVkX2F0IjoiMjAyMS0wMi0yM1QxNDo0NDoxOC4wODVaIiwid2Vic2l0ZSI6bn VsbCwiem9uZWluZm8iOm51bGwsImF0X2hhc2giOiIxaWRJSUxaWExpZkRscXJMY3ZNeV9BIiwiS0VZIjoiVkFMVUUiLCJ hdWQiOiI1ZjE3YTUyOWY2NGZiMDA5Yjc5NGEyZmYiLCJleHAiOjE2MTQwOTUwOTgsImlhdCI6MTYxNDA5MTQ5OSwiaXN zIjoiaHR0cHM6Ly9vaWRjMS5hdXRoaW5nLmNuL29pZGMifQ._H59237sqpsY0OgyY_RM7CvuG6cFo1x03y-DBhd5hik",
  "refresh_token": "3T49f4Y48szoMmwBXragjqLwQZC4QhgnsM5Oy2WfmU-",
  "scope": "openid offline_access profile",
  "token_type": "Bearer"
}

Check the status of the Access Token or Refresh token

Check the status of the Access token or Refresh token.

js
AuthenticationClient().introspectToken(token);

Parameters

  • token <string> Access token or Refresh token, which can be obtained from access_token or refresh_token in the return value of the AuthenticationClient.getAccessTokenByCode method.

Example

javascript
const authenticationClient = new AuthenticationClient({
  appId: "Application ID",
  secret: "Application key",
  appHost: "https://{YOUR_DOMAIN}.genauth.ai",
  redirectUri: "Business callback address",
});
let res = await authenticationClient.introspectToken(
  "Access token or Refresh token"
);

Sample data

When the token is valid, it returns:

json
{
  "active": true,
  "sub": "60097f4d5bc08f75da104d18", // abbreviation of subject, which is the user ID
  "client_id": "60097391b1358c17c5fb0f4e",
  "exp": 1612445888,
  "iat": 1611236288,
  "iss": "https://core.littleimp.cn/oidc",
  "jti": "TV4J0gAbe4KR4-8CtYcOa",
  "scope": "openid profile email phone offline_access",
  "token_type": "Bearer"
}

When the token is invalid, it returns:

json
{
  "active": false
}

An error will be thrown if the verification process fails.

Online verification of ID Token or Access Token Validity

Verify the ID token or Access token through the online interface provided by GenAuth. A network request will be generated.

js
AuthenticationClient().validateToken(options);

Parameters

  • options.idToken <string> ID Token, which can be obtained from id_token in the return value of the AuthenticationClient.getAccessTokenByCode method.
  • options.accessToken <string> Access token, which can be obtained from access_token in the return value of the AuthenticationClient.getAccessTokenByCode method.

Example

javascript
const authenticationClient = new AuthenticationClient({
  appId: "Application ID",
});
let res = await authenticationClient.validateToken({ idToken: "ID Token" });

Example data

When the id_token is verified to be legal, it returns:

json
{
  "sub": "5f64afd1ad501364e3b43c1e", // abbreviation of subject, which is the user ID
  "birthdate": null,
  "family_name": null,
  "gender": "U",
  "given_name": null,
  "locale": null,
  "middle_name": null,
  "name": null,
  "nickname": null,
  "picture": "https://usercontents.genauth.ai/authing-avatar.png",
  "preferred_username": "test1",
  "profile": null,
  "updated_at": "2020-09-27T06:06:29.853Z",
  "website": null,
  "zoneinfo": null,
  "email": "test1@123.com",
  "email_verified": false,
  "phone_number": null,
  "phone_number_verified": false,
  "nonce": "CQsguqUdl7",
  "at_hash": "10iOtwuTNtyQLzlNYXAHeg",
  "aud": "5f17a529f64fb009b794a2ff",
  "exp": 1601460494,
  "iat": 1601456894,
  "iss": "https://oidc1.genauth.ai/oidc"
}

When the ID token is verified invalid, it returns:

json
{ "code": 400, "message": "id_token format is incorrect" }
json
{ "code": 400, "message": "id_token is illegal" }

When the Access token is verified to be legal, it returns:

json
{
  "jti": "K5TYewNhvdGBdHiRifMyW",
  "sub": "5f64afd1ad501364e3b43c1e", // Abbreviation of subject, which is user ID
  "iat": 1601456894,
  "exp": 1601460494,
  "scope": "openid profile email phone",
  "iss": "https://oidc1.genauth.ai/oidc",
  "aud": "5f17a529f64fb009b794a2ff"
}

When the Access token is verified to be illegal, it returns:

json
{ "code": 400, "message": "access_token format is incorrect" }
json
{ "code": 400, "message": "access_token is illegal" }
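
The claims returned by validateToken still have to be compared with what the application expects (issuer, audience, expiry, nonce), and the state on the callback with the one stored in the session. The checks below are an added example, not GenAuth SDK code: the function names are hypothetical, the sample values are constructed from the sample data above, and it assumes the application passed its own state and nonce to buildAuthorizeUrl and stored them in the user's session.

```javascript
// Added example (not GenAuth SDK code): checks an application applies to the
// callback and to the claims returned by validateToken. Names are hypothetical.
const crypto = require("crypto");

// Constant-time string comparison for state and nonce values.
function safeEqual(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Compare the state returned on the callback with the one stored in the
// session, before exchanging the code for tokens.
function stateMatches(returnedState, sessionState) {
  return Boolean(returnedState) && Boolean(sessionState) &&
    safeEqual(returnedState, sessionState);
}

// Returns a list of problems; an empty list means the claims are acceptable.
function checkIdTokenClaims(claims, expected, now = Math.floor(Date.now() / 1000)) {
  // Error bodies look like { code: 400, message: "id_token is illegal" }.
  if (!claims || typeof claims !== "object" || "code" in claims) {
    return ["validation failed: " + ((claims && claims.message) || "no claims")];
  }
  const problems = [];
  if (claims.iss !== expected.issuer) problems.push("iss mismatch");
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.appId)) problems.push("aud mismatch");
  if (typeof claims.exp !== "number" || claims.exp <= now) problems.push("expired");
  if (!expected.nonce || !safeEqual(claims.nonce || "", expected.nonce)) {
    problems.push("nonce mismatch");
  }
  return problems;
}

// Constructed sample, modelled on the sample data above.
const sampleClaims = {
  sub: "5f64afd1ad501364e3b43c1e",
  nonce: "CQsguqUdl7",
  aud: "5f17a529f64fb009b794a2ff",
  exp: 1601460494,
  iat: 1601456894,
  iss: "https://oidc1.genauth.ai/oidc",
};
// What this application expects (values are assumptions for the example).
const expected = {
  issuer: "https://oidc1.genauth.ai/oidc",
  appId: "5f17a529f64fb009b794a2ff",
  nonce: "CQsguqUdl7",
};
```
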

Revoke Access Token or Refresh token

Revoke an Access token or Refresh token. The holder of the Access token or Refresh token can notify GenAuth that the token is no longer needed and ask GenAuth to revoke it.

js
AuthenticationClient().revokeToken(token);

Parameters

  • token <string> Access token or Refresh token, which can be obtained from access_token or refresh_token in the return value of the AuthenticationClient.getAccessTokenByCode method.

Example

javascript
const authenticationClient = new AuthenticationClient({
  appId: "Application ID",
  secret: "Application key",
  appHost: "https://{YOUR_DOMAIN}.genauth.ai",
  redirectUri: "Business callback address",
});
let res = await authenticationClient.revokeToken(
  "Access token or Refresh token"
);

Sample data

Returns true when the token is successfully revoked.

Throws an error when revocation fails.

Splice logout URL

Concatenate the logout URL.

js
AuthenticationClient().buildLogoutUrl(options);

Parameters

  • options <object> Logout configuration items.
  • expert <boolean> Whether to enable expert mode, the default is false.
  • redirectUri <string> The redirect address after logout.
  • idToken <string> The user's idToken.

javascript
// Concatenate the front-end universal logout link
const authenticationClient = new AuthenticationClient({
  appId: "Application ID",
  appHost: "https://{YOUR_DOMAIN}.genauth.ai",
  redirectUri: "Business callback address",
});
let url = authenticationClient.buildLogoutUrl({
  redirectUri: "https://www.genauth.ai",
});

To log out using the OIDC protocol standard link, the current user's ID token needs to be passed in, and the logout callback address must be consistent with the console configuration:

js
// Splice the logout link that complies with the OIDC protocol standard
const authenticationClient = new AuthenticationClient({
  appId: "Application ID",
  secret: "Application key",
  appHost: "https://{YOUR_DOMAIN}.genauth.ai",
  redirectUri: "Business callback address",
  protocol: "oidc",
});
let url = authenticationClient.buildLogoutUrl({
  expert: true,
  idToken: "idToken of the user to be logged out",
  redirectUri: "https://www.genauth.ai",
});

Get Access Token in Client Credentials Mode

Use a programmatic access account to get an Access Token with permissions.

js
AuthenticationClient().getAccessTokenByClientCredentials(scope, options);

Parameters

  • scope <string> Permission items, space-separated strings, each representing a permission. For details, see [Machine-to-machine (M2M) authorization](/en/genauth/guides/authorization/m2m-authz#Getting Permissioned-accesstoken).

  • options, AK and SK information of programmatic access account.

  • options.accessKey, programmatic access account AccessKey.

  • options.secretKey, programmatic access account SecretKey.

Example

javascript
const authenticationClient = new AuthenticationClient({
  appId: "Application ID",
  secret: "Application key",
  redirectUri: "Business callback address",
});
let res = await authenticationClient.getAccessTokenByClientCredentials(
  "email openid profile phone",
  {
    accessKey: "Programming access account AK",
    secretKey: "Programming access account SK",
  }
);

Sample data

json
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlRmTE90M0xibjhfYThwUk11ZXNzYW1xai1vM0RCQ3MxLW 93SExRLVZNcVEifQ.eyJqdGkiOiJsdzg0NW5zdGcwS3EtMTlodVpQOHYiLCJzdWIiOiI1ZmY3MDFkODQ2YjkyMDNlMm Y2YWM2ZjMiLCJpYXQiOjE2MTU4ODM1ODYsImV4cCI6MTYxNTg4NzE4Niwic2NvcGUiOiJlbWFpbCBvcGVuaWQgcHJvZ mlsZSBwaG9uZSIsImlzcyI6Imh0dHBzOi8vb2lkYzEuYXV0aGluZy5jbi9vaWRjIiwiYXVkIjoiNWYxN2E1MjlmNjRm YjAwOWI3OTRhMmZmIn0.VvYKBcWcr8iIi1b37ugWQ9hsvog4_7EqDQyFqwhIuvM0NHlHH3Bhw83EQIKSNfbWV4nv3ih feNGPLMzslbQr-wwjnWZTLMYl1bcn7IdVtD_kTN3Zz10MwF5td-VQ7UndU28wJ0HE1mo6E8QH93kYGckS5FSZXmCBa0 M5H59Jec_a1MHI1MZrr_V9cZ9EfeF97V-PcqU8JVAwDZclCJ3mWY_Mb65RnMR9yEVqUZzJStmaXGMuRIzjkm2pklqt0CtQQJfzECXq_4USpwRXDiYLWILYPUCcO6hGxDjhMEd8IcxdG51TQP-w1UM6LyIRn61uSJvDsz8zg5dStDKyocypiA",
  "expires_in": 3600,
  "scope": "email openid profile phone",
  "token_type": "Bearer"
}

Generate PKCE verification code

Generate a PKCE verification code.

js
AuthenticationClient().generateCodeChallenge();

Example

javascript
let codeChallenge = authenticationClient.generateCodeChallenge();

Example data

VrpGRU_3FQ5au1TqCvzeh1nTij7HkcnpP1qWzJMGX_Y

Generate PKCE checksum digest value

Generate a PKCE checksum.

js
AuthenticationClient().getCodeChallengeDigest(options);

Parameters

  • options, PKCE checksum, digest algorithm parameters.
  • options.codeChallenge, the original value of code_challenge to generate the digest value, a random string with a length greater than or equal to 43.
  • options.method, can be plain or S256, indicating the digest algorithm used when calculating code_challenge. plain means returning as is without any algorithm, and S256 means using SHA256 to calculate the code_challenge digest.

Example

javascript
// Generate a code_verifier
let codeChallenge = authenticationClient.generateCodeChallenge();
// Calculate the SHA256 digest of code_verifier
let codeChallengeDigest = authenticationClient.getCodeChallengeDigest({
  codeChallenge,
  method: "S256",
});

Example data

Bu6RP796BBiAwGwdUpHpKfhmQqahszBcGep8qT31XOy