Okta Node.js OIDC-RP Sample

by jpf

GitHub Readme.md


This app provides a test client that acts as a Relying Party (RP) for OpenID Connect.

Implemented specs & features

The following client/RP features from OpenID Connect/OAuth2.0 specifications are implemented by the app.

Deploy to Heroku


  1. The name of your Okta org (e.g. http://example.okta.com)
  2. A Client ID and Client Secret:
    • Applications > Add Application
    • Click the "Create New App" button
    • Select "Web" as the Platform
    • Select "OpenID Connect" and click the "Create" button
    • Enter a name for the application such as "Sample OIDC App" and click "Save"
    • Enter a "Login Redirect URL"; use http://localhost:8080 for now (you'll change this later)
    • Navigate to the Assignments tab for the application and use Assign > "Assign to Groups" to assign the app to the Everyone group
    • Navigate back to the General tab. You'll use the "Client ID" and "Client Secret" values on Heroku

Once you know your Okta org, Client ID, and Client Secret, click the button below and follow the prompts:



```
npm install
```

OAuth Client Registration

An OAuth 2.0 Client needs to be registered for this application with your OpenID Provider (OP).

| Parameter | Default Value | Description |
|---|---|---|
| response_types | code | Requests an authorization code for the OAuth2 Authorization Response (Authorization Code flow) |
| grant_types | authorization_code | Authorization Code flow |
| redirect_uris | http://localhost:7080/oauth/callback | Callback for OAuth2 Authorization Response |
| post_logout_redirect_uris | http://localhost:7080/logout/callback | Callback for OIDC RP-initiated logout |

Note: These values match the defaults; changing the command-line arguments may require additional client registration configuration.

Sample Dynamic Client Registration

The following example shows OAuth client registration for an OP that supports the OAuth 2.0 Dynamic Client Registration Protocol (the values match the registration table above).

```json
{
  "client_name": "Simple OIDC RP",
  "client_uri": null,
  "logo_uri": null,
  "redirect_uris": [
    "http://localhost:7080/oauth/callback"
  ],
  "post_logout_redirect_uris": [
    "http://localhost:7080/logout/callback"
  ],
  "response_types": [
    "code"
  ],
  "grant_types": [
    "authorization_code"
  ],
  "token_endpoint_auth_method": "client_secret_basic",
  "application_type": "web"
}
```


```
node server.js --iss {url} --cid {client_id} --cs {client_secret}
```

```
  --port, -p                Web Server Listener Port                                        [required]  [default: 7080]
  --issuer, --iss           OpenID Connect Provider (OP) Issuer URL                         [required]
  --clientId, --cid         Client ID registered for RP at the OP                           [required]
  --clientSecret, --cs      Client Secret registered for RP at the OP                       [required]
  --scope, --scp            OAuth 2.0 Scopes to request from OP (openid must be specified)  [required]  [default: "openid email phone address profile"]
  --responseType            OAuth 2.0 Response Type(s) for Authentication Request to OP     [required]  [default: "code"]
  --responseMode            OAuth 2.0 Response Mode for Authentication Response from OP     [required]  [default: "form_post"]
  --httpsPrivateKey, --key  Web Server TLS/SSL Private Key (pem)
  --httpsCert, --cert       Web Server TLS/SSL Certificate (pem)
  --https                   Enables HTTPS Listener (requires key and cert params)           [required]  [default: false]
```

Note: You must register the Relying Party (RP) as a client at the OpenID Provider (OP) manually to obtain a client_id and client_secret. The default redirect_uri for the client is http://localhost:7080/oauth/callback.


```
node server.js --iss https://example.okta.com --cid YRBDFADvhbcsuwGJfP96 --cs 296iRuRznZFupE1F1yjxIw7y-kSYeGGtUJIfGJqo
```

Default Routes

| Route | Description |
|---|---|
| /login | Initiates an OIDC authentication request to the OpenID Provider (OP) |
| /login/force | Initiates an OIDC authentication request with max_age=0 to force re-authentication with the OpenID Provider (OP) |
| /logout | Initiates an OIDC logout request to the OpenID Provider (OP) |
| /logout/callback | Callback for RP-initiated logout (post_logout_redirect_uris) |
| /profile | Displays the claims and userinfo for the authenticated user |
| /oauth/callback | Callback for OAuth2 Authorization Response (redirect_uri) |