Express.js (openid-client)

See the Applications overview for prerequisites, configuration endpoints, and available scopes.

openid-client provides a certified OpenID Connect client for Node.js. Key configuration:

  • Use client.discovery() for automatic issuer metadata, then authorizationCodeGrant() with PKCE
  • Manual state, nonce, and PKCE code verifier management
  • Store tokens in express-session with saveUninitialized: false
  • Hardware attestation claims (hardware_verified, hardware_aaguid) are in the access token JWT (RFC 9068): decode the payload segment with JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString()). Decoding is not verification; read claims this way only from a token that came straight from the token endpoint, and use introspection (or signature verification) for a token that arrived any other way.
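The claim extraction from the last bullet, as an added example that is not code from the web/express-openid project: it reads hardware_verified and hardware_aaguid from the access token payload and adds the checks a practitioner would want (the RFC 9068 `typ` header, expiry, a strict boolean test). The token at the bottom is constructed for illustration with a placeholder signature and a placeholder AAGUID, which is exactly why this decoder only applies to tokens received directly from the token endpoint.

```javascript
// Added example, not the project's own code. Reads hardware attestation
// claims from an RFC 9068 access token using only Node built-ins.

function decodeSegment(segment) {
  // JWT segments are unpadded base64url (RFC 4648 section 5).
  return JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
}

// Returns the hardware claims, or throws when the token is not an
// access-token JWT or is no longer valid at `now` (seconds since epoch).
function readHardwareClaims(accessToken, now = Math.floor(Date.now() / 1000)) {
  const parts = accessToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const header = decodeSegment(parts[0]);
  // RFC 9068 section 2.1: access tokens carry typ "at+jwt". Refusing other
  // values stops an ID token or refresh token being read as an access token.
  if (header.typ !== 'at+jwt') throw new Error(`unexpected typ ${header.typ}`);
  const claims = decodeSegment(parts[1]);
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('token expired');
  // Only a literal true counts; "true", 1 or a missing claim must not pass.
  const verified = claims.hardware_verified === true;
  return {
    subject: claims.sub,
    hardwareVerified: verified,
    hardwareAaguid: verified ? (claims.hardware_aaguid ?? null) : null,
  };
}

// Constructed sample builder (illustration only). The signature segment is a
// placeholder: nothing here verifies it, so feed this decoder only tokens
// that arrived straight from the token endpoint over TLS, and use
// introspection or signature verification for tokens from anywhere else.
function constructedToken(claims, typ = 'at+jwt') {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${b64({ alg: 'RS256', typ })}.${b64(claims)}.placeholder-signature`;
}

const PLACEHOLDER_AAGUID = '00000000-0000-0000-0000-000000000000'; // constructed
const SAMPLE_TOKEN = constructedToken({
  iss: 'https://issuer.example', sub: 'user-123', aud: 'web/express-openid',
  iat: 1700000000, exp: 1700003600,
  hardware_verified: true, hardware_aaguid: PLACEHOLDER_AAGUID,
});
```

In the Express app this runs inside the route that reads the token back from express-session, after openid-client's authorizationCodeGrant() has completed the exchange.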

Example

web/express-openid — Complete working example with authorization code flow, PKCE, session management, and token introspection.