Accounts
The authorization server MUST be able to locate an account and, once found, the account object MUST contain an
accountId property as well as a claims() function returning an object with claims that correspond to the claims
the authorization server supports. The provider MUST be configured with an account discovery method by implementing
the findAccount function. The claims() function MAY return a Promise that is later resolved or rejected.
import * as oidc from "oidc-provider";

const provider = new oidc.Provider("http://localhost:3000", {
  async findAccount(ctx, id) {
    return {
      accountId: id,
      async claims(use, scope) {
        return { sub: id };
      },
    };
  },
});

findAccount
Account Loading and Claims Resolution
Specifies a function that shall be invoked to load an account and retrieve its available claims during authorization server operations. This function enables the authorization server to resolve end-user account information based on the provided account identifier. The function MUST return a Promise that resolves to an account object containing an accountId property and a claims() method that returns an object with claims corresponding to the claims supported by the issuer. The claims() method may also return a Promise that shall be resolved or rejected according to account availability and authorization server policy.
default value:
async function findAccount(ctx, sub, token) {
  // @param ctx - koa request context
  // @param sub {string} - account identifier (subject)
  // @param token - is a reference to the token used for which a given account is being loaded,
  //   is undefined in scenarios where claims are returned from authorization endpoint
  return {
    accountId: sub,
    // @param use {string} - can either be "id_token" or "userinfo", depending on
    //   where the specific claims are intended to be put in
    // @param scope {string} - the intended scope, while oidc-provider will mask
    //   claims depending on the scope automatically you might want to skip
    //   loading some claims from external resources or through db projection etc. based on this
    //   detail or not return them in ID Tokens but only UserInfo and so on
    // @param claims {object} - the part of the claims authorization parameter for either
    //   "id_token" or "userinfo" (depends on the "use" param)
    // @param rejected {Array[String]} - claim names that were rejected by the end-user, you might
    //   want to skip loading some claims from external resources or through db projection
    async claims(use, scope, claims, rejected) {
      return { sub };
    },
  };
}
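Added example, not part of the oidc-provider documentation: a findAccount implementation that uses the claims() parameters documented above (use, scope, claims, rejected) to project an account record, returning undefined for an unknown subject. The in-memory account store, the scope-to-claims table and the "UserInfo only" policy for phone_number are assumptions made for this example.

```javascript
// Constructed in-memory account store; the subject value is a made-up sample.
const ACCOUNTS = new Map([
  ["23121d3c-84df-44ac-b458-3d63a9a05497", {
    email: "jane@example.com", email_verified: true,
    name: "Jane Doe", given_name: "Jane", family_name: "Doe",
    phone_number: "+1-555-0100", phone_number_verified: false,
  }],
]);

// Standard OpenID Connect scope -> claims grouping (subset) used for projection.
const SCOPE_CLAIMS = {
  openid: ["sub"],
  email: ["email", "email_verified"],
  profile: ["name", "given_name", "family_name"],
  phone: ["phone_number", "phone_number_verified"],
};

// Policy assumption: served from the UserInfo endpoint only, never placed in ID Tokens.
const USERINFO_ONLY = new Set(["phone_number"]);

// Synchronous core: decide which claims a caller may receive for this "use".
function projectClaims(sub, record, use, scope, claims, rejected) {
  const allowed = new Set();
  for (const s of (scope || "").split(" ")) {
    for (const c of SCOPE_CLAIMS[s] || []) allowed.add(c);
  }
  // Claims requested explicitly via the claims parameter for this "use" are eligible too.
  for (const c of Object.keys(claims || {})) allowed.add(c);
  const out = { sub };
  for (const name of allowed) {
    if (name === "sub" || (rejected || []).includes(name)) continue;
    if (use === "id_token" && USERINFO_ONLY.has(name)) continue;
    if (Object.prototype.hasOwnProperty.call(record, name)) out[name] = record[name];
  }
  return out;
}

// Signature matches the findAccount hook documented above.
async function findAccount(ctx, sub, token) {
  const record = ACCOUNTS.get(sub);
  // Unknown subject: resolve to undefined so the account is treated as not found.
  if (!record) return undefined;
  return {
    accountId: sub,
    async claims(use, scope, claims, rejected) {
      return projectClaims(sub, record, use, scope, claims, rejected);
    },
  };
}
```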