@resuely/astro-oidc-rp
Astro integration that injects OIDC login/callback/logout routes, a middleware that sets Astro.locals.user, and type augmentation.
Install
npm install @resuely/astro-oidc-rp
Usage (astro.config.mjs)
import { defineConfig } from "astro/config";
import resuelyOidc from "@resuely/astro-oidc-rp";

export default defineConfig({
  integrations: [
    resuelyOidc({
      issuer: { env: "OIDC_ISSUER", fallback: "https://your-idp" },
      clientId: { env: "OIDC_CLIENT_ID" },
      cookie: { signingSecret: { env: "OIDC_SIGNING_SECRET" } },
      protected: ["/app/*", "/me"],
    }),
  ],
});
Injected routes (defaults):
- Login: /login
- Callback: /oidc/callback
- Logout: /logout
- Logout callback: /logout/callback
Options
issuer: { env: string; fallback?: string }; // required
clientId: { env: string; fallback?: string }; // required
scopes?: string; // default: "openid email profile"
routes?: {
  login?: string;
  callback?: string;
  logout?: string;
  logoutCallback?: string;
};
redirectUri?: { mode: "infer-from-request" } | { absolute: string };
cookie: {
  name?: string;
  sameSite?: "Lax" | "Strict" | "None";
  secure?: boolean;
  domain?: string;
  path?: string;
  signingSecret: { env: string };
  maxAgeSec?: number;
};
protected?: string[]; // path patterns
Types: Astro.locals
Enable type augmentation by referencing the package export in your tsconfig.json:
{
  "compilerOptions": {
    "types": ["@resuely/astro-oidc-rp/astro-locals"]
  }
}
Then Astro.locals.user is typed as:
{ sub: string; email?: string } | null | undefined
Security notes
- Always provide a strong cookie.signingSecret.
- Cookies are Secure by default; for local HTTP development you may need cookie.secure: false.
- The init cookie used during login is short-lived (5 minutes) and set HttpOnly + SameSite=Lax.
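The notes above can be checked before deployment. The following is an added example, not code from this package: a small audit of the options object against the resolved environment. The function names, finding keys, the 32-byte and 12-distinct-character thresholds, and the sample values are all assumptions made for illustration.

```javascript
// Added example, not code from @resuely/astro-oidc-rp.
// MIN_SECRET_BYTES, MIN_DISTINCT_CHARS and the rule set are assumptions.
const MIN_SECRET_BYTES = 32;
const MIN_DISTINCT_CHARS = 12;

// Resolve an { env, fallback? } reference against an environment object.
function resolveRef(ref, env) {
  if (!ref) return undefined;
  return env[ref.env] || ref.fallback || undefined;
}

// Returns { key, message } findings; an empty list means no rule fired.
function auditOidcOptions(options, env, production = true) {
  const findings = [];
  const add = (key, message) => findings.push({ key, message });
  const cookie = options.cookie || {};

  const secret = resolveRef(cookie.signingSecret, env);
  if (!secret) {
    add("secret-missing", `${cookie.signingSecret?.env ?? "signing secret"} is unset or empty`);
  } else {
    if (new TextEncoder().encode(secret).length < MIN_SECRET_BYTES)
      add("secret-short", `signing secret is shorter than ${MIN_SECRET_BYTES} bytes`);
    if (new Set(secret).size < MIN_DISTINCT_CHARS)
      add("secret-low-variety", "signing secret uses very few distinct characters");
  }

  const secure = cookie.secure ?? true; // README: cookies are Secure by default
  if (!secure && production)
    add("cookie-insecure", "cookie.secure is false outside local development");
  if (cookie.sameSite === "None" && !secure)
    add("samesite-none-insecure", "browsers reject SameSite=None cookies without Secure");

  const issuer = resolveRef(options.issuer, env);
  if (!issuer) add("issuer-missing", "issuer did not resolve to a value");
  else if (production && !issuer.startsWith("https://"))
    add("issuer-not-https", "issuer should be an https:// URL");
  else if (production && !env[options.issuer.env])
    add("issuer-fallback", "issuer comes from the fallback, not the environment");

  if (!resolveRef(options.clientId, env))
    add("client-id-missing", "clientId did not resolve to a value");
  return findings;
}

// Constructed sample input (values are made up for this example).
const sampleOptions = { issuer: { env: "OIDC_ISSUER", fallback: "https://your-idp" },
  clientId: { env: "OIDC_CLIENT_ID" },
  cookie: { signingSecret: { env: "OIDC_SIGNING_SECRET" }, secure: false, sameSite: "None" } };
const sampleEnv = { OIDC_CLIENT_ID: "web", OIDC_SIGNING_SECRET: "changeme" };
console.log(auditOidcOptions(sampleOptions, sampleEnv).map((f) => f.key));
```

Pass false as the third argument when auditing a local HTTP development setup, where cookie.secure: false is expected.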
Build & Publish
Build:
npm run build
Publish:
npm publish --access public
License
MIT