Creates an OIDC Provider based on the provided configuration and parameters. The provider will be cached and returned on subsequent calls. Cookie and JWT keys will be stored in an internal storage so they can be re-used over multiple threads. Necessary claims for Solid OIDC interactions will be added. Routes will be updated based on the baseUrl and oidcPath.


  • IdentityProviderFactory




adapterFactory: AdapterFactory
baseUrl: string
config: Configuration
credentialStorage: KeyValueStorage<string, ClientCredentials>
errorHandler: ErrorHandler
interactionHandler: InteractionHandler
jwtAlg: "ES256" = 'ES256'
logger: Logger = ...
oidcPath: string
provider?: Provider
responseWriter: ResponseWriter
showStackTrace: boolean
storage: KeyValueStorage<string, unknown>


  • In the configureErrors function below, we configure the renderError function of the provider configuration. This function is called by the OIDC provider library to render errors, but only does this if the accept header is HTML. Otherwise, it just returns the error object iself as a JSON object. See

    In this function we override the ctx.accepts function to make the above code think HTML is always requested there. This way we have full control over error representation as configured in configureErrors. We still check the accept headers ourselves so there still is content negotiation on the output, the client will not simply always receive HTML.

    Should this part of the OIDC library code ever change, our function will break, at which point behaviour will simply revert to what it was before.


    • provider: Provider

    Returns void

  • Creates the route string as required by the oidc-provider library. In case base URL is, oidcPath is /idp and relative is device/auth, this would result in /foo/idp/device/auth.


    • relative: string

    Returns string

  • Gets a provider from the factory. Multiple calls to this function should return providers that produce the same results. This is mostly relevant for signing keys.

    Returns Promise<Provider>

  • Checks if the given token is an access token. The AccessToken interface is not exported so we have to access it like this.


    • token: any

    Returns token is undefined | AccessToken