@sourceregistry/sveltekit-oidc 1.1.0 → 1.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -33,6 +33,7 @@ export const oidc = createOIDC({
33
33
  loginPath: '/auth/login',
34
34
  redirectPath: '/auth/callback',
35
35
  scope: ['openid', 'profile', 'email', 'offline_access'],
36
+ clockSkewSeconds: 30,
36
37
  fetchUserInfo: true,
37
38
  backChannelLogoutStore: createInMemoryBackChannelLogoutStore(),
38
39
  transformSession(session) {
@@ -175,6 +176,7 @@ Set these environment variables to enable it:
175
176
  ## Notes
176
177
 
177
178
  - `cookieSecret` should be a strong random secret and must stay stable across instances.
179
+ - `clockSkewSeconds` defaults to `30` and tolerates small clock drift between your app and the identity provider.
178
180
  - `createInMemoryBackChannelLogoutStore()` is suitable for local development or single-instance deployments. Use Redis, SQL, or another shared store for production.
179
181
  - The library validates `id_token` and `logout_token` values through `@sourceregistry/node-jwt` and provider JWKS metadata.
180
182
  - `groups` are normalized onto the session from `groups` and `roles` claims when present.
@@ -8,6 +8,7 @@ import { absoluteUrl, base64UrlEncode, buildCookieOptions, collectGroups, create
8
8
  export { createInMemoryBackChannelLogoutStore, createInMemorySessionStore } from './store.js';
9
9
  export function createOIDC(options) {
10
10
  const cookieOptions = buildCookieOptions(options.cookieOptions);
11
+ const clockSkewSeconds = options.clockSkewSeconds ?? 30;
11
12
  const refreshToleranceSeconds = options.refreshToleranceSeconds ?? 30;
12
13
  const sessionCookieName = options.sessionCookieName ?? 'oidc_session';
13
14
  const stateCookieName = options.stateCookieName ?? 'oidc_auth_state';
@@ -195,7 +196,8 @@ export function createOIDC(options) {
195
196
  const claims = await verifyJwtWithJwks(idToken, {
196
197
  issuer: metadata.issuer,
197
198
  audience: options.clientId,
198
- algorithms: metadata.id_token_signing_alg_values_supported
199
+ algorithms: metadata.id_token_signing_alg_values_supported,
200
+ clockSkew: clockSkewSeconds
199
201
  });
200
202
  const transformedClaims = options.transformClaims ? await options.transformClaims(claims) : claims;
201
203
  if (transformedClaims.nonce !== nonce) {
@@ -207,7 +209,8 @@ export function createOIDC(options) {
207
209
  const metadata = await getMetadata();
208
210
  const claims = await verifyJwtWithJwks(logoutToken, {
209
211
  issuer: metadata.issuer,
210
- audience: options.clientId
212
+ audience: options.clientId,
213
+ clockSkew: clockSkewSeconds
211
214
  });
212
215
  if (!claims.events?.['http://schemas.openid.net/event/backchannel-logout']) {
213
216
  throw error(400, { message: 'Invalid logout_token events claim' });
@@ -151,6 +151,7 @@ export type OIDCOptions = {
151
151
  stateCookieName?: string;
152
152
  cookieSecret: string;
153
153
  cookieOptions?: Partial<CookieOptions>;
154
+ clockSkewSeconds?: number;
154
155
  refreshToleranceSeconds?: number;
155
156
  defaultLoginRedirect?: string;
156
157
  defaultLogoutRedirect?: string;
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@sourceregistry/sveltekit-oidc",
3
- "version": "1.1.0",
3
+ "version": "1.1.1",
4
4
  "description": "OIDC authentication helpers for SvelteKit applications.",
5
5
  "license": "Apache-2.0",
6
6
  "scripts": {