npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2025 – Pkg Stats / Ryan Hefner

verdaccio-openid

v0.13.0

Published

A UI for OIDC authentication for Verdaccio, a fork of verdaccio-github-oauth-ui

Downloads

87

Readme

verdaccio-openid

npm npm npm npm

About

This is a Verdaccio plugin that offers OIDC OAuth integration for both the browser and the command line.

Compatibility

  • Verdaccio 5, 6
  • Node >=18
  • Browsers which support ES5

Setup

Install

  1. Install globally
npm install -g verdaccio-openid
  1. Install to Verdaccio plugins folder

npm >= 7

mkdir -p ./install-here/
npm install --global-style \
  --bin-links=false --save=false --package-lock=false \
  --omit=dev --omit=optional --omit=peer \
  --prefix ./install-here/ \
  verdaccio-openid@latest
mv ./install-here/node_modules/verdaccio-openid/ /path/to/verdaccio/plugins/

Verdaccio Config

Merge the below options with your existing Verdaccio config:

middlewares:
  openid:
    enabled: true

auth:
  openid:
    provider-host: https://example.com
    # configuration-uri: https://example.com/.well-known/openid-configuration
    # issuer: https://example.com
    # authorization-endpoint: https://example.com/oauth/authorize
    # token-endpoint: https://example.com/oauth/token
    # userinfo-endpoint: https://example.com/oauth/userinfo
    # jwks-uri: https://example.com/oauth/jwks
    # scope: openid email groups
    client-id: CLIENT_ID
    client-secret: CLIENT_SECRET
    username-claim: name
    # groups-claim: groups
    # provider-type: gitlab
    # store-type: file
    # store-config: ./store
    # authorized-groups:
    #  - access
    # group-users:
    #   animal:
    #     - tom
    #     - jack

Now you can use the openid-connect auth in the webUI.

Config Options

openid

| Config key | Value Type | Default | Required | Example | | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | --------------------------- | -------- | ------------------------------------------------------ | | provider-hostThe host of the OIDC provider | string | | Yes | https://example.com | | configuration-uriThe URI of the OIDC provider configuration | string | | No | https://example.com/.well-known/openid-configuration | | issuerThe issuer of the OIDC provider | string | | No | https://example.com | | authorization-endpointThe authorization endpoint of the OIDC provider | string | | No | https://example.com/oauth/authorize | | token-endpointThe token endpoint of the OIDC provider | string | | No | https://example.com/oauth/token | | userinfo-endpointThe userinfo endpoint of the OIDC provider | string | | No | https://example.com/oauth/userinfo | | jwks-uriThe JWKS URI of the OIDC provider | string | | No | https://example.com/oauth/jwks | | scopeThe scope of the OIDC provider | string | openid | No | openid email groups | | client-idThe client ID of the OIDC provider | string | | Yes | your-client-id | | client-secretThe client secret of the OIDC provider | string | | Yes | your-client-secret | | username-claimThe claim to get the username from the ID token or userinfo endpoint response | string | sub | No | name | | groups-claimThe claim to get the groups from the ID token or userinfo endpoint response | string | | No | groups | | provider-typeThe provider type to get groups from the provider. Supported values: gitlab | string | | No | gitlab | | store-typeThe store type to store the OIDC state and caches. | "in-memory" | "redis" | "file" | in-memory | No | file | | store-configThe store configuration. | string | object | { ttl: 60000 } | No | ./store | | keep-passwd-loginKeep the htpasswd login dialog. If set to true, the htpasswd login dialog will be kept. | boolean | undefined | No | true | | login-button-textThe text of the OpenID connect login button | string | Login with OpenID Connect | No | Login with GitLab | | authorized-groupsThe groups that are allowed to login. Use true to ensure the user has at least one group, false means no groups check | string | string | boolean | false | No | true | | group-usersThe custom group users. If set, groups-claim and provider-type take no effect | object | | No | {"animal": ["Tom", "Jack"]} |

store-config

  1. in-memory

When using the in-memory store, the store-config is an object with the following properties:

| Config key | Description | Value Type | Default | Required | Example | | ---------- | ------------------------------------------------------------------------------------------------------------- | ---------------- | ------- | -------- | ------- | | ttl | The TTL of the OIDC state (ms). | number | string | 60000 | No | 1m | | ... | All options are passed to the @isaacs/ttlcache constructor. | any | | No | |

  1. redis

When using the redis store, the store-config is a string with the Redis connection string or an object with the following properties:

| Config key | Description | Value Type | Default | Required | Example | | ---------- | ------------------------------------------------------------------------------------------- | ------------------------------ | ------- | -------- | ------------------------------------- | | ttl | The TTL of the OIDC state (ms). | number | string | 60000 | No | 1m | | username | The username of the Redis connection. | string | | No | your-username | | password | The password of the Redis connection. | string | | No | your-password | | host | The host of the Redis connection. | string | | No | localhost | | port | The port of the Redis connection. | number | | No | 6379 | | nodes | The nodes of the Redis Cluster connection. | (object | string | number)[] | | No | [{ host: 'localhost', port: 6379 }] | | ... | All options are passed to the ioredis constructor. | any | | No | |

The username and password can be set with the VERDACCIO_OPENID_STORE_CONFIG_USERNAME and VERDACCIO_OPENID_STORE_CONFIG_PASSWORD environment variables. Or you can use your own environment variable names.

Config example:

auth:
  openid:
    store-type: redis
    store-config: redis://your-username:your-password@localhost:6379
auth:
  openid:
    store-type: redis
    store-config:
      ttl: 60000
      username: your-username
      password: your-password
      host: localhost
      port: 6379

When using Redis Cluster, you should use the nodes property:

auth:
  openid:
    store-type: redis
    store-config:
      ttl: 1m
      username: your-username
      password: your-password
      nodes:
        - host: localhost
          port: 6379
        - host: localhost
          port: 6380
      redisOptions:
        # ... other ioredis options
  1. file

When using the file store, the store-config is a string with the file path to store the OIDC state or an object with the following properties:

| Config key | Description | Value Type | Default | Required | Example | | ---------- | ----------------------------------------------------------------------------------------------------- | ---------------- | ------- | -------- | --------- | | ttl | The TTL of the OIDC state (ms). | number | string | 60000 | No | 1m | | dir | The directory to store the OIDC state. | string | | No | ./store | | ... | All options are passed to the node-persist constructor. | any | | No | |

Config example:

auth:
  openid:
    store-type: file
    store-config: ./store
auth:
  openid:
    store-type: file
    store-config:
      ttl: 60000
      dir: ./store

keep-passwd-login

If you want to keep the htpasswd login dialog, set the keep-passwd-login to true.

By default, if auth.htpasswd.file is set, the htpasswd login dialog will be keep.

With this, you can use both the htpasswd login and the OIDC login.

Login Dialog

Environment Variables

You can set each config with environment variables to avoid storing sensitive information in the config file. Every config can be set with an environment variable name, matching the regex /^[a-zA-Z_][a-zA-Z0-9_]*$/.

auth:
  openid:
    client-id: MY_CLIENT_ID
    client-secret: MY_CLIENT_SECRET

If the config value is not set, the plugin will try to read the value from the environment variable. The default environment variable name is VERDACCIO_OPENID_ followed by the config key in uppercase and snake case.

| Config Key | Environment Name | Value Example | | ----------------- | ------------------------------------ | -------------------------------------------------------------- | | client-id | VERDACCIO_OPENID_CLIENT_ID | your-client-id | | client-secret | VERDACCIO_OPENID_CLIENT_SECRET | your-client-secret | | provider-host | VERDACCIO_OPENID_PROVIDER_HOST | https://example.com | | authorized-groups | VERDACCIO_OPENID_AUTHORIZED_GROUPS | true | | group-users | VERDACCIO_OPENID_GROUP_USERS | {"group1": ["user1", "user2"], "group2": ["user3", "user4"]} | | [key] | VERDACCIO_OPENID_[KEY] | other config value is the same as above |

The environment value can be a string or a JSON string. If it is a JSON string, the plugin will parse it to a JSON object.

Note: The environment variable will take precedence over the config value. That means if the config value is like an environment variable name(matching above regex), and the environment variable is set, the plugin will use the environment variable value.

Dotenv files

You can use a .env file to set the environment variables. The plugin will read the .env file in the HOME directory and the directory where the Verdaccio process is started.

The load order is:

  1. $HOME/.env
  2. $HOME/.env.openid
  3. $PWD/.env
  4. $PWD/.env.openid

Token Expiration

To set the token expiration time, follow the instructions in the Verdaccio docs.

security:
  api:
    jwt:
      sign:
        expiresIn: 7d # npm token expiration
  web:
    sign:
      expiresIn: 7d # webUI token expiration

OpenID Callback URL

  • Web UI: https://your-registry.com/-/oauth/callback
  • CLI: https://your-registry.com/-/oauth/callback/cli

Auth with CLI

npx verdaccio-openid@latest --registry http://your-registry.com