IOServer OIDC
Drop-in OIDC/OAuth2 JWT authentication for IOServer applications. Protects HTTP routes and Socket.IO namespaces by verifying tokens issued by your auth-service via remote JWKS — no secrets to store, no key rotation to manage.
What it does
JWT verification via JWKS
RS256/ES256 tokens are verified against your auth-service's public key set. Keys are fetched once and cached in-process; rotation is handled automatically by jose.
HTTP and WebSocket in one package
OidcHttpMiddleware guards Fastify routes. OidcSocketMiddleware guards Socket.IO namespaces. Both follow the exact same token flow and inject the same user context.
User auto-provisioning
On first access, the middleware calls appHandle.users.findOrCreate() to create a local user record from the OIDC subject. Disabled accounts are rejected with 403.
Role-based access control
OidcSocketAdminMiddleware provides a ready-to-use admin guard. Chain it after OidcSocketMiddleware to restrict a Socket.IO namespace to admin users only.
Zero secret storage
Access tokens are verified in-memory on every request using the cached JWKS. No token is stored on disk or in a database on the application side.
Full TypeScript support
Ships with declaration files for OidcConfig, OidcUserContext, and OidcFeatures. ESM-only distribution; compatible with TypeScript strict mode.
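The token flow described under "JWT verification via JWKS" and "User auto-provisioning", as an added sketch that is not the package's own code. It uses only node:crypto instead of jose, and the function names, the users.findOrCreate(sub) signature, the issuer, audience and key id are assumptions made for illustration.

```javascript
// Added example. All names are hypothetical; this is not the IOServer OIDC API.
const crypto = require('node:crypto');

// Allowlist of asymmetric algorithms; "none" and HS256 are never accepted.
const ALGS = new Map([
  ['RS256', { kty: 'RSA', dsaEncoding: 'der' }],
  ['ES256', { kty: 'EC', dsaEncoding: 'ieee-p1363' }],
]);
const b64u = (v) => Buffer.from(v).toString('base64url');
const parse = (part) => JSON.parse(Buffer.from(part, 'base64url').toString());

function verifyJwt(token, jwks, { issuer, audience, now = Date.now() / 1000 }) {
  const [h, p, s] = token.split('.');
  if (!h || !p || !s) throw new Error('malformed token');
  const header = parse(h);
  const alg = ALGS.get(header.alg);
  if (!alg) throw new Error('algorithm not allowed');
  // Select the key by kid AND key type, so the header cannot pick a mismatched key.
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === alg.kty);
  if (!jwk) throw new Error('no matching key');
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key, dsaEncoding: alg.dsaEncoding }, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = parse(p); // claims are read only after the signature checks out
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  if (![].concat(claims.aud).includes(audience)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Verify, provision from the subject, then gate on account state (401 vs 403).
function authorize(token, jwks, users, opts) {
  let claims;
  try { claims = verifyJwt(token, jwks, opts); } catch (e) { return { status: 401, error: e.message }; }
  const user = users.findOrCreate(claims.sub); // stand-in for appHandle.users.findOrCreate()
  return user.disabled ? { status: 403 } : { status: 200, user };
}

// Constructed fixtures: throwaway ES256 key, one-key JWKS, in-memory user store.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const JWKS = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'k1' }] };
const OPTS = { issuer: 'https://auth.example', audience: 'ioserver-app' };
const sign = (header, claims) => {
  const data = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  return `${data}.${b64u(crypto.sign('sha256', Buffer.from(data), { key: privateKey, dsaEncoding: 'ieee-p1363' }))}`;
};
const makeUsers = (disabled) => ({ findOrCreate: (sub) => ({ sub, disabled: disabled.includes(sub) }) });
```

A token that fails verification never reaches the user store, so the 403 for a disabled account is only returned to a caller holding a valid token.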