This is a fork of a Verdaccio plugin that offers OIDC OAuth integration for both the browser and the command line.
This package differs from the verdaccio-openid package in that it doesn't throw an error when the oidc endpoint doesn't provide a roles claim.
- Verdaccio 5, 6
- Node 16, 18
- Chrome, Firefox, Firefox ESR, Edge, Safari
- Install globally
npm install -S verdaccio-openid- Install to Verdaccio plugins folder
npm >= 7
mkdir -p ./install-here/
npm install --global-style \
--bin-links=false --save=false --package-lock=false \
--omit=dev --omit=optional --omit=peer \
--prefix ./install-here/ \
verdaccio-openid@latest
mv ./install-here/node_modules/verdaccio-openid/ /path/to/verdaccio/plugins/Merge the below options with your existing Verdaccio config:
middlewares:
openid:
enabled: true
auth:
openid:
provider-host: https://example.com # required, the host of oidc provider
# configuration-uri: https://example.com/.well-known/openid-configuration # optional
# issuer: https://example.com # optional, jwt issuer, use 'provider-host' when empty
# authorization-endpoint: https://example.com/oauth/authorize # optional
# token-endpoint: https://example.com/oauth/token # optional
# userinfo-endpoint: https://example.com/oauth/userinfo # optional
# jwks-uri: https://example.com/oauth/jwks # optional
# scope: openid email groups # optional. custom scope, default is openid
client-id: CLIENT_ID # optional, you can set it with environment variable 'VERDACCIO_OPENID_CLIENT_ID'
client-secret: CLIENT_SECRET # optional, you can set it with environment variable 'VERDACCIO_OPENID_CLIENT_SECRET'
username-claim: name # optional. username claim in openid, or key to get username in userinfo endpoint response, default is sub
groups-claim: groups # optional. claim to get groups from
# provider-type: gitlab # optional. define this to get groups from gitlab api
# authorized-groups: # optional. user in array is allowed to login. use true to ensure user have at least one group, false means no groups check
# - access
# group-users: # optional. custom the group users. eg. animal group has user tom and jack. if set, 'groups-claim' and 'provider-type' take no effect
# animal:
# - tom
# - jackNow you can use the openid-connect auth in the webUI.
| Name | Description |
|---|---|
VERDACCIO_OPENID_CLIENT_ID |
OIDC client ID |
VERDACCIO_OPENID_CLIENT_SECRET |
OIDC client secret |
To set the token expiration time, follow the instructions in the Verdaccio docs.
security:
api:
jwt:
sign:
expiresIn: 7d # npm token expiration
web:
sign:
expiresIn: 7d # webUI token expiration- Web UI: https://your-registry.com/-/oauth/callback
- CLI: https://your-registry.com/-/oauth/callback/cli
npx verdaccio-openid@latest --registry http://your-registry.com