Ory Hydra Authorization Code Exchange => access token Use openid-client

https://github.com/panva/node-openid-client/tree/v2.x

Important! WARNING: Node.js 12 or higher is required for openid-client@3 and above. For older Node.js versions use openid-client@2. So follow the v2.x branch: https://github.com/panva/node-openid-client/tree/v2.x

The Node.js package used here is "openid-client": "2.5.0".

client.authorizationCallback has a bug: it always fails with a nonce mismatch error. See https://github.com/panva/node-openid-client/issues/150

The correct way: in https://github.com/panva/node-openid-client/blob/f1b4282ac50f7e15fc195f66bf76409af4ec4b6b/lib/client.js look at the if (params.code) { branch. It shows that grant can be used directly: https://github.com/panva/node-openid-client/tree/v2.x#custom-token-endpoint-grants

```js
const hydraconfig = {
  "oidurl": "https://openid.hydra:9001",
  "redirectUri": "https://t.tt:9010/callback",
  "clientid": "auth-code-client",
  "clientsecretid": "secret"
}

//openid-client================
const { Issuer } = require('openid-client')

// Exchange the code received on the callback URL for a token set.
async function exchangeCode(code) {
  const hydraIssuer = await Issuer.discover(hydraconfig.oidurl) // => Promise
    .then(function (hydradiscoverIssuer) {
      console.log('Discovered issuer %s %O', hydradiscoverIssuer.issuer, hydradiscoverIssuer.metadata);
      return hydradiscoverIssuer
    });

  const client = new hydraIssuer.Client({
    client_id: hydraconfig.clientid,
    client_secret: hydraconfig.clientsecretid
  });

  var tokenset = await client.grant({
    grant_type: 'authorization_code',
    code: code,
    redirect_uri: hydraconfig.redirectUri,
    // No value: the authorization request goes through the Hydra login-consent
    // flow, not through client.authorizationUrl or client.authorizationPost.
    code_verifier: '',
  });
  console.log(tokenset)
  return tokenset
}
```

2019-08-07 · 1 min · 128 words · Me

javascript console.log object

```js
// %s prints a string, %O prints an object; myVar is a placeholder name.
console.log('show value string, object %s %O', myVar.string, myVar.object);
```

2019-08-07 · 1 min · 8 words · Me

Ory Hydra Authorization Code Exchange => access token

Earlier posts about getting an access token from Hydra used Go's HydraOauthConfig.Exchange(ctx, code). That is the easy way. But how do you get the access token from a front-end site built with Vue or another framework?

Use REST Client to test:

```http
POST https://openid.hydra:9001/oauth2/token
Authorization: Basic YXV0aC1jb2RlLWNsaWVudDpzZWNyZXQ=
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=cuNw76aEuckIJJyVssk2LJvqdLXffT-8Kx1s0tYFt6Y.v0Dxc2_yT9ga8c2moKx0fDbwRFVgwryAt5BJM7lOJlM
#&redirect_uri=https://certfront/oid/test/callback
#&scope=openid,offline
#&client_id=auth-code-client
#&code_verifier=
#&state=gczxkznmjkrksgytsemvwgkf
```

Important: the header is Authorization: Basic (see https://github.com/ory/hydra/issues/631), not Authorization: Bearer.

The header value is base64(urlencode(client_id):urlencode(client_secret)):

YXV0aC1jb2RlLWNsaWVudDpzZWNyZXQ= => auth-code-client:secret

code is the callback code. When the login-consent step finishes, Hydra redirects to the callback URL you configured. Look for code= inside that URL, for example: https://t.tt:9010/callback?code=cuNw76aEuckIJJyVssk2LJvqdLXffT-8Kx1s0tYFt6Y.v0Dxc2_yT9ga8c2moKx0fDbwRFVgwryAt5BJM7lOJlM&scope=openid%20offline&state=gczxkznmjkrksgytsemvwgkf ...
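
As an added example (not code from the original post), the same exchange in Node.js: it checks state on the callback URL before using code, then builds the token request with the Authorization: Basic value encoded as described above. The function names are assumptions, the client id, secret and URLs are the sample values from this post, and redirect_uri is sent because the token endpoint requires it whenever it was part of the authorization request.

```javascript
// Added example: sample values are the ones used in this post.
const TOKEN_URL = 'https://openid.hydra:9001/oauth2/token';

// application/x-www-form-urlencoded encoding of a single value (RFC 6749 Appendix B).
function formEncode(value) {
  return encodeURIComponent(value)
    .replace(/[!~'()]/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase())
    .replace(/%20/g, '+');
}

// client_secret_basic: base64(urlencode(client_id) ":" urlencode(client_secret)).
function basicAuthHeader(clientId, clientSecret) {
  const pair = `${formEncode(clientId)}:${formEncode(clientSecret)}`;
  return 'Basic ' + Buffer.from(pair, 'utf8').toString('base64');
}

// Pull `code` out of the callback URL, refusing error responses and
// callbacks whose `state` is not the one this session sent.
function parseCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (params.has('error')) {
    throw new Error(`authorization failed: ${params.get('error')}`);
  }
  if (!expectedState || params.get('state') !== expectedState) {
    throw new Error('state mismatch');
  }
  const code = params.get('code');
  if (!code) throw new Error('callback has no code');
  return code;
}

// Describe the token request; send it with fetch(req.url, req).
function buildTokenRequest(code, redirectUri, clientId, clientSecret) {
  return {
    url: TOKEN_URL,
    method: 'POST',
    headers: {
      Authorization: basicAuthHeader(clientId, clientSecret),
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: new URLSearchParams({
      grant_type: 'authorization_code',
      code,
      redirect_uri: redirectUri,
    }).toString(),
  };
}
```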

2019-08-07 · 1 min · 159 words · Me

oauth2 nodejs

https://peach.ebu.io/technical/tutorials/tuto-oauth2-client/
https://www.pveller.com/oauth2-with-passport-10-steps-recipe/
http://www.hitotec.com/authentification-oauth-avec-passportjs-pour-une-api-rest/
https://www.shangyang.me/2018/03/11/javascript-nodejs-passport-04-deepinto-oauth2-authenticate-process/
https://blog.yorkxin.org/2013/09/30/oauth2-4-1-auth-code-grant-flow.html

2019-08-06 · 1 min · 5 words · Me

[Repost] How to create a self-signed certificate for development and testing with OpenSSL

https://blog.miniasp.com/post/2019/02/25/Creating-Self-signed-Certificate-using-OpenSSL

This is currently the more reliable approach.

Create the ssl.conf configuration file:

```ini
[req]
prompt = no
default_md = sha256
default_bits = 2048
distinguished_name = dn
x509_extensions = v3_req

[dn]
C = TW
ST = Taiwan
L = Taipei
O = Duotify Inc.
OU = IT Department
emailAddress = admin@example.com
CN = localhost

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.localhost
DNS.2 = localhost
DNS.3 = 192.168.2.100
# Clients that follow RFC 5280 match an IP address only against an IP entry.
IP.1 = 192.168.2.100
```

Generate the key and the certificate:

```sh
openssl req -x509 -new -nodes -sha256 -utf8 -days 3650 -newkey rsa:2048 -keyout server.key -out server.crt -config ssl.conf
```

2019-08-06 · 1 min · 76 words · Me