// the find
AxaFrance/oidc-client
Light, Secure, Pure JavaScript OIDC (OpenID Connect) Client. We also provide a React wrapper (compatible with NextJS, etc.).
An OIDC/OAuth2 client library for browser-based apps, with a React wrapper and a clever Service Worker trick that keeps tokens out of the page's JavaScript context (they are held only inside the worker). Aimed at frontend teams who want PKCE + DPoP security without rolling their own auth flow. Maintained by AXA France and actively updated.
- The Service Worker intercepts fetch requests and injects tokens transparently, so access/refresh tokens never touch `window` or `localStorage` — a real security improvement over the typical approach, not just marketing.
- DPoP (Demonstrating Proof-of-Possession, RFC 9449) support is included; it binds access and refresh tokens to a key pair held by the client, so a leaked token cannot be replayed as a plain bearer token by anyone without that key. This is still rare in frontend OIDC libraries.
- Framework-agnostic core (`@axa-fr/oidc-client`) is cleanly separated from the React wrapper, making it usable in Vue/Svelte/vanilla JS even though first-class wrappers for those aren't shipped yet.
- Multiple migration guides (v3→v4 through v6→v7) and a detailed FAQ exist, which suggests real production use with actual breaking-change management.
- The Service Worker file (`OidcServiceWorker.js`) must be manually kept in sync with the package version via a postinstall script — easy to forget in a monorepo or when using lockfile-only updates, and the consequences (silent auth breakage) are non-obvious.
- Vue, Angular, and Svelte wrappers are listed as 'looking for contributors', meaning you get the raw core API for those frameworks with no official integration story.
- Test coverage is sparse relative to the complexity of the auth state machine — there are spec files for some utilities but the core `oidc.ts` and `renewTokens.ts` logic appears largely untested.
- The NextJS demo uses the Pages Router with plain JS, not App Router with TypeScript, which is well behind current Next.js patterns and gives little guidance on SSR token handling or the RSC boundary.