Closed osmanskaya closed 1 year ago
Yes, I saw this a while ago and I have been contemplating how this package should be moved forward.
It comes as no big surprise, since the creator of oidc-client has been heroically struggling to keep up with incoming issues for some time.
This project is for now actively maintained, I use it myself for a couple of live applications. But since a big portion of the functionality in here comes from oidc-client it is definitely worth noting the fact that oidc-client is archived.
I am unfortunately not in a position where I can take on managing oidc-client, and I have not seen anyone else take up the flag.
One idea I have is to instead make a new browser client package that only would support code+PKCE flow. Since implicit flow is now not recommended for anyone this would make sense to me.
After that I would make a new vue(x) package that uses that and this package would be archived as well.
This would be a task that would take some time and it is not something that I have started on yet.
Community input on this idea and of course any other suggestions would be appreciated! ☺️
I personally think the route of creating a new browser client package that you described would be ideal. I would be more than happy to help out in that effort as well as helping with the new vuex package since my team relies on this package quite heavily.
I also saw there was a fork (quite possibly more to be honest) of the original oidc-client to port over to TypeScript. It might make sense to port over to an implementation that the rest of the JS/TS community comes up with.
In the end, I think either route will require a heavy lift from the community.
First of all, thanks for this great library. I did some research and found a (from my view) promising fork here: https://github.com/authts/oidc-client-ts
This may be the fork @TheOriginalStove mentioned earlier.
Hi again, here is an update from the maintainer. 😄
https://github.com/authts/oidc-client-ts is indeed a good alternative to oidc-client. mmizutani has provided a PR (#187) with a switch of dependency project that I am evaluating to merge. It would break support of the implicit flow in the next major version bump, community input on this is welcome. You can voice your opinion in that PR or in this issue!
I myself am also working on an alternative oauth client: https://github.com/Aventyret/lionel-oauth-client which is licensed under MIT and is free to use by anyone (still a work in progress right now though).
The rationale behind this is that there are some behaviours and API things that I want to have a bit differently in my own projects.
That library will come with its own wrappers for vue etcetera, so my plan is to let this library live on as long as it seems to be used. A migration to oidc-client-ts might be a good way forward for that.
While I personally still use vuex-oidc in a vue2 typescript project and would really appreciate the change in dependencies to a more active backend library, I think a way forward should also take into account that vuex has been officially replaced by pinia and therefore vuex-oidc should be made compatible with it.
Thus a rewrite, as mentioned by @perarnborg, might be an easier solution than migrating vuex-oidc to oidc-client-ts and then making it compatible with pinia. Of course, I myself have no idea what kind of effort is needed to achieve both. However, the switch to oidc-client-ts seems straightforward (https://github.com/perarnborg/vuex-oidc/pull/187).
The bottom line is that I would like to see the switch to oidc-client-ts as a temporary solution, but further migrations will have to be considered in the future. Personally, I wouldn't mind a breaking change along the way.
From a library size perspective, oidc-client-ts has major improvements compared to oidc-client, thus reducing overall bundle size for the application.
@perarnborg - will it be possible to switch to oidc-client-ts for the time being till a new library/package is put in place as you mentioned in comments above? Thanks
@manpreet-compro Yes, I will most likely switch the dependency in this project's next major version bump.
My timeplan for that is to start looking and hopefully publish by the end of this month.
@perarnborg Is there any way this can be expedited? As I understand there's a PR open which would only require your review and approval (#187).
Yes. Unfortunately my initial tests of the PR did not work with the sample implementation. I need to look into why that was, but unfortunately I am pressed for time due to other engagements.
Help is welcome, if someone else wants to try out the PR to validate that it works as expected!
I tested the PR against the example repo. See here for the conclusion.
The library oidc-client, which this library depends on, has recently been archived. So it isn't actively maintained anymore.
Do you have any specific plans for the future regarding maintenance and continuation of this library?