Node.js / Express (openid-client)

openid-client is an OpenID-certified library. It handles discovery, PKCE and token validation for you.

1. Install

Terminal
npm install openid-client express express-session

2. Set up the client

auth.js
import * as client from "openid-client";

// Discovery fetches the issuer metadata (endpoints, JWKS location) once at startup.
// Top-level await requires an ES module ("type": "module" in package.json).
const server = new URL("https://id.becyber.nl");
export const config = await client.discovery(
  server,
  process.env.BEID_CLIENT_ID,
  process.env.BEID_CLIENT_SECRET,
);

3. Start the login (with PKCE)

routes.js
import * as client from "openid-client";
import { config } from "./auth.js";

app.get("/login", async (req, res) => {
  // A fresh PKCE verifier and state per login attempt; both stay server-side in the session.
  const codeVerifier = client.randomPKCECodeVerifier();
  const codeChallenge = await client.calculatePKCECodeChallenge(codeVerifier);
  req.session.codeVerifier = codeVerifier;
  req.session.state = client.randomState();

  const url = client.buildAuthorizationUrl(config, {
    redirect_uri: "https://jouw-app.nl/callback", // must exactly match the registered redirect URI
    scope: "openid profile email kyc",
    code_challenge: codeChallenge,
    code_challenge_method: "S256",
    state: req.session.state,
  });
  res.redirect(url.href);
});

4. Handle the callback

routes.js
app.get("/callback", async (req, res) => {
  // Rebuild the full callback URL: the library reads code and state from it, compares
  // state with expectedState and sends the PKCE verifier along with the token request.
  const tokens = await client.authorizationCodeGrant(
    config,
    new URL(req.url, "https://jouw-app.nl"),
    {
      pkceCodeVerifier: req.session.codeVerifier,
      expectedState: req.session.state,
    },
  );
  // Verifier and state are single-use: drop them so a replayed callback cannot succeed.
  delete req.session.codeVerifier;
  delete req.session.state;

  const claims = tokens.claims(); // sub, email, name, groups, kyc_status, ...
  req.session.user = { id: claims.sub, email: claims.email, groups: claims.groups };
  res.redirect("/");
});

authorizationCodeGrant validates the ID token signature against the JWKS and checks iss, aud, exp and the PKCE verifier and state. Only read the claims after that call has succeeded.
BeID with Node.js / Express (openid-client) — BeID Documentation · BeID