Pure JS client using Implicit Flow

Testing OpenID Connect flow can be as simple as putting one file with a few functions on the client and calling the provider. Let me show.

01. Setup the provider

You can use the example project code to run your OIDC Provider at localhost:8000.

Go to the admin site and create a public client with a response_type id_token token and a redirect_uri http://localhost:3000.


Remember to create at least one RSA Key for the server with python manage.py creatersakey

02. Create the client

As relying party we are going to use a JS library created by Nat Sakimura. Here is the article.


<!DOCTYPE html>

    <title>OIDC RP</title>


        <h1>OpenID Connect RP Example</h1>
        <button id="login-button">Login</button>

    <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/2.2.2/jquery.min.js"></script>
    <script src="https://www.sakimura.org/test/openidconnect.js"></script>

    <script type="text/javascript">
    $(function() {
        var clientInfo = {
            client_id : '',
            redirect_uri : 'http://localhost:3000'


        var providerInfo = OIDC.discover('http://localhost:8000');

        OIDC.storeInfo(providerInfo, clientInfo);

        // Restore configuration information.

        // Get Access Token
        var token = OIDC.getAccessToken();

        // Make userinfo request using access_token.
        if (token !== null) {
            $.get('http://localhost:8000/userinfo/?access_token='+token, function( data ) {
                alert('USERINFO: '+ JSON.stringify(data));

        // Make an authorization request if the user click the login button.
        $('#login-button').click(function (event) {
                scope : 'openid profile email',
                response_type : 'id_token token'



Remember that you must set your client_id (line 21).

03. Make an authorization request

By clicking the login button an authorization request has been made to the provider. After you accept it, the provider will redirect back to your previously registered redirect_uri with all the tokens requested.

04. Requesting user information

Now having the access_token in your hands you can request the user information by making a request to the /userinfo endpoint of the provider.

In this example we display information in the alert box.