Typescript issue with nodenext module resolution, bump openid-client version ?

[hugo-daclon]

Checklist

• The issue can be reproduced in the express-openid-connect sample app (or N/A).
• I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
• I have looked into the API documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

When using this package with TypeScript configured to NodeNext module resolution, which is the recommended value, we face an issue with three types, the most annoying for me being IdTokenClaims.

This problem is on openid-client's side, and they already fixed it in version 5.1.6 (cf this commit line 33 of the package.json).

So now the issue is on your side. The version used in this project is ^4.9.1 which is 2 whole major version behind the latest one (6.6.2 as of this issue's creation). It should be fixed by bumping the openid-client version, though there might

Reproduction

1. Create a project with express-openid-connect, express and typescript
2. Set tsconfig.json to have the following configuration:

   {
       "compilerOptions": {
           "moduleResolution": "nodeNext",
           "module": "NodeNext",
       }
   }

3. Create the following file

   import express from "express";
   
   import expressOpenidConnect from "express-openid-connect";
   const { auth } = expressOpenidConnect;
   
   const app = express();
   app.use(
     auth({
       issuerBaseURL: process.env.OIDC_ISSUER_BASEURL,
       baseURL: process.env.OIDC_BASEURL,
       clientID: process.env.OIDC_CLIENT_ID,
       secret: process.env.OIDC_ENCRYPTION_SECRET,
       clientSecret: process.env.OIDC_CLIENT_SECRET,
       attemptSilentLogin: true,
       idpLogout: true,
       authorizationParams: {
         response_type: "code",
         scope: "openid profile email",
       },
       routes: {
         callback: "/auth/redirect",
         login: "/auth/login",
         logout: "/auth/logout",
       },
     })
   );
   app.use((req, _res, next) => {
     console.debug("idTokenClaims", req.oidc.idTokenClaims);
     if (!req.oidc.idTokenClaims.email) {
       throw new Error("Aucun utilisateur détecté, merci de contacter le support technique.");
     }
     next()
   });

4. Here is the issue :
   

Additional context

I'd like to avoid changing the module to ESNext and moduleResolution to node as much as possible, as I don't really know the impact.

This also raises another question: openid-client should be one of, if not the most important dependency of this project. So why has it not been updated for nearly 4 years even though this project is still actively maintained. It seems voluntary (cf. #491), but I don't get why.

express-openid-connect version

express-openid-connect@2.18.1

Express version

express@5.1.0

Node.js version

v22.17.1

[kushalshit27]

Thank you for reporting this issue! Our team is currently investigating the issue.

[jaredtbates]

We're running into the same issue - using moduleResolution: "bundler" and the outdated openid-client version doesn't support it.

[aks96]

Hey @jaredtbates appreciate your patience, we are under going migration for openid-client v4 to v6. That should fix this issue. We will update once we are live with the particular version

[Lomilar]

Very exciting! (No more Jose 2.0.7!)