Express Migration Steps - Vault Vision

Step 1

Determine the 3 routes that will be used to:

  • Start a login (usually something like /login)

  • Start a logout (usually something like /logout)

  • Receive the user after a successful signup or login (usually something like /oidc/auth_callback)

Step 2 - Create an Account at Vault Vision

Create an account at this Register location. Register

Configure the Vault Vision tenant and application. Navigate to Getting Started

Step 3 - Update the application to use the determined URLs

Update the URL values in the (Vault Vision Management Panel)[] for your application.

Step 4 add the OIDC open source client library

npm install openid-client

Step 5 copy the environment variables

Copy over the env vars from the (Vault Vision Management Panel)[] into your react application, something like:

const appHostUrl = process.env.APP_HOST_URL;
const tenantFqdn = process.env.TENANT_FQDN;
const post_authorize_redirect = process.env.POST_AUTHORIZE_CALLBACK; //configure this in authorized web app redirect uris
const post_logout_callback = process.env.POST_LOGOUT_CALLBACK;
const tenantUrl = "https://" + tenantFqdn;
const redirect_uri = appHostUrl + post_authorize_redirect;
const post_logout_redirectUrl = [appHostUrl + post_logout_callback];
const client_id = process.env.CLIENT_ID;
const client_secret = process.env.CLIENT_SECRET;

Step 6 create a OIDC client using the open source library (vaultVisionIssuer) => {
  console.log('Discovered issuer %s %O', vaultVisionIssuer.issuer, vaultVisionIssuer.metadata);

  client = new vaultVisionIssuer.Client({
    client_id: client_id,
    client_secret: client_secret,
    redirect_uris: [redirect_uri],
    response_types: ['code'],
    // id_token_signed_response_alg (default "RS256")
    // token_endpoint_auth_method (default "client_secret_basic")


Step 7 create a login route

Something similar to

// create the login get and post routes
app.get('/login', (req, res) => {
  console.log('Inside GET /login callback function')

  const nonce = generators.nonce();
  const state = generators.state();
  const code_verifier = generators.codeVerifier();
  req.session.code_verifier = code_verifier
  req.session.nonce = nonce
  req.session.state = state

  const code_challenge = generators.codeChallenge(code_verifier);

  let redirectURL = client.authorizationUrl({
    scope: 'openid email profile',
    resource: redirect_uri,
    code_challenge_method: 'S256',
    nonce: nonce,
    state: state,
  console.log("redirctURL: " + redirectURL)

Step 8 create a logout route

app.get('/logout', (req, res) => {

Step 9 create a callback route

app.all(post_authorize_redirect, (req, res) => {
  console.log('Inside GET /postauthorize callback function')
  console.log("request session id: " + req.sessionID)
  const params = client.callbackParams(req);
      code_verifier: req.session.code_verifier,
      state: req.session.state,
      nonce: req.session.nonce,
  .then( (tokenSet) => {
    req.session.sessionTokens = tokenSet; =;
    console.log('received and validated tokens %j', tokenSet);
    console.log('validated ID Token claims %j',;

    if (tokenSet.access_token) {
      .then((userinfo) => {
        req.session.userinfo = userinfo
        userLookup[userinfo.sub] =

    res.cookie("jwt", JSON.stringify(tokenSet.id_token), {
      secure: false,
      httpOnly: true,
      expires: 0


Step 10 import users, and assign a new forigen key

Once users are imported into the Vault Vision tenant, take the returned table of users with the new assign Vault Vision subscriberId and attach that as a forigen key into your user table.

Step 11 update any session creation and tear down

New user sessions should be created in the oidc callback, and destroyed in the start logout route.