diff --git a/types/openid-client/index.d.ts b/types/openid-client/index.d.ts
new file mode 100644
index 0000000000..805091997b
--- /dev/null
+++ b/types/openid-client/index.d.ts
@@ -0,0 +1,96 @@
+// Type definitions for openid-client 3.1
+// Project: https://github.com/panva/node-openid-client
+// Definitions by: ulrichb <https://github.com/ulrichb>
+// Definitions: https://github.com/DefinitelyTyped/DefinitelyTyped
+// TypeScript Version: 2.8
+
+/// <reference types="node" />
+
+import { IncomingMessage } from "http";
+
+// https://github.com/panva/node-openid-client/tree/master/docs#issuer
+
+export interface IssuerMetadata {
+    readonly issuer?: string;
+}
+
+export class Issuer {
+    static discover(issuer: string): Promise<Issuer>;
+
+    readonly metadata: IssuerMetadata;
+
+    readonly Client: typeof Client;
+}
+
+export interface ClientMetadata {
+    readonly client_id?: string;
+    readonly client_secret?: string;
+    readonly redirect_uris?: ReadonlyArray<string>;
+    readonly response_types?: ReadonlyArray<string>;
+    readonly post_logout_redirect_uris?: ReadonlyArray<string>;
+}
+
+export interface AuthorizationUrlParameters {
+    readonly redirect_uri?: string;
+    readonly response_type?: string;
+    readonly scope?: string;
+
+    readonly response_mode?: string;
+    readonly nonce?: string;
+    readonly resource?: string;
+    readonly code_challenge?: string;
+    readonly code_challenge_method?: string;
+}
+
+export interface EndSessionUrlParameters {
+    readonly id_token_hint?: string | TokenSet;
+    readonly post_logout_redirect_uri?: string;
+    readonly state?: string;
+}
+
+export class Client {
+    constructor(metadata: ClientMetadata);
+
+    readonly metadata: ClientMetadata;
+
+    authorizationUrl(parameters?: AuthorizationUrlParameters): string;
+
+    endSessionUrl(parameters?: EndSessionUrlParameters): string;
+
+    callbackParams(input: string | IncomingMessage): {};
+
+    callback(redirectUri: string, parameters: {}, checks?: {
+        readonly response_type?: string;
+        readonly state?: string;
+        readonly nonce?: string;
+        readonly code_verifier?: string;
+        readonly max_age?: number;
+    }): Promise<TokenSet>;
+
+    userinfo(accessToken: string | TokenSet): Promise<{ readonly [name: string]: {} | null | undefined }>;
+}
+
+export class TokenSet {
+    readonly access_token?: string;
+    readonly token_type?: string;
+    readonly id_token?: string;
+    readonly refresh_token?: string;
+
+    expired(): boolean;
+
+    claims(): { readonly [name: string]: {} | null | undefined };
+}
+
+export namespace generators {
+    // https://github.com/panva/node-openid-client/tree/master/docs#generators
+
+    function random(bytes?: number): string;
+
+    function state(bytes?: number): string;
+
+    function nonce(bytes?: number): string;
+
+    function codeVerifier(bytes?: number): string;
+
+    function codeChallenge(verifier: string): string;
+}
diff --git a/types/openid-client/openid-client-tests.ts b/types/openid-client/openid-client-tests.ts
new file mode 100644
index 0000000000..cf5a8e631f
--- /dev/null
+++ b/types/openid-client/openid-client-tests.ts
@@ -0,0 +1,39 @@
+import { IncomingMessage } from "http";
+import { Issuer, generators } from "openid-client";
+
+async (req: IncomingMessage) => {
+    const issuer = await Issuer.discover('https://accounts.google.com');
+    console.log('Discovered issuer %O', issuer.metadata.issuer);
+
+    const client = new issuer.Client({
+        client_id: 'c',
+        client_secret: 's',
+        redirect_uris: ['http://localhost:3000/cb'],
+        response_types: ['code'],
+    });
+    console.log(client.metadata.client_id);
+
+    const code_verifier = generators.codeVerifier();
+
+    const code_challenge = generators.codeChallenge(code_verifier);
+
+    client.authorizationUrl({
+        scope: 'openid email profile',
+        response_mode: 'form_post',
+        nonce: 'nonce',
+        resource: 'https://my.api.example.com/resource/32178',
+        code_challenge,
+        code_challenge_method: 'S256',
+    }).substring(0);
+
+    const params = client.callbackParams(req);
+    const tokenSet = await client.callback('https://client.example.com/callback', params, { code_verifier });
+    console.log(tokenSet.id_token, tokenSet.access_token, tokenSet.refresh_token);
+    console.log(tokenSet.expired(), tokenSet.claims()["some claim name"]);
+
+    await client.userinfo("access token");
+    const userinfo = await client.userinfo(tokenSet);
+    console.log(userinfo["some user info name"]);
+
+    client.endSessionUrl({ id_token_hint: "id_token_hint" }).substring(0);
+};
diff --git a/types/openid-client/tsconfig.json b/types/openid-client/tsconfig.json
new file mode 100644
index 0000000000..992abcaf27
--- /dev/null
+++ b/types/openid-client/tsconfig.json
@@ -0,0 +1,23 @@
+{
+    "compilerOptions": {
+        "module": "commonjs",
+        "lib": [
+            "es6"
+        ],
+        "noImplicitAny": true,
+        "noImplicitThis": true,
+        "strictNullChecks": true,
+        "strictFunctionTypes": true,
+        "baseUrl": "../",
+        "typeRoots": [
+            "../"
+        ],
+        "types": [],
+        "noEmit": true,
+        "forceConsistentCasingInFileNames": true
+    },
+    "files": [
+        "index.d.ts",
+        "openid-client-tests.ts"
+    ]
+}
diff --git a/types/openid-client/tslint.json b/types/openid-client/tslint.json
new file mode 100644
index 0000000000..3db14f85ea
--- /dev/null
+++ b/types/openid-client/tslint.json
@@ -0,0 +1 @@
+{ "extends": "dtslint/dt.json" }