Skip to content

OAuth 2 / OpenID Connect for JavaScript Runtimes

License

Notifications You must be signed in to change notification settings

vijayth2-cerebras/oauth4webapi

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

OAuth 2 / OpenID Connect for JavaScript Runtimes

This software provides a collection of routines that can be used to build client modules for OAuth 2.1, OAuth 2.0 with the latest Security Best Current Practices (BCP), and FAPI 2.0, as well as OpenID Connect where applicable. The primary goal of this software is to promote secure and up-to-date best practices while using only the capabilities common to both browser and non-browser JavaScript runtimes.

Features

The following features are currently in scope and implemented in this software:

  • Authorization Server Metadata discovery
  • Authorization Code Flow (profiled under OpenID Connect 1.0, OAuth 2.0, OAuth 2.1, and FAPI 2.0), with PKCE
  • Refresh Token, Device Authorization, and Client Credentials Grants
  • Demonstrating Proof-of-Possession at the Application Layer (DPoP)
  • Token Introspection and Revocation
  • Pushed Authorization Requests (PAR)
  • UserInfo and Protected Resource Requests
  • Authorization Server Issuer Identification
  • JWT Secured Introspection, Response Mode (JARM), Authorization Request (JAR), and UserInfo
  • Validating incoming JWT Access Tokens

OpenID Certification

Filip Skokan has certified that this software conforms to the Basic, FAPI 1.0, and FAPI 2.0 Relying Party Conformance Profiles of the OpenID Connect™ protocol.

Support from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by becoming a sponsor.

Dependencies: 0

oauth4webapi has no dependencies and it exports tree-shakeable ESM.

oauth4webapi is distributed via npmjs.com, deno.land/x, cdnjs.com, jsdelivr.com, and github.com.

example ESM import

import * as oauth from 'oauth4webapi'

example Deno import

import * as oauth from 'https://deno.land/x/oauth4webapi@v2.11.1/mod.ts'
  • Authorization Code Flow (OAuth 2.0) - source
  • Authorization Code Flow (OpenID Connect) - source | diff
  • Extensions
  • Client Authentication
    • Client Secret in HTTP Authorization Header - source
    • Client Secret in HTTP Body - source | diff
    • Private Key JWT Client Authentication - source | diff
    • Public Client - source | diff
  • Other Grants
  • FAPI
    • FAPI 1.0 Advanced (Private Key JWT, MTLS, JAR) - source | diff
    • FAPI 2.0 Security Profile (Private Key JWT, PAR, DPoP) - source | diff

Supported Runtimes

The supported JavaScript runtimes include those that support the utilized Web API globals and standard built-in objects. These are (but are not limited to):

Out of scope

The following features are currently out of scope:

  • CommonJS
  • Implicit, Hybrid, and Resource Owner Password Credentials Flows
  • JSON Web Encryption (JWE)
  • Automatic polyfills of any kind

About

OAuth 2 / OpenID Connect for JavaScript Runtimes

Resources

License

Code of conduct

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • TypeScript 80.9%
  • JavaScript 17.8%
  • Shell 1.3%