@awwong1/oauth4webapi
v1.0.0TypeScript
OAuth 2 / OpenID Connect for JavaScript Runtimes
0/weekUpdated 1 years agoMITUnpacked: 157.3 KB
Published by Filip Skokan
npm install @awwong1/oauth4webapi> NOTE: This is a fork of the original panva/oauth4webapi repository with a modification to output commonjs. See also https://github.com/auth0/nextjs-auth0/issues/1752
OAuth 2 / OpenID Connect for JavaScript Runtimes
This software provides a collection of routines that can be used to build client modules for OAuth 2.1, OAuth 2.0 with the latest Security Best Current Practices (BCP), and FAPI 2.0, as well as OpenID Connect where applicable. The primary goal of this software is to promote secure and up-to-date best practices while using only the capabilities common to both browser and non-browser JavaScript runtimes.
Features
The following features are currently in scope and implemented in this software:
- Authorization Server Metadata discovery
- Authorization Code Flow (profiled under OpenID Connect 1.0, OAuth 2.0, OAuth 2.1, and FAPI 2.0), with PKCE
- Refresh Token, Device Authorization, and Client Credentials Grants
- Demonstrating Proof-of-Possession at the Application Layer (DPoP)
- Token Introspection and Revocation
- Pushed Authorization Requests (PAR)
- UserInfo and Protected Resource Requests
- Authorization Server Issuer Identification
- JWT Secured Introspection, Response Mode (JARM), Authorization Request (JAR), and UserInfo
- Validating incoming JWT Access Tokens
Certification
Filip Skokan has certified that this software conforms to the Basic, FAPI 1.0 Advanced, FAPI 2.0 Security Profile, and FAPI 2.0 Message Signing Relying Party Conformance Profiles of the OpenID Connectâ„¢ protocol.
💗 Help the project
Dependencies: 0
oauth4webapi has no dependencies and it exports tree-shakeable ESM.
API Reference
oauth4webapi is distributed via npmjs.com, deno.land/x, cdnjs.com, jsdelivr.com, and github.com.
Examples
example ESM import
``js`
import * as oauth2 from 'oauth4webapi'
example Deno import
`js``
import * as oauth2 from 'https://deno.land/x/oauth4webapi@v2.10.4/mod.ts'
- Authorization Code Flow (OAuth 2.0) - source
- Authorization Code Flow (OpenID Connect) - source | diff
- Extensions
- DPoP - source | diff
- JWT Secured Authorization Request (JAR) - source | diff
- JWT Secured Authorization Response Mode (JARM) - source | diff
- Pushed Authorization Request (PAR) - source | diff
- Client Authentication
- Client Secret in HTTP Authorization Header - source
- Client Secret in HTTP Body - source | diff
- Private Key JWT Client Authentication - source | diff
- Public Client - source | diff
- Other Grants
- Client Credentials Grant - source
- Device Authorization Grant - source
- Refresh Token Grant - source | diff
- FAPI
- FAPI 1.0 Advanced (Private Key JWT, MTLS, JAR) - source | diff
- FAPI 2.0 Security Profile (Private Key JWT, PAR, DPoP) - source | diff
Supported Runtimes
The supported JavaScript runtimes include those that support the utilized Web API globals and standard built-in objects. These are _(but are not limited to)_:
- Browsers
- Bun
- Cloudflare Workers
- Deno
- Electron
- Node.js (runtime flags may be needed)
- Vercel's Edge Runtime
Out of scope
The following features are currently out of scope:
- Implicit, Hybrid, and Resource Owner Password Credentials Flows
- JSON Web Encryption (JWE)
- Automatic polyfills of any kind