OAuth 2 / OpenID Connect for Web Platform API JavaScript runtimes

This software is a collection of routines upon which framework-specific client modules may be written. Its objective is to support and, where possible, enforce secure and current best practices using only capabilities common to Browser and Non-Browser JavaScript-based runtime environments.

Target profiles of this software are OAuth 2.1, OAuth 2.0 complemented by the latest Security BCP, and FAPI 2.0. Where applicable OpenID Connect is also supported.

In Scope & Implemented

Authorization Server Metadata discovery
Authorization Code Flow (profiled under OpenID Connect 1.0, OAuth 2.0, OAuth 2.1, and FAPI 2.0), PKCE
Refresh Token, Device Authorization, and Client Credentials Grants
Demonstrating Proof-of-Possession at the Application Layer (DPoP)
Token Introspection and Revocation
Pushed Authorization Requests (PAR)
UserInfo and Protected Resource Requests
Authorization Server Issuer Identification
JWT Secured Introspection, Response Mode (JARM), Authorization Request (JAR), and UserInfo

Certification

Filip Skokan has certified that this software conforms to the Basic RP Conformance Profile of the OpenID Connect™ protocol.

💗 Help the project

Dependencies: 0

Documentation

Examples

example ESM import

import * as oauth2 from 'oauth4webapi'

example Deno import

import * as oauth2 from 'https://deno.land/x/oauth4webapi/src/index.ts'

Authorization Code Flow - OpenID Connect source, or plain OAuth 2 source
Public Client Authorization Code Flow - source | diff from code flow
Private Key JWT Client Authentication - source | diff from code flow
DPoP - source | diff from code flow
Pushed Authorization Request (PAR) - source | diff from code flow
Client Credentials Grant - source
Device Authorization Grant - source
FAPI 2.0 (Private Key JWT, PAR, DPoP) - source
FAPI 2.0 Message Signing (Private Key JWT, PAR, DPoP, JAR, JARM) - source | diff

Runtime requirements

The supported JavaScript runtimes include ones that

are reasonably up to date ECMAScript (targets ES2020, but may be further transpiled for compatibility)
support required Web API globals and standard built-in objects
- Fetch API and its related globals fetch, Response, Headers
- Web Crypto API and its related globals crypto, CryptoKey
- Encoding API and its related globals TextEncoder, TextDecoder
- URL API and its related globals URL, URLSearchParams
- atob and btoa
- Uint8Array
These are (not an exhaustive list):
- Browsers
- Cloudflare Workers
- Deno
- Electron
- Next.js Middlewares
- Node.js (runtime flags may be needed)
- Vercel Edge Functions

Out of scope

CommonJS
Implicit, Hybrid, and Resource Owner Password Credentials Flows
Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
JSON Web Encryption (JWE)
JSON Web Signature (JWS) rarely used algorithms and HMAC
Automatic polyfills of any kind

	conformance	34 KB
	docs	106 KB
	examples	40 KB
	patches	6 KB
	src	112 KB
	tap	31 KB
	test	135 KB
	ava.config.mjs	170 B
	CHANGELOG.md	12 KB
	CODE_OF_CONDUCT.md	5 KB
	CONTRIBUTING.md	962 B
	LICENSE.md	1 KB
	package-lock.json	712 KB
	package.json	2 KB
	README.md	5 KB
	tsconfig.json	533 B
	typedoc.json	582 B
Close hidden itemsShow hidden 7 items
	.github	20 KB
	.gitignore	2 KB
	.mdn_links.cjs	355 B
	.node_flags.sh	318 B
	.postbump.cjs	388 B
	.prettierrc.json	248 B
	.versionrc.json	695 B