bedrock-oauth2-client
A Bedrock module that creates and manages an OAuth2 client, making it easy to use an HTTP client to call OAuth2-protected API endpoints.
A Bedrock helper library intended to work with OAuth 2.0 bearer-token-protected API endpoints (see for example authorize-access-token-middleware). For use with the client_credentials grant type only, for server-to-server use cases.
TBD
To install via NPM:
npm install --save bedrock-oauth2-client
To install locally (for development):
git clone https://github.com/digitalbazaar/bedrock-oauth2-client.git
cd bedrock-oauth2-client
npm install
Create a configs/authorization.js config file. For example:
import bedrock from 'bedrock';
const {config} = bedrock;

config['your-bedrock-project'].authorization = [{
  issuer: config['your-bedrock-project'].services.issuerUrl,
  protocol: 'oauth2_client_grant',
  // Pre-registered CLIENT_ID and CLIENT_SECRET (load the secret from the
  // environment or a secrets store rather than committing it to the repo)
  client_id: '...',
  client_secret: '...',
  // API endpoint to make a Client Credentials grant POST request to
  token_endpoint: `${config['your-bedrock-project'].services.issuerUrl}/token`,
  pkce: false,
  grant_type: 'client_credentials',
  scope: ['your.custom.scope']
}];
And add the corresponding entry to lib/config.js:

import path from 'path';
import bedrock from 'bedrock';
const {config} = bedrock;

// Load the authorization config from the project's config directory
await import(path.join(config.paths.config, 'authorization.js'));
On the bedrock.start event, for example in lib/config.js, request the access token from the required issuer:

import bedrock from 'bedrock';
import {refreshAccessToken} from 'bedrock-oauth2-client';
const {config} = bedrock;

// Skip the startup token fetch under CI, where a live issuer is typically not available
if(!process.env.CI) {
  bedrock.events.on('bedrock.start', async () => {
    const issuer = config['bedrock-oauth2-client'].services.issuerUrl;
    config['bedrock-oauth2-client'].exampleIssuerOAuth2Access.accessToken =
      await refreshAccessToken({issuer});
  });
}
Fetching a new access token on server startup (and fetching another one when the LRU cache entry expires) should keep the client from presenting an expired token. However, some events are beyond the client's control: issuer keys being rotated, scopes being changed or revoked, and so on. For these cases you also need automated logic that retries for a fresh access token when it encounters an appropriate error.
- If error is invalid_token AND name is ConstraintError (this covers the Expired, Revoked, and Issuer Key Rotated cases), check whether the maximum number of retries has been exceeded (for that issuer). If not, retry the authorization flow and fetch another access token.
- If name is DataError, or on any other error encountered during the authorization flow, do not retry. Continue throwing a 503 Service Unavailable error any time an access token is required for this issuer.
Example OAuth 2 error response (the error, error_description and error_uri fields are dictated by the OAuth 2.0 spec, and the name property is Bedrock-specific):

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer error="invalid_token", error_description="The access token expired"
Content-Type: application/json

{
  "error": "invalid_token",
  "error_description": "The access token expired",
  "name": "ConstraintError"
}
Bedrock-specific invalid_token
conditions:
ConstraintError
NotFoundError
DataError
DataError
ConstraintError
ConstraintError (was: DataError)
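The retry rules above and the error shape in the example response, as an added example that is not part of this README or of the bedrock-oauth2-client package: a minimal client that caches one token per issuer, re-authorizes with a Client Credentials grant when the resource answers invalid_token with name ConstraintError, and stops (answering 503 from then on) on DataError, on any error in the authorization flow itself, or once the per-issuer retry budget is spent. The issuer and the protected resource are constructed in-memory stand-ins so the code runs offline, and every name here (makeFakeIssuer, TokenClient, callProtected, serviceUnavailable, maxRetries, failAllTokens) is hypothetical.

```javascript
// Constructed stand-in for an OAuth 2.0 issuer plus a bearer-protected
// resource, so the example runs offline. token() plays POST {issuer}/token
// with grant_type=client_credentials; resource() returns error bodies shaped
// like the README's example, including the Bedrock-specific `name` field.
// Real calls are asynchronous HTTP; these are synchronous for readability.
function makeFakeIssuer({clientId, clientSecret}) {
  let counter = 0;
  const valid = new Set(); // tokens the resource currently accepts
  const issuer = {
    failAllTokens: false, // set to simulate an issuer that rejects every token
    token({grant_type, client_id, client_secret}) {
      if(grant_type !== 'client_credentials') {
        return {status: 400, body: {error: 'unsupported_grant_type'}};
      }
      if(client_id !== clientId || client_secret !== clientSecret) {
        return {status: 401, body: {error: 'invalid_client'}};
      }
      const access_token = `tok-${++counter}`;
      valid.add(access_token);
      return {status: 200, body: {access_token, token_type: 'Bearer', expires_in: 3600}};
    },
    resource(authorization) {
      const token = (authorization || '').replace(/^Bearer\s+/, '');
      if(!token) {
        return {status: 401, body: {error: 'invalid_token',
          error_description: 'Missing access token', name: 'DataError'}};
      }
      if(issuer.failAllTokens || !valid.has(token)) {
        return {status: 401, body: {error: 'invalid_token',
          error_description: 'The access token expired', name: 'ConstraintError'}};
      }
      return {status: 200, body: {ok: true}};
    },
    // Expired, revoked or issuer-key-rotated: the outstanding token stops validating.
    invalidate(token) { valid.delete(token); }
  };
  return issuer;
}

function serviceUnavailable(cause) {
  const err = new Error('Service Unavailable: no usable access token for this issuer');
  err.status = 503;
  err.cause = cause;
  return err;
}

// Per-issuer client state: cached token, retry budget and a sticky
// "unavailable" flag set once the policy decides to stop retrying.
class TokenClient {
  constructor({issuer, clientId, clientSecret, maxRetries = 2}) {
    Object.assign(this, {issuer, clientId, clientSecret, maxRetries});
    this.accessToken = null;
    this.retries = 0;
    this.unavailable = false;
  }
  // Client Credentials grant. Any failure here is an error in the
  // authorization flow itself, which the README says must not be retried.
  refreshAccessToken() {
    const res = this.issuer.token({grant_type: 'client_credentials',
      client_id: this.clientId, client_secret: this.clientSecret});
    if(res.status !== 200) {
      this.unavailable = true;
      throw serviceUnavailable(res.body);
    }
    this.accessToken = res.body.access_token;
    return this.accessToken;
  }
}

// Call the protected resource, applying the README's rules: re-authorize on
// invalid_token + ConstraintError while retries remain; otherwise give up and
// answer 503 for this issuer from then on.
function callProtected(client) {
  for(;;) {
    if(client.unavailable) throw serviceUnavailable();
    const token = client.accessToken || client.refreshAccessToken();
    const res = client.issuer.resource(`Bearer ${token}`);
    if(res.status === 200) {
      client.retries = 0; // a successful call resets the per-issuer budget
      return res.body;
    }
    const {error, name} = res.body;
    const recoverable = error === 'invalid_token' && name === 'ConstraintError';
    if(recoverable && client.retries < client.maxRetries) {
      client.retries++;
      client.accessToken = null; // drop the cached token; the loop re-authorizes
      continue;
    }
    // DataError, an unknown error, or retry budget exhausted
    client.unavailable = true;
    throw serviceUnavailable(res.body);
  }
}
```

Resetting the retry counter on success is a design choice: an occasional rotation or revocation is absorbed with one re-authorization, while a run of consecutive failures trips the sticky 503. Since the README says to keep answering 503 for that issuer, a real service also needs some way to clear that state (a restart, an operator action, or a slow timer) or the issuer stays unusable after a transient outage.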
See the contribute file!
PRs accepted.
If editing the Readme, please conform to the standard-readme specification.
Commercial support for this library is available upon request from Digital Bazaar: support@digitalbazaar.com
Bedrock Non-Commercial License v1.0 © Digital Bazaar
4.0.1 - 2022-02-23
1 on unrecoverable error instead of doing graceful clean exit.