OAuth 2 / OpenID Connect for Web Platform API JavaScript runtimes
This software is a collection of routines upon which framework-specific client modules may be written. Its objective is to support and, where possible, enforce secure and current best practices using only capabilities common to Browser and Non-Browser JavaScript-based runtime environments.
Target profiles of this software are OAuth 2.1, OAuth 2.0 complemented by the latest Security BCP, and FAPI 2.0. Where applicable OpenID Connect is also supported.
In Scope & Implemented
- Authorization Server Metadata discovery
- Authorization Code Flow (profiled under OpenID Connect 1.0, OAuth 2.0, OAuth 2.1, and FAPI 2.0), PKCE
- Refresh Token, Device Authorization, and Client Credentials Grants
- Demonstrating Proof-of-Possession at the Application Layer (DPoP)
- Token Introspection and Revocation
- Pushed Authorization Requests (PAR)
- UserInfo and Protected Resource Requests
- Authorization Server Issuer Identification
- JWT Secured Introspection, Response Mode (JARM), Authorization Request (JAR), and UserInfo
Filip Skokan has certified that this software conforms to the Basic RP Conformance Profile of the OpenID Connect™ protocol.
Dependencies: 0
example
ESM import
import * as oauth2 from 'oauth4webapi'
example
Deno import
import * as oauth2 from 'https://deno.land/x/oauth4webapi@v2.0.2/mod.ts'
Supported Runtimes
The supported JavaScript runtimes include ones that support the utilized Web API globals and standard built-in objects
These are (this is not an exhaustive list):
Out of scope
- CommonJS
- Implicit, Hybrid, and Resource Owner Password Credentials Flows
- Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
- JSON Web Encryption (JWE)
- Automatic polyfills of any kind