This software provides a collection of routines that can be used to build client modules for OAuth 2.1, OAuth 2.0 with the latest Security Best Current Practices (BCP), and FAPI 2.0, as well as OpenID Connect where applicable. The primary goal of this software is to promote secure and up-to-date best practices while using only the capabilities common to both browser and non-browser JavaScript runtimes.

Features

The following features are currently in scope and implemented in this software:

Authorization Server Metadata discovery
Authorization Code Flow (profiled under OpenID Connect 1.0, OAuth 2.0, OAuth 2.1, and FAPI 2.0), with PKCE
Refresh Token, Device Authorization, and Client Credentials Grants
Demonstrating Proof-of-Possession at the Application Layer (DPoP)
Token Introspection and Revocation
Pushed Authorization Requests (PAR)
UserInfo and Protected Resource Requests
Authorization Server Issuer Identification
JWT Secured Introspection, Response Mode (JARM), Authorization Request (JAR), and UserInfo

Certification

Filip Skokan has certified that this software conforms to the Basic RP Conformance Profile of the OpenID Connect™ protocol.

💗 Help the project

Dependencies: 0

oauth4webapi has no dependencies and it exports tree-shakeable ESM.

Documentation

oauth4webapi is distributed via npmjs.com, deno.land/x, cdnjs.com, jsdelivr.com, and github.com.

Examples

example ESM import

import * as oauth2 from 'oauth4webapi'

example Deno import

import * as oauth2 from 'https://deno.land/x/oauth4webapi@v2.4.3/mod.ts'

Authorization Code Flow - OpenID Connect source, or plain OAuth 2 source
Public Client Authorization Code Flow - source | diff from code flow
Private Key JWT Client Authentication - source | diff from code flow
DPoP - source | diff from code flow
Pushed Authorization Request (PAR) - source | diff from code flow
Client Credentials Grant - source
Device Authorization Grant - source
FAPI 2.0 (Private Key JWT, PAR, DPoP) - source
FAPI 2.0 Message Signing (Private Key JWT, PAR, DPoP, JAR, JARM) - source | diff

Supported Runtimes

The supported JavaScript runtimes include those that support the utilized Web API globals and standard built-in objects. These are (but are not limited to):

Browsers
Bun
Cloudflare Workers
Deno
Electron
Node.js (runtime flags may be needed)
Vercel's Edge Runtime

Out of scope

The following features are currently out of scope:

CommonJS
Implicit, Hybrid, and Resource Owner Password Credentials Flows
Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
JSON Web Encryption (JWE)
Automatic polyfills of any kind

Keywords

FAQs

What is oauth4webapi?

Is oauth4webapi popular?

Is oauth4webapi well maintained?

Package last updated on 06 Jan 2024

Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install