react-oauth2-code-pkce ·
React package for OAuth2 Authorization Code flow with PKCE
Adhering to the RFCs recommendations, cryptographically sound, and with zero dependencies!
What is OAuth2 Authorization Code Flow with Proof Key for Code Exchange?
Short version;
The modern and secure way to do authentication for mobile and web applications!
Long version;
https://oauth.net/2/pkce/
https://datatracker.ietf.org/doc/html/rfc7636
Features
- Authorization provider-agnostic. Works equally well with all OAuth2 authentication servers following the OAuth2 spec
- Supports OpenID Connect (idTokens)
- Pre- and Post-login callbacks
- Session expired callback
- Silently refreshes short-lived access tokens in the background
- Decodes JWT's
- A total of ~440 lines of code, easy for anyone to audit and understand
Example
import { AuthContext, AuthProvider, TAuthConfig, TRefreshTokenExpiredEvent } from "react-oauth2-code-pkce"
const authConfig: TAuthConfig = {
clientId: 'myClientID',
authorizationEndpoint: 'https://myAuthProvider.com/auth',
tokenEndpoint: 'https://myAuthProvider.com/token',
redirectUri: 'http://localhost:3000/',
scope: 'someScope openid',
onRefreshTokenExpire: (event: TRefreshTokenExpiredEvent) => window.confirm('Session expired. Refresh page to continue using the site?') && event.login(),
}
const UserInfo = (): JSX.Element => {
const {token, tokenData} = useContext<IAuthContext>(AuthContext)
return <>
<h4>Access Token</h4>
<pre>{token}</pre>
<h4>User Information from JWT</h4>
<pre>{JSON.stringify(tokenData, null, 2)}</pre>
</>
}
ReactDOM.render(<AuthProvider authConfig={authConfig}>
<UserInfo/>
</AuthProvider>
, document.getElementById('root'),
)
For more advanced examples, see ./examples/
.
Install
The package is available on npmjs.com here; https://www.npmjs.com/package/react-oauth2-code-pkce
npm install react-oauth2-code-pkce
API
IAuthContext values
The object that's returned by useContext(AuthContext)
provides these values;
interface IAuthContext {
token: string
tokenData?: TTokenData
login: (state?: string) => void
logOut: (state?: string, logoutHint?: string) => void
error: string | null
idToken?: string
idTokenData?: TTokenData
loginInProgress: boolean
}
Configuration parameters
react-oauth2-code-pkce's goal is to "just work" with any authentication provider that either
supports the OAuth2 or OpenID Connect (OIDC) standards.
However, many authentication providers are not following these standards, or have extended them.
With this in mind, if you are experiencing any problems, a good place to start is to see if the provider expects some custom parameters.
If they do, these can be injected into the different calls with these configuration options;
extraAuthParameters
extraTokenParameters
extraLogoutParameters
The <AuthProvider>
takes a config
object that supports these parameters;
type TAuthConfig = {
clientId: string
authorizationEndpoint: string
tokenEndpoint: string
redirectUri: string
scope?: string
state?: string
logoutEndpoint?: string
logoutRedirect?: string
preLogin?: () => void
postLogin?: () => void
onRefreshTokenExpire?: (event: TRefreshTokenExpiredEvent) => void
decodeToken?: boolean
autoLogin?: boolean
clearURL?: boolean
extraAuthParameters?: { [key: string]: string | boolean | number }
extraTokenParameters?: { [key: string]: string | boolean | number }
extraLogoutParameters?: { [key: string]: string | boolean | number }
extraAuthParams?: { [key: string]: string | boolean | number }
tokenExpiresIn?: number
refreshTokenExpiresIn?: number
}
Common issues
After redirect back from auth provider with ?code
, no token request is made
If you are using libraries that intercept any fetch()
-requests made. For example @tanstack/react-query
. That can cause
issues for the AuthProviders token fetching. This can be solved by not wrapping the <AuthProvider>
in any such library.
This could also happend if some routes in your app are not wrapped by the <AuthProvider>
.
The page randomly refreshes in the middle of a session
This will happen if you haven't provided a callback-function for the onRefreshTokenExpire
config parameter, and the refresh token expires.
You probably want to implement some kind of "alert/message/banner", saying that the session has expired and that the user needs to login again.
Either by refreshing the page, or clicking a "Login-button".
Develop
- Update the 'authConfig' object in
src/index.js
with config from your authorization server and application - Install node_modules ->
$ yarn install
- Run ->
$ yarn start
Contribute
You are most welcome to create issues and pull requests :)