foster/oauth4webapi
0
0
Fork 0
mirror of https://github.com/panva/oauth4webapi.git synced 2025-03-14 22:07:36 -04:00
Code Issues Activity
Low-Level OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
1039 commits 9 branches 99 tags 4.6 MiB
TypeScript 97.8%
JavaScript 1.6%
Shell 0.6%
Find a file
Exact
Filip Skokan 4096393a57 refactor: remove an always false switch case
2025-03-13 16:17:36 +01:00
.github chore: update bug report issue template 2025-02-23 14:17:40 +01:00
conformance test: remove generic use 2025-02-22 15:59:07 +01:00
docs docs: bump typedoc 2025-03-01 13:38:18 +01:00
examples example: add CIBA example 2025-02-19 11:54:35 +01:00
patches chore: upgrade dependencies, typescript, and docs 2024-12-02 16:39:46 +01:00
sponsor chore: updated sponsor logo 2024-10-07 09:00:05 +02:00
src refactor: remove an always false switch case 2025-03-13 16:17:36 +01:00
tap test: allow npm identifiers and use sloppy imports in tap:deno 2025-03-12 09:01:37 +01:00
test feat: add Client-Initiated Backchannel Authentication 2025-02-17 11:38:45 +01:00
.electron_flags.sh test: show warnings 2025-02-19 14:42:23 +01:00
.gitignore chore: update .gitignore 2024-01-12 11:22:55 +01:00
.node_flags.sh chore: bump packages 2025-02-22 15:56:11 +01:00
.postbump.cjs chore: lint dotfiles and md 2024-10-17 11:36:29 +02:00
.prettierrc.json style: force multiline jsdoc 2024-02-02 09:15:48 +01:00
.release-notes.cjs build: add default title to gh release 2023-04-21 23:07:57 +02:00
.versionrc.json chore: add documentation updates to future changelogs 2024-01-03 11:31:54 +01:00
ava.config.mjs test(conformance): add tls1.2 cipher list 2022-11-02 18:48:15 +01:00
CHANGELOG.md chore(release): 3.3.1 2025-03-10 08:53:13 +01:00
check-examples.sh ci: add a job for checking the markdown examples 2024-10-07 09:13:04 +02:00
CODE_OF_CONDUCT.md chore: github dotfiles 2022-03-16 21:43:46 +01:00
CONTRIBUTING.md chore: github dotfiles 2022-03-16 21:43:46 +01:00
jsr.json chore(release): 3.3.1 2025-03-10 08:53:13 +01:00
LICENSE.md initial commit 2022-03-16 16:50:55 +01:00
mod.ts refactor(deno): add mod.ts to deno.land/x 2022-11-20 19:33:47 +01:00
package-lock.json chore: bump packages 2025-03-11 14:42:09 +01:00
package.json chore: bump packages 2025-03-11 14:42:09 +01:00
README.md docs: drop cdnjs and denoland/x links in README 2025-03-10 08:56:06 +01:00
SECURITY.md chore: add SECURITY.md 2025-02-23 14:01:50 +01:00
tsconfig.docs.json ci: add a job for checking the markdown examples 2024-10-07 09:13:04 +02:00
tsconfig.json chore: bump packages 2025-03-01 13:35:52 +01:00
typedoc.json chore: lint dotfiles and md 2024-10-17 11:36:29 +02:00

README.md

oauth4webapi

Low-Level OAuth 2 / OpenID Connect Client API for JavaScript Runtimes

This software provides a collection of routines that can be used to build client modules for OAuth 2.1, OAuth 2.0 with the latest Security Best Current Practices (BCP), and FAPI 2.0, as well as OpenID Connect where applicable. The primary goal of this software is to promote secure and up-to-date best practices while using only the capabilities common to both browser and non-browser JavaScript runtimes.

Features

The following features are currently in scope and implemented in this software:

  • Authorization Server Metadata discovery
  • Authorization Code Flow (profiled under OpenID Connect 1.0, OAuth 2.0, OAuth 2.1, and FAPI 2.0), with PKCE
  • Refresh Token, Device Authorization, Client-Initiated Backchannel Authentication (CIBA), and Client Credentials Grants
  • Demonstrating Proof-of-Possession at the Application Layer (DPoP)
  • Token Introspection and Revocation
  • Pushed Authorization Requests (PAR)
  • UserInfo and Protected Resource Requests
  • Authorization Server Issuer Identification
  • JWT Secured Introspection, Response Mode (JARM), Authorization Request (JAR), and UserInfo
  • Validating incoming JWT Access Tokens

Sponsor

Auth0 by Okta

If you want to quickly add authentication to JavaScript apps, feel free to check out Auth0's JavaScript SDK and free plan. Create an Auth0 account; it's free!

Certification

OpenID Certification

Filip Skokan has certified that this software conforms to the Basic, FAPI 1.0, and FAPI 2.0 Relying Party Conformance Profiles of the OpenID Connect™ protocol.

💗 Help the project

Support from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by becoming a sponsor.

Dependencies: 0

oauth4webapi has no dependencies and it exports tree-shakeable ESM.

API Reference

oauth4webapi is distributed via npmjs.com, jsr.io, jsdelivr.com, and github.com.

Examples

example ESM import1

import * as oauth from 'oauth4webapi'
  • Authorization Code Flow (OAuth 2.0) - source
  • Authorization Code Flow (OpenID Connect) - source | diff
  • Extensions
  • Client Authentication
    • Client Secret in HTTP Authorization Header - source
    • Client Secret in HTTP Body - source | diff
    • Private Key JWT Client Authentication - source | diff
    • Public Client - source | diff
  • Other Grants
    • Client Credentials Grant - source
    • Client-Initiated Backchannel Authentication Grant (CIBA) - source
    • Device Authorization Grant - source
    • Refresh Token Grant - source | diff
  • FAPI

Supported Runtimes

The supported JavaScript runtimes include those that support the utilized Web API globals and standard built-in objects. These are (but are not limited to):

  • Browsers
  • Bun
  • Cloudflare Workers
  • Deno
  • Electron
  • Node.js2
  • Vercel's Edge Runtime

Supported Versions

Version Security Fixes 🔑 Other Bug Fixes 🐞 New Features
v3.x

  1. CJS style let oauth = require('oauth4webapi') is possible in Node.js versions where process.features.require_module is true by default (^20.19.0 || ^22.12.0 || >= 23.0.0) or with the --experimental-require-module Node.js CLI flag. ↩︎

  2. Node.js v20.x as baseline is required ↩︎