Skip to main content

Menu

v0.6.4

OAuth 2 / OpenID Connect for Web Platform API JavaScript runtimes

View DocumentationView Source

Repository

panva/oauth4webapi

Current version released

2 years ago

Versions

OAuth 2 / OpenID Connect Client for Web APIs runtime

This is a collection of bits and pieces upon which a more streamlined Client module may be written.

In Scope & Implemented

Authorization Server Metadata discovery
OpenID Connect 1.0 and OAuth 2.0 Authorization Code Flow
PKCE
Refresh Token Grant
Device Authorization Grant
Client Credentials Grant
Demonstrating Proof-of-Possession at the Application Layer (DPoP)
Token Introspection
JWT Token Introspection
Token Revocation
JWT Secured Authorization Response Mode (JARM)
Confidential and Public Client
JWT-Secured Authorization Request (JAR)
Pushed Authorization Requests (PAR)
UserInfo Requests (Bearer and DPoP)
JWT UserInfo Responses
Protected Resource Requests (Bearer and DPoP)
Authorization Server Issuer Identification

Dependencies: 0

Documentation

Examples

example ESM import

import * as oauth2 from '@panva/oauth4webapi'

example Deno import

import * as oauth2 from 'https://deno.land/x/doauth/src/index.ts'

Authorization Code Flow - OpenID Connect source, or plain OAuth 2.0 source
Private Key JWT Client Authentication - source | diff from code flow
DPoP - source | diff from code flow
Pushed Authorization Request (PAR) - source | diff from code flow
JWT Authorization Response Mode (JARM) - source | diff from code flow
Client Credentials Grant - source
Device Authorization Grant - source

Runtime requirements

The supported javascript runtimes include ones that

are reasonably up to date ECMAScript (targets ES2020, but may be further transpiled for compatibility)
support required Web API globals and standard built-in objects
- Fetch API and its related globals fetch, Response, Headers
- Web Crypto API and its related globals crypto, CryptoKey
- Encoding API and its related globals TextEncoder, TextDecoder
- URL API and its related globals URL, URLSearchParams
- atob and btoa
- Uint8Array

Other than browsers the supported runtimes are

Deno (^1.21.0)
Cloudflare Workers
Vercel Edge Functions
Next.js Middlewares
Electron (renderer process)

Pending runtime support

Node.js - once fetch and Web Crypto API are available as globals
Electron (main process) - once fetch and Web Crypto API are available as globals

Out of scope

CommonJS
OAuth 2.0 & OpenID Connect Implicit Flows
OAuth 2.0 Resource Owner Password Credentials
OpenID Connect Hybrid Flows
MTLS (because fetch does not support client certificates)
JWS HMAC Signed Responses
JWE Encrypted Messages