Module

x/oauth4webapi/mod.ts

Low-Level OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
Latest
import * as oauth4webapi from "https://deno.land/x/oauth4webapi@v3.1.2/mod.ts";

Classes

Thrown when OAuth 2.0 Authorization Error Response is encountered.

Thrown when a server responds with an "OAuth-style" error JSON body.

Thrown when a server responds with WWW-Authenticate challenges, typically because of expired tokens or bad client authentication.

Variables

By default the module only allows interactions with HTTPS endpoints. Setting this option to true removes that restriction.

Use to adjust the assumed current time. Positive and negative finite values representing seconds are allowed. Default is 0 (Date.now() + 0 seconds is used).

Use to set allowed clock tolerance when checking DateTime JWT Claims. Only positive finite values representing seconds are allowed. Default is 30 (30 seconds).

When configured on an interface that extends HttpRequestOptions, this applies to the options parameter of functions that may trigger HTTP requests and replaces the use of the global fetch. As a fetch replacement, its arguments and expected return value are the same as those of fetch.

Use this as the value of the processAuthorizationCodeResponse oidc.expectedNonce parameter to indicate that no nonce ID Token claim value is expected, i.e. no nonce parameter value was sent with the authorization request.

Use this as the value of the validateAuthResponse expectedState parameter to indicate that no state parameter value is expected, i.e. no state parameter value was sent with the authorization request.

Assigned as OperationProcessingError.code when a request is about to be made to a non-TLS secured HTTP endpoint and allowInsecureRequests is not provided.

Assigned as OperationProcessingError.code during validateJwtAccessToken when the request or its contents are invalid.

Assigned as OperationProcessingError.code when authorization server responses are invalid.

Assigned as OperationProcessingError.code when the AS configuration has invalid metadata.

Assigned as OperationProcessingError.code when a Response JSON body attribute is not of a given expected value.

Use to add support for decrypting JWEs the client encounters, namely

DANGER ZONE - This option has security implications that must be understood, assessed for applicability, and accepted before use. It is critical that the JSON Web Key Set cache only be writable by your own code.

Assigned as OperationProcessingError.code when a JWT claim is not of a given expected value.

Assigned as OperationProcessingError.code when a JWT NumericDate comparison with the current timestamp fails.

Assigned as OperationProcessingError.code when a JWT UserInfo Response was expected but a regular JSON one was given instead.

Assigned as OperationProcessingError.code when a JWT signature validation fails to select an applicable key.

Assigned as OperationProcessingError.code when the AS configuration is missing metadata.

Use to mutate the JWT header and payload before they are signed. Its intended use is working around non-conforming server behaviours, such as modifying JWT "aud" (audience) claims, or otherwise changing fixed claims used by this library.

Assigned as OperationProcessingError.code when the following fails to parse as JSON

Assigned as OperationProcessingError.code when a request is about to be made to a non-HTTP(S) endpoint.

Assigned as OperationProcessingError.code when a Response does not have the expected success HTTP Status Code as defined by its specification.

Assigned as OperationProcessingError.code when a Response does not have the expected application/json response-type HTTP Header.

Use this as the value of the processAuthorizationCodeResponse oidc.maxAge parameter to indicate that no auth_time ID Token claim value check should be performed.

DANGER ZONE - This option has security implications that must be understood, assessed for applicability, and accepted before use.

DANGER ZONE - This option has security implications that must be understood, assessed for applicability, and accepted before use.

Functions

Performs an Authorization Code grant request at as.token_endpoint.

Calculates the PKCE code_challenge value to send with an authorization request using the S256 PKCE Code Challenge Method transformation.

Performs a Client Credentials Grant request at as.token_endpoint.

client_secret_basic uses the HTTP Basic authentication scheme to send client_id and client_secret in an Authorization HTTP Header.

client_secret_jwt uses the HTTP request body to send client_id, client_assertion_type, and client_assertion as application/x-www-form-urlencoded body parameters. HMAC is used for the assertion's authenticity and integrity.

client_secret_post uses the HTTP request body to send client_id and client_secret as application/x-www-form-urlencoded body parameters.

Performs a Device Authorization Request at as.device_authorization_endpoint.

Performs a Device Authorization Grant request at as.token_endpoint.

Performs an authorization server metadata discovery using one of two transformation algorithms (DiscoveryRequestOptions.algorithm) applied to the issuerIdentifier argument.

Returns a wrapper / handle around a CryptoKeyPair that is used for negotiating and proving proof-of-possession to sender-constrain OAuth 2.0 tokens via DPoP at the Authorization Server and Resource Server.

Generates a CryptoKeyPair for a given JWS alg Algorithm identifier.

Generate random code_verifier value.

Generate random nonce value.

Generate random state value.

Performs any Grant request at as.token_endpoint. The purpose is to be able to execute grant requests such as Token Exchange Grant Type, JWT Bearer Token Grant Type, or SAML 2.0 Bearer Assertion Grant Type.

Returns ID Token claims validated during processRefreshTokenResponse or processDeviceCodeResponse. To optionally validate its JWS Signature, use validateApplicationLevelSignature.

Performs an Introspection Request at as.introspection_endpoint.

Used to determine if a rejected error indicates the need to retry the request due to an expired/missing nonce.

Generates a signed JWT-Secured Authorization Request (JAR).

none (public client) uses the HTTP request body to send only client_id as application/x-www-form-urlencoded body parameter.

private_key_jwt uses the HTTP request body to send client_id, client_assertion_type, and client_assertion as application/x-www-form-urlencoded body parameters. Digital signature is used for the assertion's authenticity and integrity.

Validates an Authorization Code Grant Response instance to be one coming from as.token_endpoint.

Validates a Client Credentials Grant Response instance to be one coming from as.token_endpoint.

Validates a Response instance to be one coming from as.device_authorization_endpoint.

Validates a Device Authorization Grant Response instance to be one coming from as.token_endpoint.

Validates a Response instance to be one coming from the authorization server's well-known discovery endpoint.

Validates a Token Endpoint Response instance to be one coming from as.token_endpoint.

Validates a Response instance to be one coming from as.introspection_endpoint.

Validates a Response instance to be one coming from as.pushed_authorization_request_endpoint.

Validates a Refresh Token Grant Response instance to be one coming from as.token_endpoint.

Validates a Response instance to be one coming from as.revocation_endpoint.

Validates a Response instance to be one coming from as.userinfo_endpoint.

Performs a protected resource request at an arbitrary URL.

Performs a Pushed Authorization Request at as.pushed_authorization_request_endpoint.

Performs a Refresh Token Grant request at as.token_endpoint.

Performs a Revocation Request at as.revocation_endpoint.

tls_client_auth uses the HTTP request body to send only client_id as an application/x-www-form-urlencoded body parameter; the mTLS key and certificate are configured through customFetch.

Performs a UserInfo Request at as.userinfo_endpoint.

Validates the JWS Signature of either a JWT Response.body or the TokenEndpointResponse.id_token of a processed Response.

Validates an OAuth 2.0 Authorization Response or Authorization Error Response message returned from the authorization server's as.authorization_endpoint.

Same as validateAuthResponse but for code id_token authorization responses.

Same as validateAuthResponse but for FAPI 1.0 Advanced Detached Signature authorization responses.

Validates use of JSON Web Token (JWT) OAuth 2.0 Access Tokens for a given Request as per RFC 6750, RFC 9068, and RFC 9449.

Same as validateAuthResponse but for signed JARM responses.

Interfaces

Authorization Server Metadata

Recognized Client Metadata that has an effect on the exposed functionality.

DPoP handle, obtained from the DPoP function.

Interface to pass an asymmetric private key and, optionally, its associated JWK Key ID to be added as a kid JOSE Header Parameter.

Type Aliases

Implementation of the Client's Authentication Method at the Authorization Server.

JSON Array

JSON Object

JSON Primitives

JSON Values

JWS alg Algorithm identifiers from the JSON Web Signature and Encryption Algorithms IANA registry for which Digital Signature validation is implemented.