{"id":13539986,"url":"https://github.com/axa-group/oauth2-mock-server","last_synced_at":"2026-01-27T14:15:56.258Z","repository":{"id":32786457,"uuid":"141711997","full_name":"axa-group/oauth2-mock-server","owner":"axa-group","description":"A development and test oriented OAuth2 mock server","archived":false,"fork":false,"pushed_at":"2026-01-26T17:50:12.000Z","size":1996,"stargazers_count":227,"open_issues_count":15,"forks_count":57,"subscribers_count":10,"default_branch":"master","last_synced_at":"2026-01-27T04:40:14.036Z","etag":null,"topics":["hacktoberfest","mock-server","nodejs","oauth2","oauth2-server","testing"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/axa-group.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2018-07-20T12:55:47.000Z","updated_at":"2026-01-26T16:02:52.000Z","dependencies_parsed_at":"2026-01-26T18:03:55.746Z","dependency_job_id":null,"html_url":"https://github.com/axa-group/oauth2-mock-server","commit_stats":{"total_commits":152,"total_committers":16,"mean_commits":9.5,"dds":0.493421052631579,"last_synced_commit":"a6879ddfb319ace1635bb3f4ebf3ca6b340bf8f0"},"previous_names":[],"tags_count":38,"template":false,"template_full_name":null,"purl":"pkg:github/axa-group/oauth2-mock-server","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/axa-group%2Foauth2-mock-server","tags_url":"h
ttps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/axa-group%2Foauth2-mock-server/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/axa-group%2Foauth2-mock-server/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/axa-group%2Foauth2-mock-server/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/axa-group","download_url":"https://codeload.github.com/axa-group/oauth2-mock-server/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/axa-group%2Foauth2-mock-server/sbom","scorecard":{"id":219777,"data":{"date":"2025-08-11","repo":{"name":"github.com/axa-group/oauth2-mock-server","commit":"bacf8c6af265381bb1f5055b7094d3f94422dda2"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":6.3,"checks":[{"name":"Maintained","score":10,"reason":"19 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source 
repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Pinned-Dependencies","score":1,"reason":"dependency not pinned by hash detected -- score normalized to 1","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code_ql.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/axa-group/oauth2-mock-server/code_ql.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code_ql.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/axa-group/oauth2-mock-server/code_ql.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code_ql.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/axa-group/oauth2-mock-server/code_ql.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code_ql.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/axa-group/oauth2-mock-server/code_ql.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:18: update your workflow using 
https://app.stepsecurity.io/secureworkflow/axa-group/oauth2-mock-server/main.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/axa-group/oauth2-mock-server/main.yml/master?enable=pin","Info:   0 out of   6 GitHub-owned GitHubAction dependencies pinned","Info:   1 out of   1 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'actions' permission set to 'read': .github/workflows/code_ql.yml:28","Info: jobLevel 'contents' permission set to 'read': .github/workflows/code_ql.yml:29","Warn: no topLevel permission defined: .github/workflows/clear_closed_pr_cache.yml:1","Warn: no topLevel permission defined: .github/workflows/code_ql.yml:1","Warn: no topLevel permission defined: .github/workflows/main.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: 
no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE.md:0","Info: FSF or OSI recognized license: MIT License: LICENSE.md:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: all commits (30) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":7,"reason":"3 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-xffm-g5w8-qvg7","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-fjxv-7rqg-78g4"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-17T02:14:57.279Z","repository_id":32786457,"created_at":"2025-08-17T02:14:57.279Z","updated_at":"2025-08-17T02:14:57.279Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28814603,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-27T12:25:15.069Z","status":"ssl_error","status_checked_at":"2026-01-27T12:25:05.297Z","response_time":168,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hacktoberfest","mock-server","nodejs","oauth2","oauth2-server","testing"],"created_at":"2024-08-01T09:01:36.724Z","updated_at":"2026-01-27T14:15:56.251Z","avatar_url":"https://github.com/axa-group.png","language":"TypeScript","funding_links":[],"categories":["TypeScript","nodejs"],"sub_categories":[],"readme":"# `oauth2-mock-server`\n\n[![npm 
package](https://img.shields.io/npm/v/oauth2-mock-server.svg?logo=npm)](https://www.npmjs.com/package/oauth2-mock-server)\n[![Node.js version](https://img.shields.io/node/v/oauth2-mock-server.svg)](https://nodejs.org/)\n\n\u003e _OAuth 2 mock server. Intended to be used for development or testing purposes._\n\nWhen developing an application that exposes or consumes APIs that are secured with an [OAuth 2](https://oauth.net/2/) authorization scheme, a mechanism for issuing access tokens is needed. Frequently, a developer needs to create custom code that fakes the creation of tokens for testing purposes, and these tokens cannot be properly verified, since there is no actual entity issuing those tokens.\n\nThe purpose of this package is to provide an easily configurable OAuth 2 server that can be set up and torn down at will, and can be programmatically run while performing automated tests.\n\n\u003e **Warning:** This tool is _not_ intended to be used as an actual production grade OAuth 2 server. 
It lacks many features that would be required in a proper implementation.\n\n## Development prerequisites\n\n- [Node.js 20.19+](https://nodejs.org/)\n\n## How to use\n\n### Installation\n\nAdd it to your Node.js project as a development dependency:\n\n```shell\nnpm install --save-dev oauth2-mock-server\n```\n\n### Quickstart\n\nHere is an example for creating and running a server instance with a single random RSA key:\n\n```js\nimport { OAuth2Server } from 'oauth2-mock-server';\n// ...or in CommonJS style:\n// const { OAuth2Server } = require('oauth2-mock-server');\n\nlet server = new OAuth2Server();\n\n// Generate a new RSA key and add it to the keystore\nawait server.issuer.keys.generate('RS256');\n\n// Start the server\nawait server.start(8080, 'localhost');\nconsole.log('Issuer URL:', server.issuer.url); // -\u003e http://localhost:8080\n\n// Do some work with the server\n// ...\n\n// Stop the server\nawait server.stop();\n```\n\nAny number of existing JSON-formatted keys can be added to the keystore.\n\n```js\n// Add an existing JWK key to the keystore\nawait server.issuer.keys.add({\n  kid: 'some-key',\n  alg: 'RS256',\n  kty: 'RSA',\n  // ...\n});\n```\n\nJSON Web Tokens (JWT) can be built programmatically:\n\n```js\nimport axios from 'axios';\n\n// Build a new token\nlet token = await server.issuer.buildToken();\n\n// Call a remote API with the token\naxios\n  .get('https://server.example.com/api/endpoint', {\n    headers: {\n      authorization: `Bearer ${token}`,\n    },\n  })\n  .then((response) =\u003e {\n    /* ... */\n  })\n  .catch((error) =\u003e {\n    /* ... 
*/\n  });\n```\n\n### Supported grant types\n\n- No authentication\n- Client Credentials grant\n- Resource Owner Password Credentials grant\n- Authorization Code grant, with Proof Key for Code Exchange (PKCE) support\n- Refresh token grant\n\n### Supported JWK formats\n\n| Algorithm         | kty | alg                 |\n| ----------------- | --- | ------------------- |\n| RSASSA-PKCS1-v1_5 | RSA | RS256, RS384, RS512 |\n| RSASSA-PSS        | RSA | PS256, PS384, PS512 |\n| ECDSA             | EC  | ES256, ES384, ES512 |\n| EdDSA             | OKP | Ed25519             |\n\n### Customization hooks\n\nIt also provides a convenient way, through event emitters, to programmatically customize the server processing. This is particularly useful when expecting the OIDC service to behave in a specific way on one single test.\n\n#### beforeTokenSigning\n\nTyped signature: `(token: MutableToken, req: TokenRequestIncomingMessage) =\u003e void`\n\n```js\n// Modify the expiration time on next produced token\nservice.once('beforeTokenSigning', (token, req) =\u003e {\n  const timestamp = Math.floor(Date.now() / 1000);\n  token.payload.exp = timestamp + 400;\n});\n```\n\n```js\nconst basicAuth = require('basic-auth');\n\n// Add the client ID to a token\nservice.once('beforeTokenSigning', (token, req) =\u003e {\n  const credentials = basicAuth(req);\n  const clientId = credentials ? 
credentials.name : req.body.client_id;\n  token.payload.client_id = clientId;\n});\n```\n\n#### beforeResponse\n\nTyped signature: `(tokenEndpointResponse: MutableResponse, req: TokenRequestIncomingMessage) =\u003e void`\n\n```js\n// Force the oidc service to provide an invalid_grant response\n// on next call to the token endpoint\nservice.once('beforeResponse', (tokenEndpointResponse, req) =\u003e {\n  tokenEndpointResponse.body = {\n    error: 'invalid_grant',\n  };\n  tokenEndpointResponse.statusCode = 400;\n});\n```\n\n#### beforeUserinfo\n\nTyped signature: `(userInfoResponse: MutableResponse, req: IncomingMessage) =\u003e void`\n\n```js\n// Force the oidc service to provide an error\n// on next call to userinfo endpoint\nservice.once('beforeUserinfo', (userInfoResponse, req) =\u003e {\n  userInfoResponse.body = {\n    error: 'invalid_token',\n    error_message: 'token is expired',\n  };\n  userInfoResponse.statusCode = 401;\n});\n```\n\n#### beforeRevoke\n\nTyped signature: `(revokeResponse: StatusCodeMutableResponse, req: IncomingMessage) =\u003e void`\n\n```js\n// Simulates a custom token revocation result code\nservice.once('beforeRevoke', (revokeResponse, req) =\u003e {\n  revokeResponse.statusCode = 418;\n});\n```\n\n#### beforeAuthorizeRedirect\n\nTyped signature: `(authorizeRedirectUri: MutableRedirectUri, req: IncomingMessage) =\u003e void`\n\n```js\n// Modify the uri and query parameters\n// before the authorization redirect\nservice.once('beforeAuthorizeRedirect', (authorizeRedirectUri, req) =\u003e {\n  authorizeRedirectUri.url.searchParams.set('foo', 'bar');\n});\n```\n\n#### beforePostLogoutRedirect\n\nTyped signature: `(postLogoutRedirectUri: MutableRedirectUri, req: IncomingMessage) =\u003e void`\n\n```js\n// Modify the uri and query parameters\n// before the post_logout_redirect_uri redirect\nservice.once('beforePostLogoutRedirect', (postLogoutRedirectUri, req) =\u003e {\n  postLogoutRedirectUri.url.searchParams.set('foo', 
'bar');\n});\n```\n\n#### beforeIntrospect\n\nTyped signature: `(introspectResponse: MutableResponse, req: IncomingMessage) =\u003e void`\n\n```js\n// Simulate a custom token introspection response body\nservice.once('beforeIntrospect', (introspectResponse, req) =\u003e {\n  introspectResponse.body = {\n    active: true,\n    scope: 'read write email',\n    client_id: '\u003cclient_id\u003e',\n    username: 'dummy',\n    exp: 1643712575,\n  };\n});\n```\n\n### HTTPS support\n\nIt also provides basic HTTPS support: an optional cert and key can be supplied to start the server with SSL/TLS using the built-in Node.js [HTTPS](https://nodejs.org/api/https.html) module.\n\nWe recommend using a package to create a locally trusted certificate, like [mkcert](https://github.com/FiloSottile/mkcert).\n\n```js\nlet server = new OAuth2Server(\n  'test-assets/mock-auth/key.pem',\n  'test-assets/mock-auth/cert.pem'\n);\n```\n\nNOTE: Enabling HTTPS will also update the issuer URL to reflect the current protocol.\n\n## Supported endpoints\n\n### GET `/.well-known/openid-configuration`\n\nReturns the [OpenID Provider Configuration Information](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig) for the server.\n\n### GET `/jwks`\n\nReturns the JSON Web Key Set (JWKS) of all the keys configured in the server.\n\n### POST `/token`\n\nIssues access tokens.\n\n### GET `/authorize`\n\nSimulates the user authentication. It will automatically redirect to the callback endpoint sent as a parameter.\nIt currently supports only the 'code' response_type.\n\n### GET `/userinfo`\n\nProvides extra userinfo claims.\n\n### POST `/revoke`\n\nSimulates a token revocation. This endpoint should always return 200 as stated by [RFC 7009](https://tools.ietf.org/html/rfc7009#section-2.2).\n\n### GET `/endsession`\n\nSimulates the end session endpoint. 
It will automatically redirect to the post_logout_redirect_uri sent as a parameter.\n\n### POST `/introspect`\n\nSimulates the [token introspection endpoint](https://www.oauth.com/oauth2-servers/token-introspection-endpoint/).\n\n## Command-Line Interface\n\nThe server can be run from the command line.\n\n```shell\nnpx oauth2-mock-server --help\n```\n\n## Attributions\n\n- [`jose`](https://www.npmjs.com/package/jose)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faxa-group%2Foauth2-mock-server","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faxa-group%2Foauth2-mock-server","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faxa-group%2Foauth2-mock-server/lists"}