{"id":22268126,"url":"https://github.com/curityio/oauth-agent-node-nextjs","last_synced_at":"2025-07-28T12:31:03.693Z","repository":{"id":40682764,"uuid":"507928264","full_name":"curityio/oauth-agent-node-nextjs","owner":"curityio","description":"A Node.js OAuth Agent for the Next.js web server, providing API driven OAuth and OpenID Connect for SPAs","archived":false,"fork":false,"pushed_at":"2024-06-14T16:50:19.000Z","size":228,"stargazers_count":12,"open_issues_count":0,"forks_count":3,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-06-14T18:17:34.142Z","etag":null,"topics":["nextjs","oauth-agent","oauth2","openid-connect","spa","token-handler"],"latest_commit_sha":null,"homepage":"https://curity.io/resources/learn/nextjs-oauth-agent/","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/curityio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-06-27T13:49:23.000Z","updated_at":"2024-06-14T16:50:22.000Z","dependencies_parsed_at":"2024-06-14T18:09:03.017Z","dependency_job_id":"723ccdd9-be70-490b-a52b-109dcf150f49","html_url":"https://github.com/curityio/oauth-agent-node-nextjs","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Foauth-agent-node-nextjs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Foauth-agent-node-nextjs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2
Foauth-agent-node-nextjs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Foauth-agent-node-nextjs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/curityio","download_url":"https://codeload.github.com/curityio/oauth-agent-node-nextjs/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":227905532,"owners_count":17837906,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["nextjs","oauth-agent","oauth2","openid-connect","spa","token-handler"],"created_at":"2024-12-03T11:11:38.197Z","updated_at":"2024-12-03T11:11:39.164Z","avatar_url":"https://github.com/curityio.png","language":"TypeScript","readme":"# A Next.js OAuth Agent for SPAs\n\n[![Quality](https://img.shields.io/badge/quality-test-yellow)](https://curity.io/resources/code-examples/status/)\n[![Availability](https://img.shields.io/badge/availability-source-blue)](https://curity.io/resources/code-examples/status/)\n\n## Overview\n\nThe OAuth Agent acts as a modern `Back End for Front End (BFF)` for Single Page Applications.\\\nThis implementation demonstrates the standard pattern for SPAs:\n\n- Strong browser security with `HTTP only` and `SameSite=strict` cookies\n- The OpenID Connect flow uses Authorization Code Flow with [PKCE](https://curity.io/resources/learn/pkce/) and a client secret\n\n![Logical Components](/doc/logical-components.png)\n\n## Architecture\n\nThe following endpoints are used so that the SPA uses simple one-liners to perform its OAuth work:\n\n| Endpoint          | 
Description                                                                          |\n|-------------------|--------------------------------------------------------------------------------------|\n| POST /login/start | Start a login by providing the request URL to the SPA and setting temporary cookies. |\n| POST /login/end   | Complete a login and issue secure cookies for the SPA containing encrypted tokens.   |\n| GET /userInfo     | Return information from the User Info endpoint for the SPA to display.               |\n| GET /claims       | Return ID token claims such as `auth_time` and `acr`.                                |\n| POST /refresh     | Refresh an access token and rewrite cookies.                                         |\n| POST /logout      | Clear cookies and return an end session request URL.                                 |\n\nFor further details see the [Architecture](/doc/Architecture.md) article.\n\n## OAuth Agent Development\n\nSee the [Setup](/doc/Setup.md) article for details on productive OAuth Agent development.\\\nThis enables a test-driven approach to developing the OAuth Agent, without the need for a browser.\n\n## Deploying on Vercel\n\nA simple way to deploy a Next.js app is to use the [Vercel](https://vercel.com) platform. All you need to do is connect your repository to the Vercel dashboard and set the proper environment variables. These are the variables used in the `src/config.ts` file. The app can then be deployed and is ready for use.\n\nRemember that the OAuth Agent needs to be deployed to the same parent domain as the SPA, so that cookies can be properly recognized as first-party. 
This means that you need to either configure your own domain in Vercel, or put the OAuth Agent behind a reverse proxy.\n\n### Environment variables\n\nThe following variables are used by the configuration of the OAuth Agent:\n\n| Variable                 | Description                                                                            | Default                                                            |\n|--------------------------|----------------------------------------------------------------------------------------|--------------------------------------------------------------------|\n| CLIENT_ID                | The OAuth client ID.                                                                   | 'spa-client'                                                       |\n| CLIENT_SECRET            | The client secret.                                                                     | 'Password1'                                                        |\n| REDIRECT_URI             | The URI of the SPA.                                                                    | 'http://www.example.local/'                                        |\n| POST_LOGOUT_REDIRECT_URI | The URI to which the user is redirected after logout.                                  | 'http://www.example.local/'                                        |\n| SCOPE                    | The OAuth scope parameter.                                                             | 'openid profile'                                                   |\n| COOKIE_ENCRYPTION_KEY    | The encryption key.*                                                                   | '4e4636356d65563e4c73233847503e3b21436e6f7629724950526f4b5e2e4e50' |\n| COOKIE_NAME_PREFIX       | The prefix of cookies set by the OAuth Agent.                                          | 'example'                                                          |\n| COOKIE_DOMAIN            | The domain for which cookies are issued. 
This should be the domain of the OAuth Agent. | 'api.example.local'                                                |\n| TRUSTED_WEB_ORIGIN       | The origin of the SPA. Requests from other Origins will be rejected.                   | 'http://www.example.local'                                         |\n| CORS_ENABLED             | True when the agent runs in a different subdomain of the web origin, false otherwise   | 'true'                                                             |\n| ISSUER                   | The issuer of the Authorization Server.                                                | 'http://login.example.local:8443/oauth/v2/oauth-anonymous'         |\n| AUTHORIZE_ENDPOINT       | The authorization endpoint of the Authorization Server.                                | 'http://login.example.local:8443/oauth/v2/oauth-authorize'         |\n| LOGOUT_ENDPOINT          | The logout endpoint of the Authorization Server.                                       | 'http://login.example.local:8443/oauth/v2/oauth-session/logout'    |\n| TOKEN_ENDPOINT           | The token endpoint of the Authorization Server.                                        | 'http://login.example.local:8443/oauth/v2/oauth-token'             |\n| USERINFO_ENDPOINT        | The userinfo endpoint of the Authorization Server.                                     | 'http://login.example.local:8443/oauth/v2/oauth-userinfo'          |\n| PORT                     | The port where the OAuth Agent runs. This setting is only used by tests.               | '3000'                                                             |\n\n* A 64-character hex string. 
See [this info](https://curity.io/resources/learn/token-handler-deployment-example/#cookie-encryption-keys) to learn more about the key and how it can be generated.\n\n## End-to-End SPA Flow\n\nSee the below article for details on how to run the end-to-end solution in a browser:\n\n- [SPA Code Example](https://github.com/curityio/spa-using-token-handler)\n\nThe end-to-end solution, by default, uses our [Express implementation of the OAuth Agent](https://github.com/curityio/oauth-agent-node-express).\nIf you want to run it with this Next.js implementation, then a few things would have to be changed manually in the build\nand deployment scripts. In this repository, you will find a `Dockerfile` that can be used with the scripts provided in the End-to-End example.\n\n## Website Documentation\n\nSee the [Curity Token Handler Design Overview](https://curity.io/resources/learn/token-handler-overview/) for further token handler information.\n\n## More Information\n\nPlease visit [curity.io](https://curity.io/) for more information about the Curity Identity Server.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcurityio%2Foauth-agent-node-nextjs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcurityio%2Foauth-agent-node-nextjs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcurityio%2Foauth-agent-node-nextjs/lists"}