{"id":15827642,"url":"https://github.com/defless/oauth-2.1-example","last_synced_at":"2026-02-09T04:35:23.910Z","repository":{"id":42574956,"uuid":"417910324","full_name":"defless/OAuth-2.1-example","owner":"defless","description":"OAuth 2.1 integration with fastify API","archived":false,"fork":false,"pushed_at":"2024-04-25T17:40:03.000Z","size":686,"stargazers_count":3,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-10-12T10:26:01.128Z","etag":null,"topics":["api-rest","fastify","oauth2","pkce","pkce-flow","pkce-oauth","third-party"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/defless.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-10-16T18:13:04.000Z","updated_at":"2024-04-25T17:44:51.000Z","dependencies_parsed_at":"2024-10-26T22:01:54.654Z","dependency_job_id":null,"html_url":"https://github.com/defless/OAuth-2.1-example","commit_stats":{"total_commits":70,"total_committers":3,"mean_commits":"23.333333333333332","dds":"0.37142857142857144","last_synced_commit":"783b65915557bc4beb9b53635364923fdc6d8494"},"previous_names":["defless/oauth-2.1-example"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/defless%2FOAuth-2.1-example","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/defless%2FOAuth-2.1-example/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/defless%2FOAuth-2.1-example/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/defless%2FOAuth-2.1-example/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/defless","download_url":"https://codeload.github.com/defless/OAuth-2.1-example/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243685506,"owners_count":20330980,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["api-rest","fastify","oauth2","pkce","pkce-flow","pkce-oauth","third-party"],"created_at":"2024-10-05T10:08:13.916Z","updated_at":"2026-02-09T04:35:23.882Z","avatar_url":"https://github.com/defless.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OAuth 2.1 implementation sandbox 🔐\n\nThis repository is an object lesson of an [OAuth 2.1](https://oauth.net/2/) protocol integration on a basic **Fastify API**. I made it for learning purposes, so feel free\nto contribute ! 🙃\n\n## Table of Contents\n* [Installation](#installation)\n* [What is OAuth ?](#what-is-oauth)\n* [How to use this repository ?](#how-to-use-this-repository)\n* [Try it](#try-it)\n\n\n## Installation\n\nTo start, just clone this repository and then use:\n\n```bash\nyarn install # or using pnpm: pnpm install\n```\n\nBefore starting the node server, be sure to have a `.env` file matching `.env.example`. (I will come back after on the specific values to setup in it)\n\nThen just run the following start command:\n\n```bash\nyarn dev # or using pnpm: pnpm dev\n```\n\nThe auth server is by default listening on port 3000 \u003c/br\u003e\n\n## What is OAuth\n\n### OAuth 2.0 \n\nI won't reinvent the wheel so I suggest you to read the [The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749) from the Internet Engineering Task Force. It's maybe not the most beautiful documentation but it's by far one of the most complete and accurate.\n\nHere's the basic protocol flow:\n\n```\n +--------+ +---------------+\n | |--(A)------- Authorization Grant ---------\u003e| |\n | | | |\n | |\u003c-(B)----------- Access Token -------------| |\n | | \u0026 Refresh Token | |\n | | | |\n | | +----------+ | |\n | |--(C)---- Access Token ----\u003e| | | |\n | | | | | |\n | |\u003c-(D)- Protected Resource --| Resource | | Authorization |\n | Client | | Server | | Server |\n | |--(E)---- Access Token ----\u003e| | | |\n | | | | | |\n | |\u003c-(F)- Invalid Token Error -| | | |\n | | +----------+ | |\n | | | |\n | |--(G)----------- Refresh Token -----------\u003e| |\n | | | |\n | |\u003c-(H)----------- Access Token -------------| |\n +--------+ \u0026 Optional Refresh Token +---------------+\n\n```\n\n### And what about 2.1 🧐\n\nOAuth 2.1 is an in-progress effort to consolidate and simplify the most commonly used features of OAuth 2.0. You can go [here](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-10) for more details.\n\nBut the main changes are the following: \n\n - The authorization code grant is extended with the functionality from PKCE (Proof-Key for Code Exchange)\n\n - Redirect URIs must be compared using exact string matching\n \n - The Implicit grant (response_type=token) is omitted\n \n - The Resource Owner Password Credentials grant is omitted\n \n - Bearer token usage omits the use of bearer tokens in the query string of URIs\n \n - Refresh tokens for public clients must either be sender-constrained or one-time use \n\n## How to use this repository\n\nThis API provides endpoints to test OAuth flow all by yourself without any front-end. The limit however is that as there is no front-end application you need to do some more steps by yourself in order to make it work. Of course in a production ready application it would'nt have been done this way. \n\n### Register a new user\n\n1. #### Using user credentials:\n\n You can register a new user in two ways, first you can use the ```POST /auth/register``` route to register a user by sending an email \n\n2. #### Using a third party provider \n\n For a third party provider, the register process is the same that an authentication.\n\n### Authenticate\n\n1. #### With ```grant_type=\"password\"``` \n\n\u003e ⚠ī¸ As the 2.1 standard specifies, using the password must be avoided as much as possible\n\nRequest ```POST /auth/authenticate``` with the right email and the right password and you will be granted an access/refresh tokens duet.\n\n2. #### With ```grant_type=\"refresh_token\"```\n\nRequest ```POST /auth/authenticate``` with the ```refresh_token``` you stored from your last authentication request and you will be granted a new access/refresh tokens duet.\n\n3. #### With ```grant_type=\"authorization_code\"```\n\nThe authorization code allows you to register using a code provided by a third party solution (like Google or Github). In this example we use the provided code to access you public data on these providers api and then create an access/refresh tokens duet.\n\n##### \u003cins\u003eUsing Google:\u003c/ins\u003e\n\u003e ℹī¸ You can find the documentation for Google Api using OAuth [here](https://developers.google.com/identity/protocols/oauth2/native-app)\n\n- **Step 1:** Request ```GET /helpers/pkce``` to get your ```code_challenge``` and your ```code_verifier``` required for the [PKCE](https://www.oauth.com/oauth2-servers/pkce/) flow. \n\n- **Step 2:** Navigate to this url https://accounts.google.com/o/oauth2/v2/auth/oauth?scope=email\u0026response_type=code\u0026redirect_uri=http://localhost:3000/helpers/callback\u0026client_id=616004699496-e8udbu373o3muhns6ca826d8hsvtski8.apps.googleusercontent.com\u0026code_challenge_method=256\u0026code_challenge=[YOUR_CODE_CHALLENGE] \n\u003e ⚠ī¸ Don't forget to set your own code_challenge generated earlier in the url\n\n- **Step 3:** After connecting with your credentials you will be redirected to the ```GET /helpers/callback``` with your authorization code.\n\n- **Step 4:** Request ```POST /auth/authenticate``` with the right ```grant_type```, the ```code``` you just received, and also the ```code_verifier``` and you should get a access/refresh\n tokens duet as response. \n\n\u003e ⚠ī¸ It's mandatory to use the ```code_verifier``` used to encrypt the code_challenge otherwise it cannot work.\n\n##### \u003cins\u003eUsing Github:\u003c/ins\u003e\n\n\u003e ℹī¸ As Github **does not support PKCE** you can ignore ```code_verifier``` and ```code_challenge```\n\n- **Step 1:** Navigate to this url: https://github.com/login/oauth/authorize?client_id=3f2c99a3de279ba209fb](https://github.com/login/oauth/authorize?client_id=3f2c99a3de279ba209fb) where ```client_id``` refers to the client_id of the github app I've created for this exemple following [this](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/creating-an-oauth-app).\n\n- **Step 2:** After connecting with your credentials you will be redirected to the ```GET /helpers/callback``` with your authorization code. \n(this url is set as callback url in github configuration)\n\n- **Step 3:** Request ```POST /auth/authenticate``` with the right ```grant_type``` and the ```code``` you just received, and you should get a access/refresh tokens duet as response. \n\n### Access ressources\n\nTo access restricted data, just set the authorization header as a \"Bearer\" token corresponding to your ```refresh_token```\n\n## Try it\n\n\u003c/br\u003e\n\nYou can found the documentation [here](https://documenter.getpostman.com/view/13815486/2sA3BoZBfN#d77d2a56-4569-4adc-bad2-79675b67041b) 👈\n\nor even try it yourself with this postman library:\u003cbr\u003e\n\u003cbr\u003e\n[\u003cimg src=\"https://run.pstmn.io/button.svg\" alt=\"Run In Postman\" style=\"width: 128px; height: 32px;\"\u003e](https://app.getpostman.com/run-collection/13815486-9b79f65f-be11-4928-94e1-90c902579f65?action=collection%2Ffork\u0026source=rip_markdown\u0026collection-url=entityId%3D13815486-9b79f65f-be11-4928-94e1-90c902579f65%26entityType%3Dcollection%26workspaceId%3D71afb205-34e7-4c58-9c00-f3cc105b0da0#?env%5BOAuth%202.1%20sandbox%5D=W3sia2V5IjoiYWNjZXNzX3Rva2VuIiwidmFsdWUiOiIiLCJlbmFibGVkIjp0cnVlLCJ0eXBlIjoiZGVmYXVsdCIsInNlc3Npb25WYWx1ZSI6IiIsInNlc3Npb25JbmRleCI6MH0seyJrZXkiOiJyZWZyZXNoX3Rva2VuIiwidmFsdWUiOiIiLCJlbmFibGVkIjp0cnVlLCJ0eXBlIjoic2VjcmV0Iiwic2Vzc2lvblZhbHVlIjoiIiwic2Vzc2lvbkluZGV4IjoxfSx7ImtleSI6ImJhc2VfdXJsIiwidmFsdWUiOiIiLCJlbmFibGVkIjp0cnVlLCJ0eXBlIjoiZGVmYXVsdCIsInNlc3Npb25WYWx1ZSI6ImxvY2FsaG9zdDozMDAwIiwic2Vzc2lvbkluZGV4IjoyfSx7ImtleSI6ImNvZGVfdmVyaWZpZXIiLCJ2YWx1ZSI6IiIsImVuYWJsZWQiOnRydWUsInR5cGUiOiJkZWZhdWx0Iiwic2Vzc2lvblZhbHVlIjoiMTgyMzVlMzRmZDJjM2JlMzE1N2I3MDJhYTRiNzI0NDFlNThmOGMzYTA1YjU3ODdjMmM3MWEwMTJmYzY4MjkyMjExMTk2OTE1NzMyMDFmOGIyZjZkZDNiMDY2NTIzMjE1ODE3ZjIwYmJiODg1ZmNlMzVkM2UyN2MxYjI4ZGU2OTQiLCJzZXNzaW9uSW5kZXgiOjN9LHsia2V5IjoiY29kZV9jaGFsbGVuZ2UiLCJ2YWx1ZSI6IiIsImVuYWJsZWQiOnRydWUsInR5cGUiOiJkZWZhdWx0Iiwic2Vzc2lvblZhbHVlIjoiVUFtWG9tclI3NkVxbmhwamp4QUtyMFU0Z0VkREloejdYNTAtUzhmenlkdyIsInNlc3Npb25JbmRleCI6NH0seyJrZXkiOiJjYWxsYmFja191cmwiLCJ2YWx1ZSI6IiIsImVuYWJsZWQiOnRydWUsInR5cGUiOiJkZWZhdWx0Iiwic2Vzc2lvblZhbHVlIjoiL2hlbHBlcnMvY2FsbGJhY2siLCJzZXNzaW9uSW5kZXgiOjV9XQ==)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdefless%2Foauth-2.1-example","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdefless%2Foauth-2.1-example","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdefless%2Foauth-2.1-example/lists"}