{"id":46196253,"url":"https://github.com/digicatapult/tsoa-oauth-express","last_synced_at":"2026-04-02T13:41:25.157Z","repository":{"id":239612568,"uuid":"800030728","full_name":"digicatapult/tsoa-oauth-express","owner":"digicatapult","description":"Authentication handler for TSOA using OAuth2 JWT tokens","archived":false,"fork":false,"pushed_at":"2026-03-26T17:34:36.000Z","size":779,"stargazers_count":1,"open_issues_count":3,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-03-26T22:51:02.022Z","etag":null,"topics":["authentication","express","oauth2","tsoa"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/digicatapult.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-05-13T15:10:47.000Z","updated_at":"2026-03-26T00:38:43.000Z","dependencies_parsed_at":"2024-06-28T00:24:54.294Z","dependency_job_id":"7216f23d-b0bc-434c-ad52-a230cc59f28f","html_url":"https://github.com/digicatapult/tsoa-oauth-express","commit_stats":null,"previous_names":["digicatapult/tsoa-oauth-express"],"tags_count":146,"template":false,"template_full_name":null,"purl":"pkg:github/digicatapult/tsoa-oauth-express","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/digicatapult%2Ftsoa-oauth-express","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/digicatapult%2Ftsoa-oauth-express/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/digicatapult%2Ftsoa-oauth-express/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/digicatapult%2Ftsoa-oauth-express/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/digicatapult","download_url":"https://codeload.github.com/digicatapult/tsoa-oauth-express/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/digicatapult%2Ftsoa-oauth-express/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31307196,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-02T12:59:32.332Z","status":"ssl_error","status_checked_at":"2026-04-02T12:54:48.875Z","response_time":89,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","express","oauth2","tsoa"],"created_at":"2026-03-03T03:11:16.914Z","updated_at":"2026-04-02T13:41:25.136Z","avatar_url":"https://github.com/digicatapult.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# tsoa-oauth-express\n\nThis library enables easy implementation of OAuth2 authentication for [tsoa](https://tsoa-community.github.io/docs/) on [express](http://expressjs.com/). To use this library first add it as an `npm` dependency to your existing `tsoa` application.\n\n```sh\nnpm i @digicatapult/tsoa-oauth-express\n```\n\nYour authentication file (see tsoa's documentation on authentication setup [here](https://tsoa-community.github.io/docs/authentication.html)) will then need to contain something like:\n\n```ts\nimport type express from 'express'\nimport type * as jwt from 'jsonwebtoken'\n\nimport mkExpressAuthentication, { AuthOptions } from '@digicatapult/tsoa-oauth-express'\n\n// module options\nconst options: AuthOptions = {\n  ...\n}\n\nexport const expressAuthentication = mkExpressAuthentication(options)\n```\n\nwhere the `options` value is an object with the following type and properties:\n\n```ts\ninterface AuthOptions {\n  securityName?: string\n  verifyOptions?: jwt.VerifyOptions \u0026 { complete?: false }\n  jwksUri: () =\u003e Promise\u003cstring\u003e\n  getAccessToken: (req: express.Request) =\u003e Promise\u003cstring | undefined\u003e\n  getScopesFromToken: (decoded: string | jwt.JwtPayload) =\u003e Promise\u003cstring[]\u003e\n  tryRefreshTokens: (req: express.Request) =\u003e Promise\u003cboolean\u003e\n}\n```\n\n| property           | required | description                                                                                                                                                                         |\n| ------------------ | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| jwksUri            | `true`   | Resolves to the `uri` for your identity providers `jwks` configuration                                                                                                              |\n| getAccessToken     | `true`   | Resolves a JWT from the `Request`. For example this may come from an `authorization` header or a `cookie` based on requirements                                                     |\n| getScopesFromToken | `true`   | Resolves to an array of OAuth scopes that the provided token supports                                                                                                               |\n| securityName       | `false`  | `OpenAPI` Security scheme name to be secured                                                                                                                                        |\n| verifyOptions      | `false`  | `jsonwebtoken` verification options. See the [jsonwebtoken documentation](https://www.npmjs.com/package/jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback) for details |\n| tryRefreshTokens   | `false`  | Performs a token refresh. Resolves to `true` if the refressh succeeded otherwise `false`. By default this always resolves to `false`                                                |\n\n## Example\n\nAn example implementation of using the OAuth client-credential flow to authenticate a machine-to-machine (m2m) API is included in the package repository. This consists of two parts, a pre-configured `Keycloak` instance which can be instantiated with `docker compose` to act as our identity provider and an example application under [./example](./example) which implements to `tsoa` server. For further information please see the [tsoa authentication documentation](https://tsoa-community.github.io/docs/authentication.html) and our authentication handler example at [./example/authentication.ts](./example/authentication.ts).\n\nTo get started first bring up the `Keycloak` instance by executing from the repository root:\n\n```sh\ndocker compose up -d\n```\n\nThis will automatically pre-configure a client called `example` with client secret `example`. We can then fetch a m2m token by executing:\n\n```sh\ncurl --request POST \\\n  --url 'http://localhost:3080/realms/example/protocol/openid-connect/token' \\\n  --header 'content-type: application/x-www-form-urlencoded' \\\n  --data grant_type=client_credentials \\\n  --data client_id=example \\\n  --data client_secret=example\n```\n\nThis will return a JSON object with a JWT auth token in the `access_token` property that takes the form like `eyJhbGci...r8TIOfRQ`.\n\nThe example server can then be run with:\n\n```sh\nnpm run example\n```\n\nThis server listens on port 3000 and exposes two routes `/authenticated` and `/unauthenticated` where only the first route requires an auth token. So we can for example call\n\n```sh\ncurl http://localhost:3000/unauthenticated\n```\n\nwhich should return something like\n\n```json\n{ \"message\": \"This route is unauthenticated\", \"authenticated\": false }\n```\n\nBut calling the authenticated route (`curl http://localhost:3000/authenticated`) in the same was will return an error\n\n```json\n{ \"message\": \"unauthenticated\" }\n```\n\nProviding the JWT auth token as part of an authentication header:\n\n```sh\ncurl http://localhost:3000/authenticated --header 'authorization: bearer eyJhbGci...r8TIOfRQ'\n```\n\ncauses the call to succeed:\n\n```json\n{ \"message\": \"This route is authenticated\", \"authenticated\": true }\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdigicatapult%2Ftsoa-oauth-express","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdigicatapult%2Ftsoa-oauth-express","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdigicatapult%2Ftsoa-oauth-express/lists"}