{"id":28070057,"url":"https://github.com/rpcpool/rpc-oauth-client","last_synced_at":"2025-10-17T03:33:15.193Z","repository":{"id":103795111,"uuid":"425192037","full_name":"rpcpool/rpc-oauth-client","owner":"rpcpool","description":"Oauth clients for RPC servers","archived":false,"fork":false,"pushed_at":"2022-01-28T10:33:40.000Z","size":4610,"stargazers_count":2,"open_issues_count":0,"forks_count":1,"subscribers_count":6,"default_branch":"main","last_synced_at":"2024-06-21T15:32:53.207Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rpcpool.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-11-06T08:22:34.000Z","updated_at":"2022-05-07T07:18:53.000Z","dependencies_parsed_at":"2024-06-21T14:14:50.311Z","dependency_job_id":null,"html_url":"https://github.com/rpcpool/rpc-oauth-client","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rpcpool%2Frpc-oauth-client","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rpcpool%2Frpc-oauth-client/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rpcpool%2Frpc-oauth-client/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rpcpool%2Frpc-oauth-client/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rpcpool","download_url":"https://codeload.github.com/rpcpool/rpc-oauth-client/t
ar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253808714,"owners_count":21967586,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-05-12T19:36:03.374Z","updated_at":"2025-10-17T03:33:15.116Z","avatar_url":"https://github.com/rpcpool.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# rpc-oauth-client\nA \"headless\" OAuth client (PKCE) for Solana RPC services.\n\nWeb3 operates on a principle of user anonymity. However, that anonymity also creates a vector for bad actors to abuse backend systems: it is currently too easy to spoof an Origin header and gain access to free RPC services.\n\nAn important point of distinction is that the user does not need to reveal their identity to use the service. This is \"headless\" OAuth in the sense that the user is never asked to identify themselves, unlike the more familiar OAuth logins offered by GitHub, Twitter, etc. The rpc-oauth-client allows a dApp to prove that its RPC requests originate from an approved website.\n\n## How does it work?\n\nThis implements a version of the standard OAuth2 PKCE flow, but skips the user-authentication step and instead authenticates only the origin of the request. The origin can be authenticated in two ways:\n\n 1) Only allow requests from a particular origin to initiate the request flow. 
This is easily spoofable from a command line, since any HTTP client can send an arbitrary Origin header, but it cannot be forged by page script inside a standards-compliant browser: the browser sets the Origin header itself and enforces CORS on the response.\n 2) Only do callbacks to a specific URL, meaning that at the end of the flow we redirect to that particular URL. This URL receives a temporary token (the OAuth2 authorization code), which it then exchanges with our service for a permanent, time-limited access token. The callback can be any type of URL that the user's device can reach: localhost, a native app, an extension callback and so forth.\n\nThis flow lets us authenticate that a request comes from your application as its origin. Someone seeking to abuse an RPC endpoint that has OAuth2 support will have to run an interactive browser to receive the actual token, and will also have to refresh those tokens regularly, which considerably increases the effort needed to abuse RPC endpoints. It raises the cost of abuse rather than eliminating it: a token handed to browser code is visible to anyone who can load the page.\n\n## Integrating with your app/client\n\nTo integrate with your own setup you'll need to add support for the OAuth PKCE flow.\n\nIn this repo we have included a sample [oauth.ts](oauth.ts) containing a TypeScript OAuth client that can be used as a reference. 
An example of how to use this is given below:\n\n```ts\n  // Snippet from a React component. `network` and `rpcHost` (the OAuth-enabled RPC\n  // endpoint) come from your app's configuration; getOAuthToken is assumed to be\n  // the helper exported by oauth.ts in this repo. Imports belong at module top level.\n  import { useEffect, useMemo, useState } from \"react\";\n  import { clusterApiUrl, Connection } from \"@solana/web3.js\";\n  import * as anchor from \"@project-serum/anchor\"; // package name assumed; use your project's anchor import\n  import { getOAuthToken } from \"./oauth\";\n\n  const endpoint = useMemo(() =\u003e clusterApiUrl(network), []);\n\n  // Start with an unauthenticated connection; swap it once the token arrives.\n  const [ connection, setConnection ] = useState\u003cConnection\u003e(new anchor.web3.Connection(rpcHost))\n\n  useEffect(() =\u003e {\n    (async () =\u003e {\n      const accessToken = await getOAuthToken(\n        \"my-client-id\", // This needs to be generated on the server side by us\n        \"http://localhost:8080\", // This needs to be whitelisted by us on the server side\n        \"https://auth-fra1.rpcpool.com:8443/oauth2/auth\",\n        \"https://auth-fra1.rpcpool.com:8443/oauth2/token\",\n      );\n\n      // Every RPC request made through this connection now carries the bearer token.\n      setConnection(new anchor.web3.Connection(rpcHost, { httpHeaders: { 'Authorization': `Bearer ${accessToken}`}}));\n    })()\n  }, [])\n```\n\nWe have also included sample Go source for an app that implements the OAuth part. You can use this to write a custom integration with your app.\n\n### Features\n\nYour integration should feature:\n\n  - Configuration of the parameters of an OAuth2 PKCE flow using custom auth/token URLs along with custom requested scopes (sample ones below for testing)\n  - Code verifier generation and code challenge derivation for the PKCE flow (the server validates the verifier at token exchange)\n  - Callback for receiving the initial authorization code and exchanging it for a permanent token\n  - Tracking expiry time of tokens received\n  - Renewal of tokens using a refresh token\n\n\n### SDKs and other examples\n\nA sample SDK is provided by Auth0, which can be used as a baseline:\n\n - https://auth0.com/docs/libraries/auth0-single-page-app-sdk\n\nThere has also been work integrating OAuth support with web3.js/Candy Machine/Metaplex:\n\n - https://github.com/metaplex-foundation/metaplex/pull/944\n - https://github.com/metaplex-foundation/metaplex/pull/1193\n - https://github.com/solana-labs/solana/issues/21816\n\n\n## Backend Servers\n\nFor testing, we currently have both a sample client and a set of backend servers set up. The sample client is given in this repo. 
To get OAuth access credentials \n\n### Sample client\n\nFor the sample client you can visit https://auth-fra1.rpcpool.com and click 'Login'. After the authentication flow you will be redirected back to a callback page on the same domain, with a token that you can use for RPC requests.\n\nYou can use the token received in the following way:\n\n```sh\ncurl -H \"Authorization: Bearer \u003ctoken\u003e\" https://stage.mainnet.rpcpool.com ... rpc call ...\n```\n\nTo validate that the token has given you higher access permissions use the following:\n\n```sh\ncurl -H \"Authorization: Bearer \u003ctoken\u003e\" https://stage.mainnet.rpcpool.com/tier\n```\n\nThe response should be `tier1,offline_access`.\n\n### OAuth2 Backend\n\nFor testing we provide an OAuth2 backend which offers the following two OAuth2 endpoints:\n\n - Auth URL:  https://auth-fra1.rpcpool.com:8443/oauth2/auth\n - Token URL: https://auth-fra1.rpcpool.com:8443/oauth2/token\n\nThe auth URL is the starting point of the authentication flow. After the flow is completed, we will call back on the `redirect_url` that you specified in your OAuth2 request. This URL needs to be whitelisted for your particular `client_id` (see below), and the value you send must match what was registered.\n\nAfter the flow you'll receive a temporary token (the authorization code) as a parameter on the callback. Use this temporary token, together with your PKCE code verifier, at the Token URL above to turn it into a bearer token that you can use to authenticate with the RPC servers.\n\n### OAuth2 Credentials\n\nTo run this, you will need two pieces of credentials pre-registered with the OAuth2 backend above:\n\n 1. `client_id` - the client ID under which the credentials will be registered\n 2. `redirect_url` - the redirect URL/callback URL that the OAuth2 server will use to send credentials at the end of the authentication flow\n\nTo get new credentials for testing, e-mail support@triton.one. 
\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frpcpool%2Frpc-oauth-client","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frpcpool%2Frpc-oauth-client","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frpcpool%2Frpc-oauth-client/lists"}
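The README's "How does it work?" section and its "Features" checklist (verifier generation, callback handling, expiry tracking, refresh) describe the client half of the PKCE flow without showing it. The block below is an added example written for this page; it is not code from the rpc-oauth-client repository or from oauth.ts. It implements the flow as pure functions so the app supplies the transport (fetch, a native HTTP client), and pairs them with a constructed in-memory `FakeAuthServer` that stands in for the real auth/token endpoints so the whole round trip runs offline. The `auth.example` host, the `tier1 offline_access` scope string, the callback path and the fake server's token format are assumptions for the demo; the real backend is described in the README above.

```typescript
// Added example (not rpc-oauth-client code): client side of the headless PKCE flow,
// plus a constructed stand-in server so the round trip can be run and checked offline.
import { createHash, randomBytes, timingSafeEqual } from "crypto";

export interface PkceSession { codeVerifier: string; codeChallenge: string; state: string }
export interface TokenSet { accessToken: string; refreshToken?: string; expiresAt: number }

export function base64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// RFC 7636 S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
export function codeChallengeS256(verifier: string): string {
  return base64url(createHash("sha256").update(verifier, "ascii").digest());
}

// The verifier stays on the client until the token exchange; state ties the callback to this session.
export function newPkceSession(): PkceSession {
  const codeVerifier = base64url(randomBytes(32)); // 43 chars, inside RFC 7636's 43..128 range
  return { codeVerifier, codeChallenge: codeChallengeS256(codeVerifier), state: base64url(randomBytes(16)) };
}

export function buildAuthUrl(authUrl: string, clientId: string, redirectUri: string, scope: string, s: PkceSession): string {
  const u = new URL(authUrl);
  const params: Record<string, string> = {
    response_type: "code", client_id: clientId, redirect_uri: redirectUri, scope,
    state: s.state, code_challenge: s.codeChallenge, code_challenge_method: "S256",
  };
  for (const [k, v] of Object.entries(params)) u.searchParams.set(k, v);
  return u.toString();
}

// Reject a callback whose state does not match before trusting the code it carries.
export function parseCallback(callbackUrl: string, expectedState: string): string {
  const p = new URL(callbackUrl).searchParams;
  if (p.get("error")) throw new Error(`authorization failed: ${p.get("error")}`);
  const got = Buffer.from(p.get("state") ?? ""), want = Buffer.from(expectedState);
  if (got.length !== want.length || !timingSafeEqual(got, want)) throw new Error("state mismatch");
  const code = p.get("code");
  if (!code) throw new Error("callback carried no authorization code");
  return code;
}

// Form bodies for the token endpoint: code exchange (with the verifier) and refresh.
export function codeExchangeBody(clientId: string, redirectUri: string, code: string, s: PkceSession): URLSearchParams {
  return new URLSearchParams({ grant_type: "authorization_code", client_id: clientId, redirect_uri: redirectUri, code, code_verifier: s.codeVerifier });
}
export function refreshBody(clientId: string, refreshToken: string): URLSearchParams {
  return new URLSearchParams({ grant_type: "refresh_token", client_id: clientId, refresh_token: refreshToken });
}

// Convert a token response into a TokenSet with an absolute expiry, so expiry can be tracked.
export function parseTokenResponse(json: Record<string, unknown>, nowMs: number): TokenSet {
  const at = json.access_token, exp = json.expires_in, rt = json.refresh_token;
  if (typeof at !== "string" || typeof exp !== "number") throw new Error("malformed token response");
  return { accessToken: at, refreshToken: typeof rt === "string" ? rt : undefined, expiresAt: nowMs + exp * 1000 };
}
export function needsRefresh(t: TokenSet, nowMs: number, skewMs = 60_000): boolean {
  return nowMs + skewMs >= t.expiresAt; // refresh a little early to avoid a failing RPC call
}

// Constructed stand-in for the auth and token endpoints (assumption: not the real backend).
export class FakeAuthServer {
  private challenges = new Map<string, string>(); // authorization code -> code_challenge
  constructor(private clientId: string, private redirectUri: string) {}
  authorize(authUrl: string): string { // returns the callback URL the browser would be redirected to
    const p = new URL(authUrl).searchParams;
    if (p.get("client_id") !== this.clientId || p.get("redirect_uri") !== this.redirectUri) throw new Error("unknown client or redirect_uri not whitelisted");
    const code = base64url(randomBytes(12));
    this.challenges.set(code, p.get("code_challenge") ?? "");
    const cb = new URL(this.redirectUri);
    cb.searchParams.set("code", code);
    cb.searchParams.set("state", p.get("state") ?? "");
    return cb.toString();
  }
  token(body: URLSearchParams): Record<string, unknown> {
    const fresh = () => "at-" + base64url(randomBytes(6));
    if (body.get("grant_type") === "refresh_token") return { access_token: fresh(), refresh_token: body.get("refresh_token"), expires_in: 3600 };
    const code = body.get("code") ?? "", want = this.challenges.get(code);
    this.challenges.delete(code); // codes are single use
    if (!want || codeChallengeS256(body.get("code_verifier") ?? "") !== want) throw new Error("invalid_grant: bad code or verifier");
    return { access_token: fresh(), refresh_token: "rt-" + base64url(randomBytes(6)), expires_in: 3600 };
  }
}

// Full round trip against the fake server: authorize, callback, exchange, then refresh near expiry.
export function demoFlow(nowMs = 0): { first: TokenSet; refreshed: TokenSet } {
  const clientId = "my-client-id", redirect = "http://localhost:8080/callback"; // assumed values
  const server = new FakeAuthServer(clientId, redirect);
  const session = newPkceSession();
  const callback = server.authorize(buildAuthUrl("https://auth.example/oauth2/auth", clientId, redirect, "tier1 offline_access", session));
  const code = parseCallback(callback, session.state);
  const first = parseTokenResponse(server.token(codeExchangeBody(clientId, redirect, code, session)), nowMs);
  const later = first.expiresAt - 30_000; // 30 s before expiry: inside the refresh skew
  const refreshed = needsRefresh(first, later) ? parseTokenResponse(server.token(refreshBody(clientId, first.refreshToken ?? "")), later) : first;
  return { first, refreshed };
}
```

In a real integration the app keeps `PkceSession` in memory (or sessionStorage) between the redirect and the callback, posts the `URLSearchParams` bodies to the Token URL with `Content-Type: application/x-www-form-urlencoded`, and calls `needsRefresh` before each batch of RPC requests. The fake server shows the check that makes PKCE work: the token endpoint recomputes S256 over the submitted `code_verifier` and compares it to the `code_challenge` it saw at authorization time, so a stolen code without the verifier is useless.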