https://github.com/alyldas/uniauth-oauth-oidc-provider
OAuth/OIDC provider adapter helpers for UniAuth.
https://github.com/alyldas/uniauth-oauth-oidc-provider
auth authentication oauth oidc provider typescript uniauth
Last synced: 2 days ago
JSON representation
OAuth/OIDC provider adapter helpers for UniAuth.
- Host: GitHub
- URL: https://github.com/alyldas/uniauth-oauth-oidc-provider
- Owner: alyldas
- License: other
- Created: 2026-05-26T15:13:33.000Z (about 1 month ago)
- Default Branch: main
- Last Pushed: 2026-05-27T16:13:04.000Z (about 1 month ago)
- Last Synced: 2026-05-27T16:15:41.739Z (about 1 month ago)
- Topics: auth, authentication, oauth, oidc, provider, typescript, uniauth
- Language: TypeScript
- Homepage: https://github.com/alyldas/uniauth-oauth-oidc-provider#readme
- Size: 43.9 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
- Security: SECURITY.md
- Notice: NOTICE
- Agents: AGENTS.md
Awesome Lists containing this project
README
# UniAuth OAuth OIDC Provider
[](https://github.com/users/alyldas/packages/npm/package/uniauth-oauth-oidc-provider)
`@alyldas/uniauth-oauth-oidc-provider` exposes a small SDK-free contract for OAuth and OIDC
provider adapters. It maps a validated provider profile into a UniAuth `ProviderIdentityAssertion`
and delegates account decisions to the existing UniAuth core flow.
## Runtime Boundary
This package does not own authorization URL creation, callback routes, state and nonce validation,
redirect URI policy, PKCE storage, provider secrets, HTTP clients, token persistence, refresh, or
revocation.
## Install
Configure the GitHub Packages registry for the package scope before installing:
```ini
@alyldas:registry=https://npm.pkg.github.com
```
GitHub Packages can require authentication for package reads. Use a token with `read:packages` in local npm config or CI secrets; do not commit tokens.
```bash
npm install @alyldas/uniauth-core @alyldas/uniauth-oauth-oidc-provider
```
## Usage
```ts
import { createOAuthOidcProvider, type OAuthOidcClient } from '@alyldas/uniauth-oauth-oidc-provider'
const client: OAuthOidcClient = {
async exchangeCode(input) {
return appOAuthClient.exchangeCode({
code: input.code,
redirectUri: input.redirectUri,
codeVerifier: input.codeVerifier,
})
},
async fetchProfile(input) {
return appOAuthClient.fetchUserInfo(input.tokens)
},
}
providerRegistry.register(
createOAuthOidcProvider({
providerId: 'example-oauth',
client,
}),
)
```
```ts
await auth.public.provider.signIn({
provider: 'example-oauth',
finishInput: {
code: request.query.code,
state: request.query.state,
payload: {
redirectUri: 'https://app.example/auth/callback',
codeVerifier: request.session.oauthCodeVerifier,
},
},
})
```
The built-in mapper uses `profile.subject` as `providerUserId`, maps verified email and phone
claims, and copies only reduced profile metadata such as issuer, preferred username, picture URL,
locale, and explicit app-provided profile metadata.
Use `mapProfile` when a provider needs a custom subject format or tenant-specific metadata:
```ts
createOAuthOidcProvider({
providerId: 'tenant-oauth',
client,
mapProfile: ({ provider, profile }) => ({
provider,
providerUserId: `${profile.issuer}:${profile.subject}`,
}),
})
```
Use `createOAuthOidcTokenRecord(...)` when an application needs one normalized shape for
application-owned token persistence. See [provider token persistence](docs/provider-token-persistence.md).
## Security Notes
- Validate `state`, `nonce`, redirect URI, and PKCE verifier in application code.
- Keep provider secrets in the application-owned client.
- Do not store access tokens, ID tokens, or refresh tokens in `ProviderIdentityAssertion.metadata`.
- Token storage, refresh token rotation, and provider revocation remain application-owned.
- UniAuth policy invariants still apply after mapping.
## Local Checks
```bash
npm run check
```