Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/panva/oauth4webapi

OAuth 2 / OpenID Connect for JavaScript Runtimes
https://github.com/panva/oauth4webapi

authentication authorization browser bun cloudflare-workers deno electron javascript nextjs node nodejs oauth2 oidc openid openid-connect vercel-edge

Last synced: 23 days ago
JSON representation

OAuth 2 / OpenID Connect for JavaScript Runtimes

Awesome Lists containing this project

README 

        
# Low-Level OAuth 2 / OpenID Connect Client API for JavaScript Runtimes



This software provides a collection of routines that can be used to build client modules for OAuth 2.1, OAuth 2.0 with the latest Security Best Current Practices (BCP), and FAPI 2.0, as well as OpenID Connect where applicable. The primary goal of this software is to promote secure and up-to-date best practices while using only the capabilities common to both browser and non-browser JavaScript runtimes.



## Features



The following features are currently in scope and implemented in this software:



- Authorization Server Metadata discovery

- Authorization Code Flow (profiled under OpenID Connect 1.0, OAuth 2.0, OAuth 2.1, and FAPI 2.0), with PKCE

- Refresh Token, Device Authorization, and Client Credentials Grants

- Demonstrating Proof-of-Possession at the Application Layer (DPoP)

- Token Introspection and Revocation

- Pushed Authorization Requests (PAR)

- UserInfo and Protected Resource Requests

- Authorization Server Issuer Identification

- JWT Secured Introspection, Response Mode (JARM), Authorization Request (JAR), and UserInfo

- Validating incoming JWT Access Tokens



## Sponsor



  

  

  Auth0 by Okta



If you want to quickly add authentication to JavaScript apps, feel free to check out Auth0's JavaScript SDK and free plan. [Create an Auth0 account; it's free!][sponsor-auth0]




## [Certification](https://openid.net/certification/faq/)



[OpenID Certification](#certification)



[Filip Skokan](https://github.com/panva) has [certified](https://openid.net/certification) that [this software](https://github.com/panva/oauth4webapi) conforms to the Basic, FAPI 1.0, and FAPI 2.0 Relying Party Conformance Profiles of the OpenID Connectβ„’ protocol.



## [πŸ’— Help the project](https://github.com/sponsors/panva)



Support from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by [becoming a sponsor](https://github.com/sponsors/panva).



## Dependencies: 0



`oauth4webapi` has no dependencies and it exports tree-shakeable ESM.



## [API Reference](docs/README.md)



`oauth4webapi` is distributed via [npmjs.com](https://www.npmjs.com/package/oauth4webapi), [jsr.io](https://jsr.io/@panva/oauth4webapi), [deno.land/x](https://deno.land/x/oauth4webapi), [cdnjs.com](https://cdnjs.com/libraries/oauth4webapi), [jsdelivr.com](https://www.jsdelivr.com/package/npm/oauth4webapi), and [github.com](https://github.com/panva/oauth4webapi).



## [Examples](examples/README.md)



**`example`** ESM import[^cjs]



```js

import * as oauth from 'oauth4webapi'

```



- Authorization Code Flow (OAuth 2.0) - [source](examples/oauth.ts)

- Authorization Code Flow (OpenID Connect) - [source](examples/oidc.ts) | [diff](examples/oidc.diff)

- Extensions

  - DPoP - [source](examples/dpop.ts) | [diff](examples/dpop.diff)

  - JWT Secured Authorization Request (JAR) - [source](examples/jar.ts) | [diff](examples/jar.diff)

  - JWT Secured Authorization Response Mode (JARM) - [source](examples/jarm.ts) | [diff](examples/jarm.diff)

  - Pushed Authorization Request (PAR) - [source](examples/par.ts) | [diff](examples/par.diff)

- Client Authentication

  - Client Secret in HTTP Authorization Header - [source](examples/oauth.ts)

  - Client Secret in HTTP Body - [source](examples/client_secret_post.ts) | [diff](examples/client_secret_post.diff)

  - Private Key JWT Client Authentication - [source](examples/private_key_jwt.ts) | [diff](examples/private_key_jwt.diff)

  - Public Client - [source](examples/public.ts) | [diff](examples/public.diff)

- Other Grants

  - Client Credentials Grant - [source](examples/client_credentials.ts)

  - Device Authorization Grant - [source](examples/device_authorization_grant.ts)

  - Refresh Token Grant - [source](examples/refresh_token.ts) | [diff](examples/refresh_token.diff)

- FAPI

  - FAPI 1.0 Advanced - [source](examples/fapi1-advanced.ts) | [diff](examples/fapi1-advanced.diff)

  - FAPI 2.0 Security Profile - [source](examples/fapi2.ts) | [diff](examples/fapi2.diff)

  - FAPI 2.0 Message Signing - [source](examples/fapi2-message-signing.ts) | [diff](examples/fapi2-message-signing.diff)



## Supported Runtimes



The supported JavaScript runtimes include those that support the utilized Web API globals and standard built-in objects. These are _(but are not limited to)_:



- Browsers

- Bun

- Cloudflare Workers

- Deno

- Electron

- Node.js

- Vercel's Edge Runtime



## Supported Versions



| Version                                                 | Security Fixes πŸ”‘ | Other Bug Fixes 🐞 | New Features ⭐ |

| ------------------------------------------------------- | ----------------- | ------------------ | --------------- |

| [v3.x](https://github.com/panva/oauth4webapi/tree/v3.x) | βœ…                | βœ…                 | βœ…              |

| [v2.x](https://github.com/panva/oauth4webapi/tree/v2.x) | ❌                | ❌                 | ❌              |

| [v1.x](https://github.com/panva/oauth4webapi/tree/v1.x) | ❌                | ❌                 | ❌              |



[sponsor-auth0]: https://auth0.com/signup?utm_source=external_sites&utm_medium=panva&utm_campaign=devn_signup



[^cjs]: CJS style `let oauth = require('oauth4webapi')` is possible in Node.js versions where `process.features.require_module` is `true` or with the `--experimental-require-module` Node.js CLI flag.