This software is a collection of routines upon which framework-specific client modules may be written. Its objective is to support and, where possible, enforce secure and current best practices using only capabilities common to Browser and Non-Browser JavaScript-based runtime environments.
Target profiles of this software are OAuth 2.1, OAuth 2.0 complemented by the latest Security BCP, and FAPI 2.0. Where applicable, OpenID Connect is also supported.
- Authorization Server Metadata discovery
- Authorization Code Flow (profiled under OpenID Connect 1.0, OAuth 2.0, OAuth 2.1, and FAPI 2.0), PKCE
- Refresh Token, Device Authorization, and Client Credentials Grants
- Demonstrating Proof-of-Possession at the Application Layer (DPoP)
- Token Introspection and Revocation
- Pushed Authorization Requests (PAR)
- UserInfo and Protected Resource Requests
- Authorization Server Issuer Identification
- JWT Secured Introspection, Response Mode (JARM), Authorization Request (JAR), and UserInfo
Filip Skokan has certified that this software conforms to the Basic RP Conformance Profile of the OpenID Connect™ protocol.
ESM import:

```js
import * as oauth2 from '@panva/oauth4webapi'
```

Deno import:

```js
import * as oauth2 from 'https://deno.land/x/doauth/src/index.ts'
```
- Authorization Code Flow - OpenID Connect source, or plain OAuth 2 source
- Public Client Authorization Code Flow - source | diff from code flow
- Private Key JWT Client Authentication - source | diff from code flow
- DPoP - source | diff from code flow
- Pushed Authorization Request (PAR) - source | diff from code flow
- Client Credentials Grant - source
- Device Authorization Grant - source
- FAPI 2.0 (Private Key JWT, PAR, DPoP) - source
- FAPI 2.0 Message Signing (Private Key JWT, PAR, DPoP, JAR, JARM) - source | diff
The supported JavaScript runtimes include ones that
- are reasonably up-to-date ECMAScript (targets ES2020, but may be further transpiled for compatibility)
- support the required Web API globals and standard built-in objects:
  - Fetch API and its related globals fetch, Response, Headers
  - Web Crypto API and its related globals crypto, CryptoKey
  - Encoding API and its related globals TextEncoder, TextDecoder
  - URL API and its related globals URL, URLSearchParams
  - atob and btoa
  - Uint8Array

These are (not an exhaustive list):
- Browsers
- Cloudflare Workers
- Deno (^1.21.0)
- Electron
- Next.js Middlewares
- Node.js (runtime flags may be needed)
- Vercel Edge Functions
Out of scope (not supported):
- CommonJS
- Implicit, Hybrid, and Resource Owner Password Credentials Flows
- Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
- JSON Web Encryption (JWE)
- JSON Web Signature (JWS) rarely used algorithms and HMAC
- Automatic polyfills of any kind