Important: This documentation covers Yarn 1 (Classic).
For Yarn 2+ docs and migration guide, see yarnpkg.com.

Package detail

oauth4webapi

panva2.3mMIT3.1.4TypeScript support: included

Low-Level OAuth 2 / OpenID Connect Client API for JavaScript Runtimes

access token, auth, authentication, authorization, basic, browser, bun, certified, client, cloudflare, deno, edge, electron, fapi, javascript, jwt, netlify, next, nextjs, node, nodejs, oauth, oauth2, oidc, openid-connect, openid, vercel, workerd, workers

readme

oauth4webapi

Low-Level OAuth 2 / OpenID Connect Client API for JavaScript Runtimes

This software provides a collection of routines that can be used to build client modules for OAuth 2.1, OAuth 2.0 with the latest Security Best Current Practices (BCP), and FAPI 2.0, as well as OpenID Connect where applicable. The primary goal of this software is to promote secure and up-to-date best practices while using only the capabilities common to both browser and non-browser JavaScript runtimes.

Features

The following features are currently in scope and implemented in this software:

  • Authorization Server Metadata discovery
  • Authorization Code Flow (profiled under OpenID Connect 1.0, OAuth 2.0, OAuth 2.1, and FAPI 2.0), with PKCE
  • Refresh Token, Device Authorization, and Client Credentials Grants
  • Demonstrating Proof-of-Possession at the Application Layer (DPoP)
  • Token Introspection and Revocation
  • Pushed Authorization Requests (PAR)
  • UserInfo and Protected Resource Requests
  • Authorization Server Issuer Identification
  • JWT Secured Introspection, Response Mode (JARM), Authorization Request (JAR), and UserInfo
  • Validating incoming JWT Access Tokens
<picture> <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/panva/oauth4webapi/HEAD/sponsor/Auth0byOkta_dark.png"> <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/panva/oauth4webapi/HEAD/sponsor/Auth0byOkta_light.png"> Auth0 by Okta </picture>

If you want to quickly add authentication to JavaScript apps, feel free to check out Auth0's JavaScript SDK and free plan. Create an Auth0 account; it's free!

Certification

OpenID Certification

Filip Skokan has certified that this software conforms to the Basic, FAPI 1.0, and FAPI 2.0 Relying Party Conformance Profiles of the OpenID Connect™ protocol.

💗 Help the project

Support from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by becoming a sponsor.

Dependencies: 0

oauth4webapi has no dependencies and it exports tree-shakeable ESM.

API Reference

oauth4webapi is distributed via npmjs.com, jsr.io, deno.land/x, cdnjs.com, jsdelivr.com, and github.com.

Examples

example ESM import[^cjs]

import * as oauth from 'oauth4webapi'
  • Authorization Code Flow (OAuth 2.0) - source
  • Authorization Code Flow (OpenID Connect) - source | diff
  • Extensions
  • Client Authentication
    • Client Secret in HTTP Authorization Header - source
    • Client Secret in HTTP Body - source | diff
    • Private Key JWT Client Authentication - source | diff
    • Public Client - source | diff
  • Other Grants
  • FAPI

Supported Runtimes

The supported JavaScript runtimes include those that support the utilized Web API globals and standard built-in objects. These are (but are not limited to):

  • Browsers
  • Bun
  • Cloudflare Workers
  • Deno
  • Electron
  • Node.js
  • Vercel's Edge Runtime

Supported Versions

Version Security Fixes 🔑 Other Bug Fixes 🐞 New Features ⭐
v3.x

[^cjs]: CJS style let oauth = require('oauth4webapi') is possible in Node.js versions where process.features.require_module is true or with the --experimental-require-module Node.js CLI flag.

changelog

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

3.1.4 (2024-12-02)

Refactor

  • types: move customFetch options into its own interface (21c7d0a)

3.1.3 (2024-11-15)

Refactor

  • more descriptive "not a conform" message (0295887)

3.1.2 (2024-10-24)

Refactor

  • shake the supported function when not needed (c390093)
  • types: update indexable on MTLSEndpointAliases to be a string (a405c89)

3.1.1 (2024-10-14)

Refactor

  • simpler consume of Request bodies (bcf0b86)

3.1.0 (2024-10-14)

Features

  • add support for form_post Request instance in hybrid response mode validate response functions (5e22d9d)

3.0.1 (2024-10-13)

Refactor

3.0.0 (2024-10-07)

⚠ BREAKING CHANGES

  • build target is now ES2022
  • jweDecrypt is no longer an allowed symbol on the Client interface, it is instead an option passed to functions that may encounter encrypted assertions
  • specifying Ed448 curve for EdDSA is no longer supported, EdDSA is now just an alias for the fully-specified Ed25519 JWS algorithm
  • assertions signed with an Ed25519 CryptoKey will now use the Ed25519 JWS alg value instead of EdDSA. This can be reverted using the modifyAssertion symbol export
  • the audience of a Private Key JWT and Client Secret JWT client assertions is now just the issuer identifier
  • remove modifyAssertion from the PrivateKey interface
  • optional (non-repudiation) signature validation of ID Token JWS Signatures is now done the same way as JWT UserInfo and JWT Introspection is done, with a Response instance rather than a TokenEndpointResponse object
  • validateJwtIntrospectionSignature is now validateApplicationLevelSignature
  • validateJwtUserInfoSignature is now validateApplicationLevelSignature
  • validateIdTokenSignature is now validateApplicationLevelSignature
  • DPoP request options are now obtained by calling the DPoP() exported function. This returns a handle that also maintains its own LRU nonce caches
  • client authentication is now an explicit argument to authenticated functions
  • processAuthorizationCodeOpenIDResponse() method was removed in favour of processAuthorizationCodeResponse()
  • processAuthorizationCodeOAuth2Response() method was removed in favour of processAuthorizationCodeResponse()
  • All grant functions that execute against the Token Endpoint will now validate ID Token when there is one in the response. This has already been the behaviour of functions such as processRefreshTokenResponse() or processDeviceCodeResponse()
  • Presence of auth_time is now required in all ID Tokens if client.default_auth_time is set
  • encode client_secret_basic - _ . ! ~ * ' ( ) characters
  • remove all deprecated options
  • remove the useMtlsAlias symbol and options
  • all functions now reject interacting with non-TLS HTTP endpoints. You can use the allowInsecureRequests in the HttpRequestOptions interface to revert this behaviour.
  • removed the isOAuth2Error() helper, all functions that used to possibly return an OAuth2Error now reject with ResponseBodyError or AuthorizationResponseError instead
  • removed parseWwwAuthenticateChallenges(), all functions verify process Response now reject with WWWAuthenticateChallengeError instead
  • removed protectedResourceRequest() now rejects with WWWAuthenticateChallengeError when the Response has one

Features

  • add a counterpart process method to genericTokenEndpointRequest (848f3f6)
  • add a helper function for DPoP retry management (06493e3)
  • add support for client_secret_jwt (cf85fd6)
  • add support for code id_token response without FAPI 1.0 s_hash (eebb4f1)
  • add unified authorization code method (07d4ff9)
  • allow setting expected JWT algorithms in validateJwtAccessToken (8f20f91)

Fixes

  • encode client_secret_basic - _ . ! ~ * ' ( ) characters (cd5bbc1)
  • types: infer CryptoKey type for @types/node types' sake (d126f1f)

Documentation

  • add more examples (dcaf056)
  • export and document error codes (364cbd8)
  • hide the error constructors (a1cb7f8)
  • minor touch ups (fee6790)
  • re-generate API reference docs (c4a7f64)
  • update client auth method docs (ef8fe9f)
  • update examples due to changes (f24b39d)
  • update examples due to changes (fcd3c3e)
  • update groups, properties (329876a)
  • update inline examples (33ee2b0)
  • update README.md (0bd2e56)
  • update several examples and add descriptions to DAG (dd99b9a)

Refactor

  • add a source map, update pkg exports (0232cf2)
  • add causes and codes to "is not a conform" errors (a0b19c5)
  • add claim/attribute names to error reasons (fe11bdc)
  • add more error messages and update codes (038b44a)
  • add OperationProcessingError code and cause when wrong callback method is used (9d4c546)
  • added codes and reasons to as many errors as possible (bce81b4)
  • allow and document tls client auth methods (f0e7919)
  • better type for oauth.customFetch implementations, updated examples (a06efb5)
  • build target is now ES2022 (8af3e9f)
  • changed the default client authentication (4fe3f2c)
  • client authentication is now an explicit argument to authenticated functions (cefcf32)
  • future proof Ed25519 (ac0550d)
  • improve tree-shaking of JWT claims verification (60b7dcf)
  • jweDecrypt is now an option on the functions that support it (d7e8482)
  • keep all OAuthError properties (fce528e)
  • make DPoP implementation tree-shakeable (1fca2a3)
  • private_key_jwt audience is now only the issuer identifier (f388ba8)
  • push id token required claims straight to jwt validation (ec45b61)
  • reject requests to non-HTTPS endpoints by default (4829da6)
  • remove all deprecated options (137a547)
  • remove modifyAssertion from the PrivateKey interface (4d8b9e8)
  • remove the useMtlsAlias symbol and options (cd5ed0d)
  • remove the weird use of JWSAlgorithm type (970e3b6)
  • removed the parseWwwAuthenticateChallenges export (5fa774d)
  • resolve only successful responses (0f8bcc3)
  • unify validating endpoints and checking their protocols (e16254f)
  • update the CryptoKey workarounds without affecting docs (0d3b05a)
  • userInfoRequest should not reject www-authenticate (e373ec3)
  • validating ID Token signatures is now done with a Response (d71bc2c)

2.17.0 (2024-09-22)

Features

  • support client use_mtls_endpoint_aliases metadata (60c9df4)

Documentation

  • fix calculatePKCECodeChallenge description (ac014f2)

Refactor

  • deprecate the useMtlsAlias symbol and options (d2b7cb0)
  • use as Type for type assertions instead of <Type> (a0ccf56)

2.16.0 (2024-09-16)

Features

  • add a hook for decrypting JWE assertions (62795a6)
  • allow to modify issued JWT headers and payloads before signing (30931ba)

Documentation

  • update docs on useMtlsAlias (006db55)

2.15.0 (2024-09-15)

Features

  • support generic token endpoint grant requests (2f454b5)

2.14.0 (2024-09-15)

Features

  • add non-repudiation signature validation methods (0916de2)

Documentation

  • update JSDoc to use more link syntax (d78f090)
  • update various comments and documentation (9c3f1ed)

2.13.0 (2024-09-10)

Features

  • build: add jsr.io distribution (dc6157f)

2.12.2 (2024-09-09)

Refactor

  • error msg when ID Token aud is an array and azp is missing (68e0338)
  • remove redundant checks (763b3d0)

Documentation

  • remove non-described parameter JSDoc tags (b1507b9)
  • update README.md (9d1377b)

2.12.1 (2024-09-03)

Fixes

  • use correct "htm" in DPoP Proof via protectedResourceRequest (3ce3be2), closes #132

2.12.0 (2024-08-19)

Features

  • graduate jwksCache to stable API (0e0e1d2)

Documentation

  • move clockSkew and clockTolerance docs to the symbol (3b5d2ea)
  • update clockSkew and clockTolerance docs (c97313a)

2.11.1 (2024-06-20)

Fixes

  • allow ID Token auth_time to be present even if client.require_auth_time is false (caa9ab3)

2.11.0 (2024-06-19)

Features

  • add experimental support for edge compute runtimes JWKS caching (15b7aff)

Refactor

  • update maxAge option type check error message (7fe3454)

Documentation

  • clarify documentation is more an API Reference (c96c8e0)
  • update example import (651e8ea)
  • updates for readability and consistency (b1b8b7d)

2.10.4 (2024-03-29)

Refactor

  • types: add explicit type to all exported functions (76e8d19)
  • types: add explicit type to all exported symbols (c66c595)
  • types: protectedResourceRequest method argument is just a string (a15d76c)

Documentation

  • mention RFC 6750 in validateJwtAccessToken (f61b68e), closes #115

2.10.3 (2024-02-07)

Refactor

  • make protectedResourceRequest headers argument optional (bcbc872)

Documentation

2.10.2 (2024-02-05)

Fixes

  • normalize authorization_details and max_age in issueRequestObject (f8d267e)

2.10.0 (2024-02-04)

Features

  • types: add interfaces for RFC 9396 (Rich Authorization Requests) (1c606ea)

Refactor

  • some biome identified smells and less non-null assertions (bc508f6)

Documentation

  • update customFetch and useMtlsAlias a bit (627e716)

Fixes

  • types: add missing and optional scope to interfaces (5dc6d17)

2.9.0 (2024-02-02)

Features

  • graduate recently added experimental features to stable API (94da0c9)

2.8.1 (2024-01-24)

Fixes

  • check that DPoP Proof iat is recent enough (a6159e3)

2.8.0 (2024-01-23)

Features

  • add experimental support for validating JWT Access Tokens (f65deae)

2.7.0 (2024-01-18)

Features

  • allow fragment response as URL in validateDetachedSignatureResponse (bcbe2f5)

2.6.0 (2024-01-11)

Features

  • add experimental support for FAPI 1.0 (6b6b496)

Refactor

  • reorganize experimental features (c8479b4)

Documentation

2.5.0 (2024-01-10)

Features

  • add experimental customize fetch option (e98c1aa), closes #94
  • add experimental support for mtls_endpoint_aliases (f1cb365)
  • allow all of HeadersInit for HttpRequestOptions.headers (a5fe73c)

Refactor

  • fetch url resolution and validation (b2e62a6)

Documentation

  • fix ToC anchors to symbol properties (ed01dcf)
  • return hierarchy to markdown docs (7d3b414)

2.4.5 (2024-01-09)

Fixes

  • DPoP: clockSkew in ProtectedResourceRequestOptions is a unique Symbol (1708f21)

Documentation

  • expose clock skew and tolerance documentation (2d90c49)

2.4.4 (2024-01-09)

Fixes

  • handle Response objects with empty string url in processDpopNonce (f2c9415)

2.4.3 (2024-01-06)

2.4.2 (2024-01-05)

Documentation

  • add distribution links to README.md (29bb947)

Fixes

  • encode client_secret_basic - _ . ! ~ * ' ( ) characters (f926175)

2.4.1 (2024-01-03)

Refactor

  • create Request instances before passing them to fetch (02ab110)
  • types: mark always lowercased values and keys as Lowercase<string> (89e7a77)

Documentation

  • categorize APIs in docs/README.md (c28efda)
  • expose Indexed Access Types (54c4393)
  • update EdDSA description (9765e7a)

2.4.0 (2023-11-15)

Features

  • add the cause property to errors where possible (07c95f7)

Refactor

  • use AlgorithmIdentifier instead of Algorithm where possible (e2ae2f3)

Fixes

  • base64url decode errors are OperationProcessingError (7f4a878)

2.3.0 (2023-04-26)

Features

  • allow Record<string, string> and string[][] as parameter arguments (021b85f)

2.2.4 (2023-04-24)

Refactor

  • brand URLSearchParams instead of extending URLSearchParams (8e62c8a)

2.2.3 (2023-04-21)

2.2.2 (2023-04-21)

Refactor

  • types: enforce flat interfaces (c958d61)

2.2.1 (2023-04-13)

Fixes

  • return undefined from getValidatedIdTokenClaims as documented (678b12d)

2.2.0 (2023-03-10)

Features

  • allow the client's assumed current time to be adjusted (5051a5d), closes #49 #50
  • allow the client's DateTime claims tolerance to be adjusted (3936a56), closes #49 #50

2.1.0 (2023-02-09)

Features

  • add more asymmetric JWS algorithms (af43ec7)

2.0.6 (2022-12-16)

Fixes

  • build: fixup user agent version after version bump (e1c3ed8)

2.0.5 (2022-12-11)

2.0.4 (2022-11-27)

Refactor

  • weak maps instead of symbols (e551edc)

2.0.3 (2022-11-25)

Fixes

  • omit zealous response cloning() to reduce edge compute memory bills (a785223), closes #37

2.0.1 (2022-11-21)

Fixes

  • claims parameter encoding in issued request objects (3eb165a)

Performance

  • cache public DPoP CryptoKey's JWK representation for re-use (2858d06)

2.0.0 (2022-11-20)

⚠ BREAKING CHANGES

  • Use the TLS server validation in processAuthorizationCodeOpenIDResponse to validate the issuer instead of checking the ID Token's signature. The function's options argument was removed.
  • Use the TLS server validation in processDeviceCodeResponse to validate the issuer instead of checking the optional ID Token's signature. The function's options argument was removed.
  • Use the TLS server validation in processIntrospectionResponse to validate the issuer instead of checking the optional JWT Introspection Response signature. The function's options argument was removed.
  • Use the TLS server validation in processRefreshTokenResponse to validate the issuer instead of checking the optional ID Token's signature. The function's options argument was removed.
  • Use the TLS server validation in processUserInfoResponse to validate the issuer instead of checking the optional JWT UserInfo Response signature. The function's options argument was removed.
  • PAR w/ DPoP no longer automatically adds dpop_jkt to the authorization request.
  • Removed calculateJwkThumbprint function export.
  • Removed jwksRequest function export.
  • Removed processJwksResponse function export.

Refactor

  • remove ignored and unused exports (4a545df)
  • use TLS server validation instead of jwt signature validations (f728110)

1.4.1 (2022-11-20)

Refactor

  • deno: add mod.ts to deno.land/x (0778278)
  • use RsaHashedKeyAlgorithm in checkRsaKeyAlgorithm (94aa31c)

1.4.0 (2022-11-08)

Features

  • add bun as a supported runtime (707efd1)

1.3.0 (2022-10-31)

Features

  • allow to skip JWT signature validation on select responses (44d9114)

1.2.2 (2022-10-20)

Refactor

  • add a type check on AbortSignal (b013fef)
  • align argument and function names in assert functions (8ea65f6)
  • update "as" error messages (3e894f5)

1.2.1 (2022-10-10)

1.2.0 (2022-09-14)

Features

  • add experimental EdDSA (Ed25519) JWS algorithm support (f70d4d5)

1.1.4 (2022-08-26)

Fixes

  • typescript: resolve ts4.8 issue (572c6de)

1.1.3 (2022-07-20)

1.1.2 (2022-07-12)

1.1.1 (2022-07-04)

Fixes

  • processing pure oauth2 code response ignores invalid ID tokens (282705a)

1.1.0 (2022-06-28)

Features

  • allow AbortSignal-returning function as well as an instance (90d21b8)

1.0.5 (2022-06-17)

Fixes

  • allow zero-length scope in token endpoint responses (#15) (d54c821)

1.0.4 (2022-06-09)

Fixes

  • do not set a user-agent in CORS-enabled runtimes (8899a6b), closes #13

1.0.3 (2022-05-23)

Fixes

  • skip recalculating dpop_jkt in PAR if already set (9499ccd)

1.0.2 (2022-05-19)

1.0.1 (2022-05-18)

Fixes

  • reject unsupported token_type values (3d2cc0c)

1.0.0 (2022-05-13)

0.9.0 (2022-05-13)

⚠ BREAKING CHANGES

  • types: rename TokenEndpointAuthMethod type to ClientAuthenticationMethod

Refactor

  • types: rename TokenEndpointAuthMethod type to ClientAuthenticationMethod (6028fd8)

0.8.0 (2022-05-06)

⚠ BREAKING CHANGES

  • getValidatedIdTokenClaims throws if ref isnt weak referenced
  • remove client_secret_jwt

Refactor

  • getValidatedIdTokenClaims throws if ref isnt weak referenced (1ee5485)
  • remove client_secret_jwt (7611169)

0.7.0 (2022-05-05)

⚠ BREAKING CHANGES

  • ensure supported key in calculateJwkThumbprint
  • clientCredentialsGrantRequest now requires parameters

Features

  • explicitly add dpop_jkt to par request when using dpop (e6acd99)

Refactor

  • clientCredentialsGrantRequest now requires parameters (76e4fea)
  • ensure supported key in calculateJwkThumbprint (540f6cf)

0.6.4 (2022-05-04)

Features

  • add utility for calculating dpop_jkt from a crypto key (045dd10)

0.6.3 (2022-05-04)

0.6.2 (2022-05-03)

Features

  • add utility for generating crypto key pairs (d8f3e90)

0.6.1 (2022-05-02)

Fixes

  • types: validateJwtAuthResponse expectedState is optional (e618089)

0.6.0 (2022-04-28)

⚠ BREAKING CHANGES

  • remove encrypted JAR support

Refactor

  • remove encrypted JAR support (4352049)

Fixes

  • remove sub from request object (41d49fa)
  • signed userinfo aud and iss expected values (38edd37)

0.5.2 (2022-04-27)

Features

  • force jwks refetch every 10 minutes (ae35bae)

Fixes

  • correct jwks refetch minimal interval (8af6f85)

0.5.1 (2022-04-27)

Fixes

  • assert no client private key is provided unless needed (ac6be64)
  • assert no client secret is provided unless needed (604d8f3)
  • ensure issueRequestObject does not mutate input parameters (7b62b82)

0.5.0 (2022-04-27)

⚠ BREAKING CHANGES

  • deno: support deno ^1.21.0 (removed 1.20.x from CI)
  • types: rename SignalledRequestOptions interface to HttpRequestOptions

Features

  • option to add headers to http requests (94a2ecb)

Refactor

  • deno: support deno ^1.21.0 (removed 1.20.x from CI) (764db58)
  • types: rename SignalledRequestOptions interface to HttpRequestOptions (e4058d8)

0.4.0 (2022-04-25)

⚠ BREAKING CHANGES

  • trim down the supported JOSE algorithms

Refactor

  • trim down the supported JOSE algorithms (3a9e9a5)

0.3.3 (2022-04-14)

0.3.2 (2022-04-11)

Features

  • allow all key inputs to be CryptoKey instances (f405719)

0.3.1 (2022-04-10)

0.3.0 (2022-04-10)

⚠ BREAKING CHANGES

  • types: force types without string defaults

Refactor

  • types: force types without string defaults (188b252)

0.2.2 (2022-04-07)

Features

0.2.1 (2022-04-05)

0.2.0 (2022-04-01)

⚠ BREAKING CHANGES

  • ensure 2048 RSA keys are used for RSA-OAEP too

Fixes

  • ensure 2048 RSA keys are used for RSA-OAEP too (f4eda79)

0.1.0 (2022-04-01)

⚠ BREAKING CHANGES

  • ensure 2048 RSA keys are used

Fixes

  • ensure 2048 RSA keys are used (ad707c0)

0.0.11 (2022-04-01)

0.0.10 (2022-03-29)

Fixes

  • remove off-spec "default optional JWT typ" checks (34e524a)

0.0.9 (2022-03-28)

Fixes

  • normalize jwt typ when one is expected (e161ee3)

0.0.8 (2022-03-28)

0.0.7 (2022-03-23)

0.0.6 (2022-03-18)

0.0.5 (2022-03-17)

Fixes

  • jarm: correct message when jarm response is passed to validateAuthResponse (9ef7ce8)

0.0.4 (2022-03-17)

0.0.3 (2022-03-16)

Features

  • client_secret_jwt authentication method (93fc723)

Fixes

  • typescript: allow any string into "alg" and "enc" client fields (e6a8649)

0.0.2 (2022-03-16)

Fixes

  • set a proper user-agent string (1fbb173)

0.0.1 (2022-03-16)