@jmondi/oauth2-server is a standards compliant implementation of an OAuth 2.0 authorization server written in TypeScript.
Requires node >= 18. Read the docs
The following RFCs are implemented:
- RFC6749 "OAuth 2.0"
- RFC6750 "The OAuth 2.0 Authorization Framework: Bearer Token Usage"
- RFC7009 "OAuth 2.0 Token Revocation"
- RFC7519 "JSON Web Token (JWT)"
- RFC7636 "Proof Key for Code Exchange by OAuth Public Clients"
- RFC7662 "OAuth 2.0 Token Introspection"
- RFC8693 "OAuth 2.0 Token Exchange"
Out of the box it supports the following grants:
- Authorization code grant
- Client credentials grant
- Refresh grant
- Implicit grant // not recommended
- Resource owner password credentials grant // not recommended
Framework support:
The included adapters are just helper functions, any framework should be supported. Take a look at the adapter implementations to learn how you can create custom adapters for your favorite tool!
A example using client credentials grant
const authorizationServer = new AuthorizationServer(
clientRepository,
accessTokenRepository,
scopeRepository,
"secret-key",
);
authorizationServer.enableGrantType("client_credentials");
app.post("/token", async (req: Express.Request, res: Express.Response) => {
try {
const oauthResponse = await authorizationServer.respondToAccessTokenRequest(req);
return handleExpressResponse(res, oauthResponse);
} catch (e) {
handleExpressError(e, res);
}
});
app.post("/token/revoke", async (req: Express.Request, res: Express.Response) => {
try {
const oauthResponse = await authorizationServer.revoke(req);
return handleExpressResponse(res, oauthResponse);
} catch (e) {
handleExpressError(e, res);
}
});Example implementations:
| Version | Latest Version | Security Updates |
|---|---|---|
| 4.x | 🎉 | 🎉 |
| 3.x | 🎉 | 🎉 |
| 2.x | 🎉 |
This project is inspired by the PHP League's OAuth2 Server. Check out the PHP League's other packages for some other great PHP projects.