JSR NPM Version GitHub Workflow Status Test Coverage NPM Downloads
@jmondi/oauth2-server is a standards compliant implementation of an OAuth 2.0 authorization server written in TypeScript.
Requires node >= 18. Read the docs
The following RFCs are implemented:
- RFC6749 "OAuth 2.0"
- RFC6750 "The OAuth 2.0 Authorization Framework: Bearer Token Usage"
- RFC7009 "OAuth 2.0 Token Revocation"
- RFC7519 "JSON Web Token (JWT)"
- RFC7636 "Proof Key for Code Exchange by OAuth Public Clients"
- RFC7662 "OAuth 2.0 Token Introspection"
- RFC8693 "OAuth 2.0 Token Exchange"
Out of the box it supports the following grants:
- Authorization code grant
- Client credentials grant
- Refresh grant
- Implicit grant // not recommended
- Resource owner password credentials grant // not recommended
Framework support:
The included adapters are just helper functions, any framework should be supported. Take a look at the adapter implementations to learn how you can create custom adapters for your favorite tool!
A example using client credentials grant
const authorizationServer = new AuthorizationServer( clientRepository, accessTokenRepository, scopeRepository, "secret-key", ); authorizationServer.enableGrantType("client_credentials"); app.post("/token", async (req: Express.Request, res: Express.Response) => { try { const oauthResponse = await authorizationServer.respondToAccessTokenRequest(req); return handleExpressResponse(res, oauthResponse); } catch (e) { handleExpressError(e, res); } }); app.post("/token/revoke", async (req: Express.Request, res: Express.Response) => { try { const oauthResponse = await authorizationServer.revoke(req); return handleExpressResponse(res, oauthResponse); } catch (e) { handleExpressError(e, res); } });
Example implementations:
| Version | Latest Version | Security Updates |
|---|---|---|
| 4.x | π | π |
| 3.x | π | π |
| 2.x | π |
This project is inspired by the PHP League's OAuth2 Server. Check out the PHP League's other packages for some other great PHP projects.