oauth4webapi 1.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE.md +21 -0
- package/README.md +100 -0
- package/build/index.d.ts +1179 -0
- package/build/index.js +1589 -0
- package/package.json +80 -0
package/LICENSE.md
ADDED
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
The MIT License (MIT)
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2022 Filip Skokan
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
in the Software without restriction, including without limitation the rights
|
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
furnished to do so, subject to the following conditions:
|
|
11
|
+
|
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
|
13
|
+
copies or substantial portions of the Software.
|
|
14
|
+
|
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
+
SOFTWARE.
|
package/README.md
ADDED
|
@@ -0,0 +1,100 @@
|
|
|
1
|
+
# OAuth 2 / OpenID Connect for Web Platform API JavaScript runtimes
|
|
2
|
+
|
|
3
|
+
This software is a collection of routines upon which framework-specific client modules may be written. Its objective is to support and, where possible, enforce secure and current best practices using only capabilities common to Browser and Non-Browser JavaScript-based runtime environments.
|
|
4
|
+
|
|
5
|
+
Target profiles of this software are OAuth 2.1, OAuth 2.0 complemented by the latest Security BCP, and FAPI 2.0. Where applicable OpenID Connect is also supported.
|
|
6
|
+
|
|
7
|
+
## In Scope & Implemented
|
|
8
|
+
|
|
9
|
+
- Authorization Server Metadata discovery
|
|
10
|
+
- Authorization Code Flow (profiled under OpenID Connect 1.0, OAuth 2.0, OAuth 2.1, and FAPI 2.0), PKCE
|
|
11
|
+
- Refresh Token, Device Authorization, and Client Credentials Grants
|
|
12
|
+
- Demonstrating Proof-of-Possession at the Application Layer (DPoP)
|
|
13
|
+
- Token Introspection and Revocation
|
|
14
|
+
- Pushed Authorization Requests (PAR)
|
|
15
|
+
- UserInfo and Protected Resource Requests
|
|
16
|
+
- Authorization Server Issuer Identification
|
|
17
|
+
- JWT Secured Introspection, Response Mode (JARM), Authorization Request (JAR), and UserInfo
|
|
18
|
+
|
|
19
|
+
## [Certification](https://openid.net/certification/faq/)
|
|
20
|
+
|
|
21
|
+
[<img width="96" height="50" align="right" src="https://user-images.githubusercontent.com/241506/166977513-7cd710a9-7f60-4944-aebe-a658e9f36375.png" alt="OpenID Certification">](#certification)
|
|
22
|
+
|
|
23
|
+
[Filip Skokan](https://github.com/panva) has certified that [this software](https://github.com/panva/oauth4webapi) conforms to the Basic RP Conformance Profile of the OpenID Connectâ„¢ protocol.
|
|
24
|
+
|
|
25
|
+
## [💗 Help the project](https://github.com/sponsors/panva)
|
|
26
|
+
|
|
27
|
+
## Dependencies: 0
|
|
28
|
+
|
|
29
|
+
## [Documentation](docs/README.md)
|
|
30
|
+
|
|
31
|
+
## [Examples](examples/README.md)
|
|
32
|
+
|
|
33
|
+
**`example`** ESM import
|
|
34
|
+
|
|
35
|
+
```js
|
|
36
|
+
import * as oauth2 from 'oauth4webapi'
|
|
37
|
+
```
|
|
38
|
+
|
|
39
|
+
**`example`** Deno import
|
|
40
|
+
|
|
41
|
+
```js
|
|
42
|
+
import * as oauth2 from 'https://deno.land/x/oauth4webapi/src/index.ts'
|
|
43
|
+
```
|
|
44
|
+
|
|
45
|
+
- Authorization Code Flow - OpenID Connect [source](examples/code.ts), or plain OAuth 2 [source](examples/oauth.ts)
|
|
46
|
+
- Public Client Authorization Code Flow - [source](examples/public.ts) | [diff from code flow](examples/public.diff)
|
|
47
|
+
- Private Key JWT Client Authentication - [source](examples/private_key_jwt.ts) | [diff from code flow](examples/private_key_jwt.diff)
|
|
48
|
+
- DPoP - [source](examples/dpop.ts) | [diff from code flow](examples/dpop.diff)
|
|
49
|
+
- Pushed Authorization Request (PAR) - [source](examples/par.ts) | [diff from code flow](examples/par.diff)
|
|
50
|
+
- Client Credentials Grant - [source](examples/client_credentials.ts)
|
|
51
|
+
- Device Authorization Grant - [source](examples/device_authorization_grant.ts)
|
|
52
|
+
- FAPI 2.0 (Private Key JWT, PAR, DPoP) - [source](examples/fapi2.ts)
|
|
53
|
+
- FAPI 2.0 Message Signing (Private Key JWT, PAR, DPoP, JAR, JARM) - [source](examples/fapi2-message-signing.ts) | [diff](examples/fapi2-message-signing.diff)
|
|
54
|
+
|
|
55
|
+
## Runtime requirements
|
|
56
|
+
|
|
57
|
+
The supported JavaScript runtimes include ones that
|
|
58
|
+
|
|
59
|
+
- are reasonably up to date ECMAScript (targets ES2020, but may be further transpiled for compatibility)
|
|
60
|
+
- support required Web API globals and standard built-in objects
|
|
61
|
+
- [Fetch API][] and its related globals [fetch][], [Response][], [Headers][]
|
|
62
|
+
- [Web Crypto API][] and its related globals [crypto][], [CryptoKey][]
|
|
63
|
+
- [Encoding API][] and its related globals [TextEncoder][], [TextDecoder][]
|
|
64
|
+
- [URL API][] and its related globals [URL][], [URLSearchParams][]
|
|
65
|
+
- [atob][] and [btoa][]
|
|
66
|
+
- [Uint8Array][]
|
|
67
|
+
- These are (not an exhaustive list):
|
|
68
|
+
- Browsers
|
|
69
|
+
- Cloudflare Workers
|
|
70
|
+
- Deno (^1.21.0)
|
|
71
|
+
- Electron
|
|
72
|
+
- Next.js Middlewares
|
|
73
|
+
- Node.js ([runtime flags may be needed](https://github.com/panva/oauth4webapi/issues/8))
|
|
74
|
+
- Vercel Edge Functions
|
|
75
|
+
|
|
76
|
+
## Out of scope
|
|
77
|
+
|
|
78
|
+
- CommonJS
|
|
79
|
+
- Implicit, Hybrid, and Resource Owner Password Credentials Flows
|
|
80
|
+
- Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
|
|
81
|
+
- JSON Web Encryption (JWE)
|
|
82
|
+
- JSON Web Signature (JWS) rarely used algorithms and HMAC
|
|
83
|
+
- Automatic polyfills of any kind
|
|
84
|
+
|
|
85
|
+
[web crypto api]: https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API
|
|
86
|
+
[fetch api]: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API
|
|
87
|
+
[fetch]: https://developer.mozilla.org/en-US/docs/Web/API/fetch
|
|
88
|
+
[textdecoder]: https://developer.mozilla.org/en-US/docs/Web/API/TextDecoder
|
|
89
|
+
[textencoder]: https://developer.mozilla.org/en-US/docs/Web/API/TextEncoder
|
|
90
|
+
[btoa]: https://developer.mozilla.org/en-US/docs/Web/API/btoa
|
|
91
|
+
[atob]: https://developer.mozilla.org/en-US/docs/Web/API/atob
|
|
92
|
+
[uint8array]: https://developer.mozilla.org/en-US/docs/Web/API/Uint8Array
|
|
93
|
+
[response]: https://developer.mozilla.org/en-US/docs/Web/API/Response
|
|
94
|
+
[headers]: https://developer.mozilla.org/en-US/docs/Web/API/Headers
|
|
95
|
+
[crypto]: https://developer.mozilla.org/en-US/docs/Web/API/crypto
|
|
96
|
+
[cryptokey]: https://developer.mozilla.org/en-US/docs/Web/API/CryptoKey
|
|
97
|
+
[urlsearchparams]: https://developer.mozilla.org/en-US/docs/Web/API/URLSearchParams
|
|
98
|
+
[encoding api]: https://developer.mozilla.org/en-US/docs/Web/API/Encoding_API
|
|
99
|
+
[url api]: https://developer.mozilla.org/en-US/docs/Web/API/URL_API
|
|
100
|
+
[url]: https://developer.mozilla.org/en-US/docs/Web/API/URL
|
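Review bot: The Deno import example at README line 42 loads `https://deno.land/x/oauth4webapi/src/index.ts` with no version in the URL, so anyone copying it resolves whichever release is latest at fetch time. For a library that handles OAuth tokens and client credentials, the example should show a pinned version (deno.land/x accepts an `@<version>` segment after the module name) so that upgrades are deliberate and reviewable. Separately, the Node.js entry at line 73 says runtime flags may be needed but only links to an issue. Stating the flags or the minimum Node.js version in the README itself would mean readers do not depend on that issue remaining available.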