A standards compliant implementation of an OAuth 2.0 authorization server with PKCE support.
This module was inspired by node-oauth2-server.
- The OAuth 2.0 Authorization Framework RFC 6749 compliant
- The OAuth 2.0 Authorization Framework: Bearer Token Usage RFC 6750 compliant
- Proof Key for Code Exchange by OAuth Public Clients RFC 7636 compliant
- Follows best security practices from RFC 6819 and OAuth 2.0 Security Best Current Practice
- Framework agnostic with officially supported adapter for Oak
To include this module in a Deno project, you can import directly from the TS files. This module is available in Deno's third part module registry but can also be imported directly from GitHub using raw content URLs.
There are 2 different main entry points for this module.
The ResourceServer provides methods for authenticating requests and verifying the request has proper authorization. You should use this if your server is not also acting as an authorization server.
// Import from Deno's third party module registry
import { ResourceServer } from "https://deno.land/x/oauth2_server@0.12.0/resource_server.ts";
// Import from GitHub
import { ResourceServer } from "https://raw.githubusercontent.com/udibo/oauth2_server/0.12.0/resource_server.ts";
The AuthorizationServer is an extension of the ResourceServer, adding methods used by the authorize and token endpoints.
// Import from Deno's third party module registry
import { AuthorizationServer } from "https://deno.land/x/oauth2_server@0.12.0/authorization_server.ts";
// Import from GitHub
import { AuthorizationServer } from "https://raw.githubusercontent.com/udibo/oauth2_server/0.12.0/authorization_server.ts";
An example of how to use this module can be found here. I wouldn't recommend using the example as is but it should give you an idea of how to use this module.
See deno docs for more information.
This module comes with the authorization code, client credentials, and refresh token grant types. The authorization code grant supports PKCE but does not require it.
An implementation of the resource owner password credentials grant can be found here but is not included in mod.ts because the grant type insecurely exposes the credentials of the resource owner to the client. See OAuth 2.0 Security Best Current Practice for more information.
The implicit grant was not implemented because it is vulnerable to access token leakage and access token replay. You should use the authorization code grant instead. See OAuth 2.0 Security Best Current Practice for more information.
When implemented, extension grants will be added to the same folder as the other grant types and added to this readme.
The models folder contains interfaces for objects used by this module. You can extend the models how you want.
The services folder contains abstract classes and interfaces for objects used by this module to get and store models.
The oak-localstorage example shows how to use localStorage for your services. The example includes some functions that are not required by this module. Some of the functions in the example don't need to be async since localStorage is syncronous but were made asyncronous to make it easy to replace localStorage with something else that is asyncronous.
This module is framework agnostic. Adapters can be created to make this compatible with any framework. It comes with an adapter for Oak.
If you would like to use this module with other frameworks, look at the oak adapter for an example of how to implement an adapter.
The oak adapter can be found here. A working example showing how to use this module with the adapter can be found here.