{"library":"oauth4webapi","title":"Low-Level OAuth 2 / OpenID Connect Client API","description":"oauth4webapi is a low-level JavaScript client library for implementing OAuth 2.1, OAuth 2.0 (following the OAuth 2.0 Security Best Current Practice), FAPI 2.0, and OpenID Connect. It provides routines for authorization server metadata discovery, the common grant flows (Authorization Code with PKCE, Refresh Token, Device Authorization, CIBA, Client Credentials), DPoP, Token Introspection and Revocation, Pushed Authorization Requests (PAR), UserInfo requests, and JWT-secured mechanisms. Being low-level, it performs no redirects and keeps no state of its own: the application must carry the PKCE code verifier, state and nonce across the redirect (normally in a server-side session) and hand them back to the library at the callback. It runs on the Web Fetch and Web Crypto APIs, so the same code works in browsers and in non-browser runtimes such as Node.js, Deno, and Bun. At the verified version, 3.8.5, it receives frequent patch and minor releases, as its changelog shows. It has no runtime dependencies and is OpenID Certified, which keeps the supply-chain surface of a security-critical component small.","language":"javascript","status":"active","last_verified":"Sun Apr 19","install":{"commands":["npm install oauth4webapi"],"cli":null},"imports":["import * as oauth from 'oauth4webapi'","import { discoveryRequest, processDiscoveryResponse } from 'oauth4webapi'","import { generateRandomCodeVerifier, calculatePKCECodeChallenge } from 'oauth4webapi'"],"auth":{"required":false,"env_vars":["GOOGLE_CLIENT_ID","GOOGLE_CLIENT_SECRET"]},"quickstart":{"code":"import * as oauth from 'oauth4webapi';\n\n// Discovery: fetch the issuer's metadata from /.well-known/openid-configuration\n// (algorithm 'oidc') and check that its `issuer` matches the URL we asked about.\nconst issuer = new URL('https://accounts.google.com');\nconst as = await oauth\n  .discoveryRequest(issuer, { algorithm: 'oidc' })\n  .then((response) => oauth.processDiscoveryResponse(issuer, response));\n\nconst client: oauth.Client = { client_id: process.env.GOOGLE_CLIENT_ID ?? '' };\n// Confidential client: authenticate at the token endpoint with client_secret_post.\nconst clientAuth = oauth.ClientSecretPost(process.env.GOOGLE_CLIENT_SECRET ?? '');\n\n// Must exactly match a redirect URI registered for this client at the IdP.\nconst redirect_uri = 'http://localhost:3000/callback';\n\n// Per-login values that must survive the redirect; a real application keeps\n// these in a server-side session. Keyed by `state` so the callback can find\n// the PKCE verifier and nonce that belong to the login it completes.\nconst pending = new Map<string, { code_verifier: string; nonce: string }>();\n\nasync function initiateOAuthFlow(): Promise<URL> {\n  const code_verifier = oauth.generateRandomCodeVerifier();\n  const code_challenge = await oauth.calculatePKCECodeChallenge(code_verifier);\n  const state = oauth.generateRandomState();\n  const nonce = oauth.generateRandomNonce();\n  pending.set(state, { code_verifier, nonce });\n\n  const authorizationUrl = new URL(as.authorization_endpoint!);\n  authorizationUrl.searchParams.set('client_id', client.client_id);\n  authorizationUrl.searchParams.set('redirect_uri', redirect_uri);\n  authorizationUrl.searchParams.set('response_type', 'code');\n  authorizationUrl.searchParams.set('scope', 'openid email profile');\n  authorizationUrl.searchParams.set('code_challenge', code_challenge);\n  authorizationUrl.searchParams.set('code_challenge_method', 'S256');\n  authorizationUrl.searchParams.set('state', state);\n  authorizationUrl.searchParams.set('nonce', nonce);\n\n  // In a real application, redirect the user agent to this URL.\n  console.log('Please visit this URL to authenticate:', authorizationUrl.href);\n  return authorizationUrl;\n}\n\nasync function handleCallback(requestUrl: string): Promise<oauth.TokenEndpointResponse> {\n  const currentUrl = new URL(requestUrl);\n  const state = currentUrl.searchParams.get('state');\n  const login = state ? pending.get(state) : undefined;\n  if (!state || !login) {\n    throw new Error('unknown or missing state: CSRF or replayed callback');\n  }\n  pending.delete(state); // a state value is valid for one callback only\n\n  // Validates state (and iss, where the AS supports it); an error response\n  // from the AS is surfaced as a thrown oauth.AuthorizationResponseError.\n  const params = oauth.validateAuthResponse(as, client, currentUrl, state);\n\n  // Redeem the code. The PKCE verifier proves this client started the flow,\n  // so an intercepted code is useless on its own.\n  const response = await oauth.authorizationCodeGrantRequest(\n    as, client, clientAuth, params, redirect_uri, login.code_verifier,\n  );\n\n  // Parses the token response and validates the ID Token claims (iss, aud,\n  // exp, iat and the nonce we sent). The JWT signature is not checked here\n  // because the token came straight from the token endpoint over TLS; call\n  // oauth.validateApplicationLevelSignature(as, response) if you need it.\n  // An OAuth error body is surfaced as a thrown oauth.ResponseBodyError.\n  const result = await oauth.processAuthorizationCodeResponse(as, client, response, {\n    expectedNonce: login.nonce,\n    requireIdToken: true,\n  });\n\n  const claims = oauth.getValidatedIdTokenClaims(result)!;\n  console.log('Access Token:', result.access_token);\n  console.log('ID Token subject:', claims.sub);\n  return result;\n}\n\n// Example usage (simplified for quickstart)\nawait initiateOAuthFlow();\n// After the user authenticates, the IdP redirects to redirect_uri; pass that\n// full callback URL in, e.g.:\n// await handleCallback('http://localhost:3000/callback?code=YOUR_CODE_HERE&state=YOUR_STATE_HERE');\n","lang":"typescript","description":"This quickstart demonstrates a basic OpenID Connect Authorization Code Flow with PKCE, covering discovery, authorization URL construction, code exchange and ID Token claim validation, using Google as the IdP. It highlights `discoveryRequest`/`processDiscoveryResponse`, `generateRandomCodeVerifier`/`calculatePKCECodeChallenge`, `validateAuthResponse`, `authorizationCodeGrantRequest`, `processAuthorizationCodeResponse` and `getValidatedIdTokenClaims`. The code verifier, state and nonce are generated per login and must be stored server-side between the two requests; the in-memory Map stands in for a session store and enforces one-time use of each state value. In version 3 the library reports protocol errors by throwing (`AuthorizationResponseError`, `ResponseBodyError`) rather than returning error objects.","tag":null,"tag_description":null,"last_tested":null,"results":[]},"compatibility":null}