@adr-express-ts/oauth2 v1.0.1
@adr-express-ts/oauth2
This is an OAuth2 Server Wrapper with support for PKCE
Content
Templates
For Password Grant and Authorization Code Grant with PKCE templates, use the @adr-express-ts/core and select the OAuth2 module(s)
PKCE Support
To use the PKCE:
code_challenge
andcode_challenge_method
(Which defaults toplain
) must be included in the Authorization Code Grant.code_verifier
must be sent in the Token Grant. Theclient_secret
is ignored whencode_verifier
is present.
Code Challenge Method S256
For S256, when sending the request from the client, the codeChallenge
must be saved as SHA256
in Base64
according to RFC7637 Page 17.
When the token is generated, the code_verifier
must not be encoded, the wrapper will hash it and validate it with the codeChallenge
.
Example in NodeJS for codeChallenge
:
import crypto from 'crypto';
const codeVerifier: string = 'some-hash';
const base64URLEncode = (buffer: Buffer) => {
return buffer
.toString('base64')
.replace(/\+/g, '-')
.replace(/\//g, '_')
.replace(/=/g, '');
};
const hash = base64URLEncode(
crypto.createHash('sha256').update(codeVerifier).digest()
);
Code Challenge Method plain
For plain, when sending the request from the client, the codeChallenge
must be validated by this regex /^([A-Za-z0-9\.\-\_\~]){43,128}$/
according to RFC7637 Section 4.1.
When the token is generated, the code_verifier
must be the same as codeChallenge
.
Request model for Authorize
and Authorization Code Grant
The code verifier
is some-hash
.
The code challenge
is xtZ07fkhEB8SBPd1I5DLKo1_4OsA8GXYR328wpqfNms
.
The Authorization
header is required and can be generated from Password Grant to know which user is which.
The parameters for the request body as application/x-www-form-urlencoded
are:
{
"client_id": "123456789",
"grant_type": "authorization_code",
"state": "some_state",
"response_type": "code",
"scope": "some_scope",
"code_challenge_method": "S256",
"code_challenge": "xtZ07fkhEB8SBPd1I5DLKo1_4OsA8GXYR328wpqfNms"
}
curl --location --request POST 'http://127.0.0.1/api/v1/oauth2/authorize' \
--header 'Authorization: Bearer some-access-token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=123456789' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'state=some_state' \
--data-urlencode 'response_type=code' \
--data-urlencode 'scope=some_scope' \
--data-urlencode 'code_challenge_method=S256' \
--data-urlencode 'code_challenge=xtZ07fkhEB8SBPd1I5DLKo1_4OsA8GXYR328wpqfNms'
Response:
{
"code": "248ebd408a963cf3c66eecd22146ec35ac11384f",
"state": "some_state"
}
Request model for Token
and Authorization Code Grant
The parameters for the request body as application/x-www-form-urlencoded
are:
{
"client_id": "123456789",
"grant_type": "authorization_code",
"code": "248ebd408a963cf3c66eecd22146ec35ac11384f",
"redirect_uri": "http://url",
"code_verifier": "some-hash"
}
curl --location --request POST 'http://127.0.0.1/api/v1/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=123456789' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'code=248ebd408a963cf3c66eecd22146ec35ac11384f' \
--data-urlencode 'redirect_uri=http://url' \
--data-urlencode 'code_verifier=some-hash'
Response:
{
"access_token": "25202a95c58ffaead0d423a75c7b89e3a4e71046",
"token_type": "Bearer",
"expires_in": 3599,
"refresh_token": "1a54d25aafe6cc54a486680c1ec538c3731ba74a",
"scope": "some_scope"
}