Class AuthorizationCodeProvider

Hierarchy (view full)

Constructors

constructor

Properties

_openId? authorizationEndpoint? clientId clientSecret discoveryEndpoint endSessionEndpoint? maxRefreshRetries maxRefreshRetryDelay postLogoutRedirectUri redirectUri scope session tokenEndpoint? tokenEndpointAuthMethod? tokenLocation tokenName tokenPrefix

Methods

clone createTokenRequest expireToken getAccessToken getAuthCodeFromRedirect getAuthorizationUri getTokenEndpoint getTokenFromAuthCode getTokenFromCodeRedirect getUserInfo issuer openId refreshToken resolve from fromEnv

Constructors

constructor

Properties

Protected Optional _openId

_openId?: OpenIdConfiguration

OpenID Provider metadata used to configure clients. Docs: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

Optional Readonly authorizationEndpoint

authorizationEndpoint?: string

The authorization endpoint is used to interact with the resource owner and obtain an authorization grant. The authorization server MUST first verify the identity of the resource owner. Source: https://www.rfc-editor.org/rfc/rfc6749#section-3.1

Readonly clientId

clientId: string

The client identifier issued to the client during the registration process.

Source: https://www.rfc-editor.org/rfc/rfc6749#section-2.2

Protected Readonly clientSecret

clientSecret: undefined | string

The client secret issued by the OAuth provider. Some credential providers do not require a client secret.

Source: https://www.rfc-editor.org/rfc/rfc6749#section-2.2

Readonly discoveryEndpoint

discoveryEndpoint: undefined | string

A fully qualified URL for the OpenId Provider Metadata.

Source: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

Optional Readonly endSessionEndpoint

endSessionEndpoint?: string

URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP. This URL MUST use the https scheme and MAY contain port, path, and query parameter components. SOURCE: https://openid.net/specs/openid-connect-rpinitiated-1_0.html#OPMetadata

Readonly maxRefreshRetries

maxRefreshRetries: number

Readonly maxRefreshRetryDelay

maxRefreshRetryDelay: number

Readonly postLogoutRedirectUri

postLogoutRedirectUri: string

The redirection endpoint that the authorization server should redirect to after unauthenticating the resource owner.

Readonly redirectUri

redirectUri: string

The redirection endpoint that the authorization server should redirect to after authenticating the resource owner.

Source: https://www.rfc-editor.org/rfc/rfc6749#section-3.1.2

Readonly scope

scope: undefined | string

The scope to request during the authorization flow. As defined per the OAuth Specification: "...a list of space-delimited, case-sensitive strings. The strings are defined by the authorization server. If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional access range to the requested scope." Source: https://www.rfc-editor.org/rfc/rfc6749#section-3.3.

Readonly session

session: undefined | Session

Optional Readonly tokenEndpoint

tokenEndpoint?: string

The token endpoint is used by the client to obtain an access token by presenting its authorization grant or refresh token. The token endpoint is used with every authorization grant except for the implicit grant type (deprecated) since an access token is issued directly. Source: https://www.rfc-editor.org/rfc/rfc6749#section-3.2

Optional Readonly tokenEndpointAuthMethod

tokenEndpointAuthMethod?: TokenEndpointAuthMethod

Specifies the authentication method to be used at the OAuth 2.0 token endpoint.

This property indicates how the client credentials should be transmitted when exchanging an authorization code for an access token. The value can be one of the following:

  • TOKEN_ENDPOINT_AUTH_METHOD.BASIC: Client credentials are included in the HTTP Authorization header using Basic authentication (base64 encoded clientId:clientSecret).
  • TOKEN_ENDPOINT_AUTH_METHOD.POST: Client credentials are sent as form parameters in the request body.

If this property is undefined, the authentication method defaults to TOKEN_ENDPOINT_AUTH_METHOD.POST.

Readonly tokenLocation

tokenLocation: string

The location where the token should be used.

Readonly tokenName

tokenName: string

The name of the token location property, usually a header name or querystring key.

Readonly tokenPrefix

tokenPrefix: string

The token value may have a prefix, such as 'Basic' or 'Bearer'

Methods

clone

Protected createTokenRequest

  • createTokenRequest(options): RequestInit

  • Creates the configuration object for an OAuth2 token request.

    This function returns a RequestInit object that can be used with the fetch API to perform a token request. It builds the request using a POST method and the application/x-www-form-urlencoded content type. Depending on the authentication method (BASIC or POST) and the grant type (AUTHORIZATION_CODE or REFRESH_TOKEN), the appropriate headers and body parameters are conditionally included.

    • When using BASIC authentication and a client secret is provided, an Authorization header is added using Base64-encoded credentials (clientId:clientSecret).
    • For POST authentication, the client secret is added to the request body.
    • The request body is constructed with mandatory and optional parameters based on the grant type:
      • For the AUTHORIZATION_CODE grant, the code is included along with optional redirect_uri and code_verifier.
      • For the REFRESH_TOKEN grant, the refresh token is included if available.

    Parameters

    Returns RequestInit

    The request configuration object, including method, headers, and body.

expireToken

getAccessToken

getAuthCodeFromRedirect

getAuthorizationUri

Protected getTokenEndpoint

  • getTokenEndpoint(): Promise<string>

  • Retrieves the token endpoint URL for the OpenID provider. It first checks if the tokenEndpoint property is already set and returns it if available. If not, it retrieves the OpenID configuration via the openId() method, obtains the token endpoint from the configuration, and converts it to a string.

    Returns Promise<string>

    A promise that resolves to the token endpoint URL as a string.

getTokenFromAuthCode

  • getTokenFromAuthCode(authCode, codeVerifier?): Promise<AccessToken>

  • Get an access token using the authorization code.

    Parameters

    • authCode: AuthorizationCode

      The parsed authorization code from the authorization redirect url.

    • Optional codeVerifier: string

      A cryptographically unique string to use to verify the client is the only entity able to trade the authorization code for an access token. Use the genCodeVerifier method to securely generate a code verifier.

    Returns Promise<AccessToken>

    An active access token.

getTokenFromCodeRedirect

getUserInfo

  • getUserInfo(token, tokenTypeHint?): Promise<any>

  • Retrieves the user information associated with the access token. To do this, it first looks up the user info endpoint in the open id configuration document.

    Parameters

    • token: AccessToken

      The access token to be introspected

    • Optional tokenTypeHint: string

      The

    Returns Promise<any>

issuer

openId

refreshToken

resolve

Static from

Static fromEnv

Settings

Member Visibility

Theme

On This Page

constructor_openIdauthorizationEndpointclientIdclientSecretdiscoveryEndpointendSessionEndpointmaxRefreshRetriesmaxRefreshRetryDelaypostLogoutRedirectUriredirectUriscopesessiontokenEndpointtokenEndpointAuthMethodtokenLocationtokenNametokenPrefixclonecreateTokenRequestexpireTokengetAccessTokengetAuthCodeFromRedirectgetAuthorizationUrigetTokenEndpointgetTokenFromAuthCodegetTokenFromCodeRedirectgetUserInfoissueropenIdrefreshTokenresolvefromfromEnv