Class OauthCredentialProviderAbstract

Constructors

  • Constructs the base of the credential providers. Only use this class to inherit the base methods and properties.

    Parameters

    • options: {
          clientId: string;
          clientSecret?: string;
          scope?: string;
          tokenEndpointAuthMethod?: "client_secret_basic" | "client_secret_post";
          tokenLocation?: string;
          tokenName?: string;
          tokenPrefix?: string;
      } & ({
          issuer: string;
      } | {
          discoveryEndpoint: string;
      } | {
          authorizationEndpoint?: string;
          endSessionEndpoint?: string;
          tokenEndpoint: string;
      })

      The credential provider configuration options.

    • Optional openId: OpenIdConfiguration

      An OpenID configuration used to configure this credential provider.

    Returns OauthCredentialProvider

Properties

OpenID Provider metadata used to configure clients. Docs: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

authorizationEndpoint?: string

The authorization endpoint is used to interact with the resource owner and obtain an authorization grant. The authorization server MUST first verify the identity of the resource owner. Source: https://www.rfc-editor.org/rfc/rfc6749#section-3.1

clientId: string

The client identifier issued to the client during the registration process.

Source: https://www.rfc-editor.org/rfc/rfc6749#section-2.2

clientSecret: undefined | string

The client secret issued by the OAuth provider. Some credential providers do not require a client secret.

Source: https://www.rfc-editor.org/rfc/rfc6749#section-2.2

discoveryEndpoint: undefined | string

A fully qualified URL for the OpenID Provider Metadata.

Source: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

endSessionEndpoint?: string

URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP. This URL MUST use the https scheme and MAY contain port, path, and query parameter components. Source: https://openid.net/specs/openid-connect-rpinitiated-1_0.html#OPMetadata

scope: undefined | string

The scope to request during the authorization flow. As defined per the OAuth Specification: "...a list of space-delimited, case-sensitive strings. The strings are defined by the authorization server. If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional access range to the requested scope." Source: https://www.rfc-editor.org/rfc/rfc6749#section-3.3.

tokenEndpoint?: string

The token endpoint is used by the client to obtain an access token by presenting its authorization grant or refresh token. The token endpoint is used with every authorization grant except for the implicit grant type (deprecated), because in that flow an access token is issued directly. Source: https://www.rfc-editor.org/rfc/rfc6749#section-3.2

tokenEndpointAuthMethod?: TokenEndpointAuthMethod

Specifies the authentication method to be used at the OAuth 2.0 token endpoint.

This property indicates how the client credentials should be transmitted when exchanging an authorization code for an access token. The value can be one of the following:

  • TOKEN_ENDPOINT_AUTH_METHOD.BASIC: Client credentials are included in the HTTP Authorization header using Basic authentication (Base64-encoded clientId:clientSecret).
  • TOKEN_ENDPOINT_AUTH_METHOD.POST: Client credentials are sent as form parameters in the request body.

If this property is undefined, the authentication method defaults to TOKEN_ENDPOINT_AUTH_METHOD.POST.

tokenLocation: string

The location where the token should be used.

tokenName: string

The name of the token location property, usually a header name or querystring key.

tokenPrefix: string

The token value may have a prefix, such as 'Basic' or 'Bearer'.

Methods

  • Creates the configuration object for an OAuth2 token request.

    This function returns a RequestInit object that can be used with the fetch API to perform a token request. It builds the request using a POST method and the application/x-www-form-urlencoded content type. Depending on the authentication method (BASIC or POST) and the grant type (AUTHORIZATION_CODE or REFRESH_TOKEN), the appropriate headers and body parameters are conditionally included.

    • When using BASIC authentication and a client secret is provided, an Authorization header is added using Base64-encoded credentials (clientId:clientSecret).
    • For POST authentication, the client secret is added to the request body.
    • The request body is constructed with mandatory and optional parameters based on the grant type:
      • For the AUTHORIZATION_CODE grant, the code is included along with optional redirect_uri and code_verifier.
      • For the REFRESH_TOKEN grant, the refresh token is included if available.

    Parameters

    Returns RequestInit

    The request configuration object, including method, headers, and body.

  • Retrieves the token endpoint URL for the OpenID provider. It first checks if the tokenEndpoint property is already set and returns it if available. If not, it retrieves the OpenID configuration via the openId() method, obtains the token endpoint from the configuration, and converts it to a string.

    Returns Promise<string>

    A promise that resolves to the token endpoint URL as a string.
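
The token request construction described under Methods, written out as an added TypeScript example that is not this library's own code: `buildTokenRequest`, `Grant`, `TokenRequest` and `formEncode` are hypothetical names. It assumes the credentials are form-urlencoded before Base64 encoding, as RFC 6749 section 2.3.1 requires, which this page does not state about the library.

```typescript
// Added example with hypothetical names; not the library's implementation.
type AuthMethod = "client_secret_basic" | "client_secret_post";
type Grant =
  | { type: "authorization_code"; code: string; redirectUri?: string; codeVerifier?: string }
  | { type: "refresh_token"; refreshToken?: string };

// Structurally compatible with the fetch API's RequestInit.
interface TokenRequest { method: "POST"; headers: Record<string, string>; body: string }

// Assumption (RFC 6749 section 2.3.1): form-urlencode id and secret before Base64.
const formEncode = (v: string): string => new URLSearchParams({ v }).toString().slice(2);

function buildTokenRequest(
  clientId: string,
  clientSecret: string | undefined,
  grant: Grant,
  authMethod: AuthMethod = "client_secret_post", // default stated on this page
): TokenRequest {
  const headers: Record<string, string> = {
    "Content-Type": "application/x-www-form-urlencoded",
  };
  const body = new URLSearchParams({ grant_type: grant.type });

  if (grant.type === "authorization_code") {
    body.set("code", grant.code);
    if (grant.redirectUri) body.set("redirect_uri", grant.redirectUri);
    if (grant.codeVerifier) body.set("code_verifier", grant.codeVerifier);
  } else if (grant.refreshToken) {
    body.set("refresh_token", grant.refreshToken);
  }

  if (authMethod === "client_secret_basic" && clientSecret) {
    // Credentials travel only in the header; the secret never enters the body.
    const credentials = `${formEncode(clientId)}:${formEncode(clientSecret)}`;
    headers["Authorization"] = `Basic ${btoa(credentials)}`;
  } else {
    // POST method, or no secret configured: identify the client in the body.
    body.set("client_id", clientId);
    if (clientSecret) body.set("client_secret", clientSecret);
  }
  return { method: "POST", headers, body: body.toString() };
}
```

With either method the secret ends up in exactly one place, so request logging and proxies that capture bodies or headers should redact `client_secret` and `Authorization` respectively.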