- Uses oauth2_client for OAuth 2.0 workflows and Deno KV for persistent session storage.
- Automatically handles the authorization code flow with Proof Key for Code Exchange (PKCE), access token refresh, and client redirection.
- Comes with pre-configured OAuth 2.0 clients for popular providers.
- Works locally and in the cloud, including Deno Deploy.
- Based on the
Request
andResponse
interfaces from the Web API. - Works with
std/http's
serve()
andDeno.serve()
native HTTP servers, and web frameworks such as Fresh and Oak. See the In the Wild section below for examples and demos.
You can also check out a live demo at https://kv-oauth.deno.dev, which uses Github as the OAuth 2.0 provider. Source code is located in demo.ts.
Check out the full documentation and API reference here.
This example uses GitHub as the OAuth 2.0 provider. However, you can use any provider you like.
-
Create your OAuth 2.0 application for your given provider.
-
Create your pre-configured or custom OAuth 2.0 client instance.
// Pre-configured OAuth 2.0 client import { createGitHubOAuth2Client } from "https://deno.land/x/deno_kv_oauth@$VERSION/mod.ts"; const oauth2Client = createGitHubOAuth2Client();
-
Using the OAuth 2.0 client instance, insert the authentication flow functions into your authentication routes.
// Sign-in, callback and sign-out handlers import { createGitHubOAuth2Client, handleCallback, signIn, signOut, } from "https://deno.land/x/deno_kv_oauth@$VERSION/mod.ts"; const oauth2Client = createGitHubOAuth2Client(); async function handleSignIn(request: Request) { return await signIn(request, oauth2Client); } async function handleOAuth2Callback(request: Request) { return await handleCallback(request, oauth2Client); } async function handleSignOut(request: Request) { return await signOut(request); }
-
Use Deno KV OAuth's helper functions where needed.
// Protected route import { createGitHubOAuth2Client, getSessionAccessToken, getSessionId, } from "https://deno.land/x/deno_kv_oauth@$VERSION/mod.ts"; const oauth2Client = createGitHubOAuth2Client(); async function handleAccountPage(request: Request) { const sessionId = await getSessionId(request); const isSignedIn = sessionId !== undefined; if (!isSignedIn) return new Response(null, { status: 404 }); const accessToken = await getSessionAccessToken(oauth2Client, sessionId); return Response.json({ isSignedIn, accessToken }); }
-
Start your server with the necessary environment variables.
GITHUB_CLIENT_ID=xxx GITHUB_CLIENT_SECRET=xxx deno run --unstable --allow-env --allow-net server.ts
Check out a full implementation in the demo source code.
This module comes with a suite of pre-configured OAuth 2.0 clients for the following providers:
Each function is typed so that their respective platform's requirements are met.
If there's a pre-configured OAuth 2.0 client for a provider you'd like added, please submit a pull request or create a new issue.
If you require custom OAuth 2.0 configuration, you must define your client
using
new OAuth2Client()
from the oauth2_client
module.
E.g.:
import { OAuth2Client } from "https://deno.land/x/oauth2_client/mod.ts";
const client = new OAuth2Client({
clientId: Deno.env.get("CUSTOM_CLIENT_ID")!,
clientSecret: Deno.env.get("CUSTOM_CLIENT_SECRET")!,
authorizationEndpointUri: "https://custom.com/oauth/authorize",
tokenUri: "https://custom.com/oauth/token",
redirectUri: "https://my-site.com",
});
KV_PATH
(optional) - defines the path that Deno KV uses. See the API reference for further details.${PROVIDER}_CLIENT_ID
and${PROVIDER}_CLIENT_SECRET
- required when creating a pre-configured OAuth 2.0 client for a given provider. E.g. for Twitter, the environment variable keys areTWITTER_CLIENT_ID
andTWITTER_CLIENT_SECRET
. See the list below for specifics.OKTA_DOMAIN
orAUTH0_DOMAIN
- required only when using the Okta or Auth0 provider to supply your own given domain.
Note: reading environment variables requires the
--allow-env[=<VARIABLE_NAME>...]
permission flag. See the manual for further details.
Run deno task demo
to start the demo application. The task uses environment
variables defined in a .env
file at the root of this folder.
By default, the demo uses GitHub with a minimal scope. Use the PROVIDER
and
SCOPE
environment variables, if you'd like to change this behavior. E.g. for
Twitter:
PROVIDER=Twitter SCOPE=users.read deno task demo
Before submitting a pull request, please run deno task ok
and ensure all
checks pass. This checks formatting, linting, types and runs tests.
In the pull request, please do the following:
- Share a screenshot of the demo web page running on your local machine. This confirms that the newly created OAuth 2.0 client is working correctly.
- Ensure the code example snippet is reproducible.
- Add the provider to the README's list of pre-configured OAuth 2.0 clients, in alphabetical order.
Check out these projects powered by Deno KV OAuth 2.0:
- Deno SaaSKit / Deno Hunt - A modern SaaS template built on Fresh.
- KV SketchBook - Dead simple sketchbook app.
- Fresh + Deno KV OAuth demo - A demo of Deno KV OAuth working in the Fresh web framework.
- Oak + Deno KV OAuth demo - A demo of Deno KV OAuth working in the Oak web framework.
- Ultra + Deno KV OAuth demo - A demo of Deno KV OAuth working in the Ultra web framework.
Do you have a project powered by Deno KV OAuth 2.0 that you'd like to share? Please submit a pull request adding that project to this list.