Hey HN, author here.

When I was first learning OAuth, I found that all the guides were text-heavy and lacked code. I personally learn better from code, so I created a code-first guide. Let me know if you have any feedback!

For those looking for production-level OAuth libs, the best implementation for all JS runtimes is https://github.com/panva/oauth4webapi

Certified, thoroughly tested, zero deps, fully typed, secure defaults, works in Node/Deno/Bun/Edge, supports PKCE/dPoP/etc.

In what cases is this kind of plain auth code flow still considered good enough from a security POV?

There's advice eg https://www.oauth.com/oauth2-servers/pkce/ that seems to say you should PKCE it even in server-side auth code flow use cases:

> PKCE was originally designed to protect the authorization code flow in mobile apps, and was later recommended to be used by single-page apps as well. In later years, it was recognized that its ability to prevent authorization code injection makes it useful for every type of OAuth client, even apps running on a web server that use a client secret.

At my old company we worked with auth a lot, so it was a requirement for new joiners to watch this in their first week. I still recommend it if you want to learn OAuth from 0.

I recently started writing an API client for some endpoints protected with OAuth2 and it was an absolute pain at first. Very few examples were available that took into account their quirks, and I ended up relying on a random git repo I found with a working implementation written in PHP.

I'm learning OAuth right now and this is great!

It's simple with barebones implementations. I'm trying to now learn the server (OAuth provider) side aspect of things, so if anyone has any good guides I'd highly appreciate it! A lot of the stuff we see in the client side we take for granted, e.g. redirecting the user back to the client? Generating access tokens? Generating OAuth tokens, verification of identity, etc.

Any help is appreciated!

What I learned from writing my own auth (OAuth as well): it's not worth the time and effort. Great learning opportunity, with way too many footguns.

This is really great; I learn best from this sort of thing: a bare-bones code implementation.

Only suggestions: add some more providers, some minimal client-side code, and show how to get some data from the provider API with the token and how to refresh it.

I like the website, but it does NOT work in reader mode.

I like this; OAuth has a certain threshold, whether this can run in the browser or not.

I've moved on to Deno. How about a tutorial with that?