Certified, thoroughly tested, zero deps, fully typed, secure defaults, works in Node/Deno/Bun/Edge, supports PKCE/dPoP/etc.
There's advice, e.g. https://www.oauth.com/oauth2-servers/pkce/, that seems to say you should PKCE it even in server-side auth code flow use cases:
> PKCE was originally designed to protect the authorization code flow in mobile apps, and was later recommended to be used by single-page apps as well. In later years, it was recognized that its ability to prevent authorization code injection makes it useful for every type of OAuth client, even apps running on a web server that use a client secret.
It's simple with barebones implementations. I'm trying to now learn the server (OAuth provider) side aspect of things, so if anyone has any good guides I'd highly appreciate it! A lot of the stuff we see in the client side we take for granted, e.g. redirecting the user back to the client? Generating access tokens? Generating OAuth tokens, verification of identity, etc.
Any help is appreciated!
Only suggestions: add some more providers, some minimal client-side code, and show how to get some data from the provider API with the token and how to refresh it.
When I was first learning OAuth, I found that all the guides were text-heavy and lacked code. I personally learn better from code, so I created a code-first guide. Let me know if you have any feedback!