|
| 1 | +# Compliance & your responsibilities |
| 2 | + |
| 3 | +`@node-oauth/oauth2-server` implements the OAuth 2.0 *protocol logic* — the grant |
| 4 | +flows, authorization-code and token validation, scope checks, PKCE verification, |
| 5 | +and RFC-compliant success/error responses. It is deliberately **framework-agnostic |
| 6 | +and transport-agnostic**: it never touches the network, your HTTP framework, or |
| 7 | +your storage directly. |
| 8 | + |
| 9 | +That means full [RFC 6749](https://www.rfc-editor.org/rfc/rfc6749) / |
| 10 | +[RFC 6750](https://www.rfc-editor.org/rfc/rfc6750) conformance is a shared |
| 11 | +responsibility. This page lists the requirements that fall on **you** — the |
| 12 | +integration (Express / Koa / Fastify / …) and deployment layers — so you can build |
| 13 | +your own conformance checklist. If you use an official adapter such as |
| 14 | +[express-oauth-server](https://www.npmjs.com/package/@node-oauth/express-oauth-server), |
| 15 | +some of these are handled for you. |
| 16 | + |
| 17 | +## What the library already handles |
| 18 | + |
| 19 | +So you know where the boundary sits, the library takes care of: |
| 20 | + |
| 21 | +- The `authorization_code`, `client_credentials`, `refresh_token` and `password` |
| 22 | + grant flows, plus extension grants. |
| 23 | +- Validating authorization codes, refresh tokens and access tokens (existence, |
| 24 | + ownership and expiry), and enforcing single use of authorization codes. |
| 25 | +- Scope parsing/validation and PKCE verification (see [PKCE](./pkce.md)). |
| 26 | +- Reading request parameters from **both** the query string and the request body. |
| 27 | +- Requiring the token endpoint to use `POST` with |
| 28 | + `Content-Type: application/x-www-form-urlencoded`. |
| 29 | +- RFC-compliant responses: the `error` / `error_description` body on failures |
| 30 | + ([§5.2](https://www.rfc-editor.org/rfc/rfc6749#section-5.2)), |
| 31 | + `Cache-Control: no-store` and `Pragma: no-cache` on token responses |
| 32 | + ([§5.1](https://www.rfc-editor.org/rfc/rfc6749#section-5.1)), and the |
| 33 | + `WWW-Authenticate` header on `401` responses. |
| 34 | + |
| 35 | +## What you must handle |
| 36 | + |
| 37 | +### Transport security (TLS) |
| 38 | + |
| 39 | +> The authorization server MUST require the use of TLS […] |
| 40 | +> |
| 41 | +> — [RFC 6749 §1.6](https://www.rfc-editor.org/rfc/rfc6749#section-1.6), [§2.3.1](https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1) |
| 42 | +
|
| 43 | +The library does not — and cannot — enforce transport security. Serve every |
| 44 | +endpoint over HTTPS (terminate TLS at your server or reverse proxy) and reject |
| 45 | +plaintext requests. |
| 46 | + |
| 47 | +### Support `GET` on the authorization endpoint |
| 48 | + |
| 49 | +> The authorization server MUST support the use of the HTTP "GET" method |
| 50 | +> [RFC2616] for the authorization endpoint and MAY support the use of the "POST" |
| 51 | +> method as well. |
| 52 | +> |
| 53 | +> — [RFC 6749 §3.1](https://www.rfc-editor.org/rfc/rfc6749#section-3.1) |
| 54 | +
|
| 55 | +The library reads the authorization request from both the query string and the |
| 56 | +body, so it works with either method — but **your router must expose the |
| 57 | +authorization endpoint over `GET`** (and may also accept `POST`). The token |
| 58 | +endpoint, by contrast, MUST be `POST`, which the library enforces. |
| 59 | + |
| 60 | +### Send the response and perform redirects |
| 61 | + |
| 62 | +The library *populates* the `Response` object; it does not send it. You must copy |
| 63 | +the status, headers and body onto your framework's real response object and, for |
| 64 | +the authorization endpoint, issue the redirect (the `location` header is set for |
| 65 | +you). Do not reassign your framework's `req`/`res` to the library's |
| 66 | +`Request`/`Response` — wrap them in new variables, or you will lose framework |
| 67 | +methods such as `res.redirect()`. |
| 68 | + |
| 69 | +### Brute-force protection / rate limiting |
| 70 | + |
| 71 | +> Since this client authentication method involves a password, the authorization |
| 72 | +> server MUST protect any endpoint utilizing it against brute force attacks. |
| 73 | +> |
| 74 | +> — [RFC 6749 §2.3.1](https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1) |
| 75 | +
|
| 76 | +Add rate limiting / throttling at the integration or deployment layer (middleware |
| 77 | +or gateway) for the token and authorization endpoints, especially when |
| 78 | +`client_secret` authentication or the (deprecated) `password` grant is in use. |
| 79 | + |
| 80 | +### CSRF protection and `state` |
| 81 | + |
| 82 | +The library requires the `state` parameter by default (unless `allowEmptyState` |
| 83 | +is set), validates it, and reflects it back on the authorization response. What |
| 84 | +it can't do for you is the CSRF protection itself: guarding your login / consent |
| 85 | +UI against CSRF, and having the *client* verify that the `state` returned on the |
| 86 | +redirect matches the value it sent, remain your responsibility |
| 87 | +([RFC 6749 §10.12](https://www.rfc-editor.org/rfc/rfc6749#section-10.12)). |
| 88 | + |
| 89 | +### Authenticate the resource owner |
| 90 | + |
| 91 | +For the authorization endpoint you must supply an `authenticateHandler` that |
| 92 | +returns the logged-in user (see [Getting started](./getting-started.md)). The |
| 93 | +library does not implement user login or session management. |
| 94 | + |
| 95 | +### Secure storage in your model |
| 96 | + |
| 97 | +Your [model](./model.md) is responsible for handling secrets and tokens safely: |
| 98 | +hash and compare `client_secret`s, store authorization codes and tokens securely |
| 99 | +and honour their expiry, and validate `redirect_uri`s against the registered set |
| 100 | +(`validateRedirectUri`) — see |
| 101 | +[RFC 6749 §3.1.2](https://www.rfc-editor.org/rfc/rfc6749#section-3.1.2) and |
| 102 | +[§10](https://www.rfc-editor.org/rfc/rfc6749#section-10). |
| 103 | + |
| 104 | +## Conformance checklist |
| 105 | + |
| 106 | +- [ ] All endpoints served over **TLS**. |
| 107 | +- [ ] Authorization endpoint reachable via **`GET`** (and optionally `POST`). |
| 108 | +- [ ] Framework response sent and redirects issued (see [Sending the response](./getting-started.md#sending-the-response)). |
| 109 | +- [ ] **Rate limiting / brute-force** protection on the token and authorization endpoints. |
| 110 | +- [ ] **CSRF** protection on the login/consent UI; `state` validated by clients. |
| 111 | +- [ ] Resource owner authenticated via an `authenticateHandler`. |
| 112 | +- [ ] Model stores secrets/codes/tokens securely and validates `redirect_uri`. |
| 113 | +- [ ] **PKCE** used for the authorization code grant (see [PKCE](./pkce.md)). |
| 114 | + |
| 115 | +See also [RFC 6749 §10 (Security Considerations)](https://www.rfc-editor.org/rfc/rfc6749#section-10) |
| 116 | +and [RFC 9700 (OAuth 2.0 Security Best Current Practice)](https://www.rfc-editor.org/rfc/rfc9700). |
0 commit comments