Skip to content

Commit e102d0f

Browse files
authored
Merge pull request #450 from dhensby/docs/compliance-guide
docs: add a compliance / integration-layer responsibilities guide
2 parents f18f4b2 + fb19e48 commit e102d0f

2 files changed

Lines changed: 117 additions & 0 deletions

File tree

docs/.vitepress/config.mts

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,7 @@ export default defineConfig({
2424
{text: 'Token types', link: '/guide/token-types'},
2525
{text: 'PKCE', link: '/guide/pkce'},
2626
{text: 'Adapters', link: '/guide/adapters'},
27+
{text: 'Compliance', link: '/guide/compliance'},
2728
{text: 'Migrating to v5', link: '/guide/migrating-to-v5'},
2829
{text: 'Contributing', link: '/guide/contributing'},
2930
]

docs/guide/compliance.md

Lines changed: 116 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,116 @@
1+
# Compliance & your responsibilities
2+
3+
`@node-oauth/oauth2-server` implements the OAuth 2.0 *protocol logic* — the grant
4+
flows, authorization-code and token validation, scope checks, PKCE verification,
5+
and RFC-compliant success/error responses. It is deliberately **framework-agnostic
6+
and transport-agnostic**: it never touches the network, your HTTP framework, or
7+
your storage directly.
8+
9+
That means full [RFC 6749](https://www.rfc-editor.org/rfc/rfc6749) /
10+
[RFC 6750](https://www.rfc-editor.org/rfc/rfc6750) conformance is a shared
11+
responsibility. This page lists the requirements that fall on **you** — the
12+
integration (Express / Koa / Fastify / …) and deployment layers — so you can build
13+
your own conformance checklist. If you use an official adapter such as
14+
[express-oauth-server](https://www.npmjs.com/package/@node-oauth/express-oauth-server),
15+
some of these are handled for you.
16+
17+
## What the library already handles
18+
19+
So you know where the boundary sits, the library takes care of:
20+
21+
- The `authorization_code`, `client_credentials`, `refresh_token` and `password`
22+
grant flows, plus extension grants.
23+
- Validating authorization codes, refresh tokens and access tokens (existence,
24+
ownership and expiry), and enforcing single use of authorization codes.
25+
- Scope parsing/validation and PKCE verification (see [PKCE](./pkce.md)).
26+
- Reading request parameters from **both** the query string and the request body.
27+
- Requiring the token endpoint to use `POST` with
28+
`Content-Type: application/x-www-form-urlencoded`.
29+
- RFC-compliant responses: the `error` / `error_description` body on failures
30+
([§5.2](https://www.rfc-editor.org/rfc/rfc6749#section-5.2)),
31+
`Cache-Control: no-store` and `Pragma: no-cache` on token responses
32+
([§5.1](https://www.rfc-editor.org/rfc/rfc6749#section-5.1)), and the
33+
`WWW-Authenticate` header on `401` responses.
34+
35+
## What you must handle
36+
37+
### Transport security (TLS)
38+
39+
> The authorization server MUST require the use of TLS []
40+
>
41+
> [RFC 6749 §1.6](https://www.rfc-editor.org/rfc/rfc6749#section-1.6), [§2.3.1](https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1)
42+
43+
The library does not — and cannot — enforce transport security. Serve every
44+
endpoint over HTTPS (terminate TLS at your server or reverse proxy) and reject
45+
plaintext requests.
46+
47+
### Support `GET` on the authorization endpoint
48+
49+
> The authorization server MUST support the use of the HTTP "GET" method
50+
> [RFC2616] for the authorization endpoint and MAY support the use of the "POST"
51+
> method as well.
52+
>
53+
> [RFC 6749 §3.1](https://www.rfc-editor.org/rfc/rfc6749#section-3.1)
54+
55+
The library reads the authorization request from both the query string and the
56+
body, so it works with either method — but **your router must expose the
57+
authorization endpoint over `GET`** (and may also accept `POST`). The token
58+
endpoint, by contrast, MUST be `POST`, which the library enforces.
59+
60+
### Send the response and perform redirects
61+
62+
The library *populates* the `Response` object; it does not send it. You must copy
63+
the status, headers and body onto your framework's real response object and, for
64+
the authorization endpoint, issue the redirect (the `location` header is set for
65+
you). Do not reassign your framework's `req`/`res` to the library's
66+
`Request`/`Response` — wrap them in new variables, or you will lose framework
67+
methods such as `res.redirect()`.
68+
69+
### Brute-force protection / rate limiting
70+
71+
> Since this client authentication method involves a password, the authorization
72+
> server MUST protect any endpoint utilizing it against brute force attacks.
73+
>
74+
> [RFC 6749 §2.3.1](https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1)
75+
76+
Add rate limiting / throttling at the integration or deployment layer (middleware
77+
or gateway) for the token and authorization endpoints, especially when
78+
`client_secret` authentication or the (deprecated) `password` grant is in use.
79+
80+
### CSRF protection and `state`
81+
82+
The library requires the `state` parameter by default (unless `allowEmptyState`
83+
is set), validates it, and reflects it back on the authorization response. What
84+
it can't do for you is the CSRF protection itself: guarding your login / consent
85+
UI against CSRF, and having the *client* verify that the `state` returned on the
86+
redirect matches the value it sent, remain your responsibility
87+
([RFC 6749 §10.12](https://www.rfc-editor.org/rfc/rfc6749#section-10.12)).
88+
89+
### Authenticate the resource owner
90+
91+
For the authorization endpoint you must supply an `authenticateHandler` that
92+
returns the logged-in user (see [Getting started](./getting-started.md)). The
93+
library does not implement user login or session management.
94+
95+
### Secure storage in your model
96+
97+
Your [model](./model.md) is responsible for handling secrets and tokens safely:
98+
hash and compare `client_secret`s, store authorization codes and tokens securely
99+
and honour their expiry, and validate `redirect_uri`s against the registered set
100+
(`validateRedirectUri`) — see
101+
[RFC 6749 §3.1.2](https://www.rfc-editor.org/rfc/rfc6749#section-3.1.2) and
102+
[§10](https://www.rfc-editor.org/rfc/rfc6749#section-10).
103+
104+
## Conformance checklist
105+
106+
- [ ] All endpoints served over **TLS**.
107+
- [ ] Authorization endpoint reachable via **`GET`** (and optionally `POST`).
108+
- [ ] Framework response sent and redirects issued (see [Sending the response](./getting-started.md#sending-the-response)).
109+
- [ ] **Rate limiting / brute-force** protection on the token and authorization endpoints.
110+
- [ ] **CSRF** protection on the login/consent UI; `state` validated by clients.
111+
- [ ] Resource owner authenticated via an `authenticateHandler`.
112+
- [ ] Model stores secrets/codes/tokens securely and validates `redirect_uri`.
113+
- [ ] **PKCE** used for the authorization code grant (see [PKCE](./pkce.md)).
114+
115+
See also [RFC 6749 §10 (Security Considerations)](https://www.rfc-editor.org/rfc/rfc6749#section-10)
116+
and [RFC 9700 (OAuth 2.0 Security Best Current Practice)](https://www.rfc-editor.org/rfc/rfc9700).

0 commit comments

Comments
 (0)