# OAuth2 Provider

Act as an OAuth2 + OpenID Connect provider: Authorization Code + PKCE, refresh tokens, and ID tokens.

thunder-core can act as an OAuth2 + OIDC provider (Authorization Code + PKCE, refresh tokens, ID tokens). The core logic is the `OAuth2` class in `lib/oauth2.ts`.
## Key Methods

Read `lib/oauth2.ts` for the full method set. The important ones:

| Method | Purpose |
|---|---|
| `resolveJWKs` | Lazily generates and persists an RS256 keypair in the `jwks` collection. |
| `createOAuthConfig` | Builds the discovery metadata. |
| `validateOAuthParams` / `validateConfidentialClient` | Validate incoming authorization requests and confidential clients. |
| `signJWT` / `verifyJWT` | HS256 signing with `SECRET_KEY`; used for access tokens, refresh tokens and authorization codes. |
| `signIdToken` | RS256 ID tokens signed with the JWKS keypair. |
| `generateAuthorizationCode` / `exchangeToken` / `revoke` / `verifyAccessToken` | The token lifecycle (S256 PKCE only). |
## Concepts Not Obvious From Method Names

- Consent versioning: each consent has a `version`. `exchangeToken` increments it, which revokes previously issued tokens carrying an older version.
- Refresh tokens are only issued when the consent includes `offline_access`.
- ID tokens are only issued when the consent includes `openid`.
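The following block is an added example, not thunder-core's own code: it models the S256-only code exchange from the method table and the consent-versioning and `offline_access` rules above with an in-memory consent store. `SECRET_KEY` is constructed at startup, the HS256 JWT helpers stand in for `signJWT` / `verifyJWT`, the `Consent` and `Claims` shapes are assumptions, and RS256 ID tokens are left out. Single-use authorization codes are this example's own choice, not something the page states.

```typescript
import { createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Constructed for this example: a real deployment loads SECRET_KEY from configuration.
const SECRET_KEY = randomBytes(32);
const b64url = (buf: Buffer): string => buf.toString("base64url");
const now = (): number => Math.floor(Date.now() / 1000);

// S256 PKCE (RFC 7636): code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
function s256Challenge(verifier: string): string {
  return b64url(createHash("sha256").update(verifier, "ascii").digest());
}

function constantTimeEqual(a: string, b: string): boolean {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && timingSafeEqual(x, y);
}

// Claims carried by every HS256 token in this model (assumed shape): typ separates codes from
// access/refresh tokens, version pins the token to the consent version it was issued under.
interface Claims {
  typ: "code" | "access" | "refresh";
  sub: string;
  consentId: string;
  version: number;
  exp: number;
  challenge?: string; // only on authorization codes
}

// Stand-ins for signJWT / verifyJWT: compact JWS, HS256 over SECRET_KEY.
function signJWT(claims: Claims): string {
  const header = b64url(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const payload = b64url(Buffer.from(JSON.stringify(claims)));
  const sig = b64url(createHmac("sha256", SECRET_KEY).update(`${header}.${payload}`).digest());
  return `${header}.${payload}.${sig}`;
}

function verifyJWT(token: string): Claims | null {
  const [header, payload, sig] = token.split(".");
  if (!header || !payload || !sig) return null;
  const expected = b64url(createHmac("sha256", SECRET_KEY).update(`${header}.${payload}`).digest());
  if (!constantTimeEqual(sig, expected)) return null;
  try {
    const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8")) as Claims;
    return claims.exp > now() ? claims : null;
  } catch {
    return null; // payload was not valid JSON
  }
}

// In-memory stand-in for the stored consents.
interface Consent { sub: string; scopes: string[]; version: number }
const consents = new Map<string, Consent>();
const usedCodes = new Set<string>(); // authorization codes are single-use in this example

function grantConsent(consentId: string, sub: string, scopes: string[]): void {
  consents.set(consentId, { sub, scopes, version: 1 });
}

function generateAuthorizationCode(consentId: string, codeChallenge: string, method: string): string {
  if (method !== "S256") throw new Error("only S256 code_challenge_method is accepted");
  const consent = consents.get(consentId);
  if (!consent) throw new Error("unknown consent");
  // The code is itself an HS256 JWT that carries the challenge it must be redeemed against.
  return signJWT({ typ: "code", sub: consent.sub, consentId, version: consent.version, exp: now() + 60, challenge: codeChallenge });
}

interface TokenResponse { access_token: string; refresh_token?: string; token_type: "Bearer" }

function exchangeToken(code: string, codeVerifier: string): TokenResponse | null {
  const claims = verifyJWT(code);
  if (!claims || claims.typ !== "code" || !claims.challenge || usedCodes.has(code)) return null;
  if (!constantTimeEqual(s256Challenge(codeVerifier), claims.challenge)) return null;
  const consent = consents.get(claims.consentId);
  if (!consent) return null;
  usedCodes.add(code);
  consent.version += 1; // every exchange bumps the version, invalidating tokens from earlier exchanges
  const base = { sub: consent.sub, consentId: claims.consentId, version: consent.version };
  const response: TokenResponse = {
    access_token: signJWT({ ...base, typ: "access", exp: now() + 3600 }),
    token_type: "Bearer",
  };
  // Refresh tokens only when the consent carries offline_access.
  if (consent.scopes.includes("offline_access")) {
    response.refresh_token = signJWT({ ...base, typ: "refresh", exp: now() + 30 * 86400 });
  }
  return response;
}

function verifyAccessToken(token: string): Claims | null {
  const claims = verifyJWT(token);
  if (!claims || claims.typ !== "access") return null;
  const consent = consents.get(claims.consentId);
  // A token whose version lags the consent's current version predates a later exchange: treat it as revoked.
  return consent && consent.version === claims.version ? claims : null;
}
```

The version check in `verifyAccessToken` is what makes "revokes previously issued tokens" cheap: nothing is written to a deny list, the consent's current version is simply compared against the one baked into the token.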
## Routes

Read each file for exact request/response shapes:

| Route file | Responsibility |
|---|---|
| `routes/.well-known.ts` | OAuth2 / OpenID discovery metadata. |
| `routes/oauth.ts` | authorize, consent, token, revoke, and JWKS endpoints. |
| `routes/oauthClients.ts` | CRUD over registered OAuth clients. |
The client secret is hidden in responses. Confidential clients authenticate via HTTP Basic at the token and revoke endpoints. See `schemas/oauthClient.ts` and `schemas/oauthConsent.ts` for the stored fields.

`resourceGrantSchema` (exported from `schemas/oauthConsent.ts`) maps a tenant id to granted scopes, and is reused by both OAuth consents and API keys to scope access per tenant.
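As an added example (not thunder-core's code), the block below shows the two points made in the last two paragraphs: HTTP Basic authentication of a confidential client at the token/revoke endpoints with the secret kept out of every response, and a per-tenant scope check over a grants object shaped like `resourceGrantSchema`. The `StoredClient` record, the hashed-secret storage, and the `Record<tenantId, scope[]>` shape for grants are assumptions of this example; the real fields live in `schemas/oauthClient.ts` and `schemas/oauthConsent.ts`.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Assumed client record for this example; the real stored fields are in schemas/oauthClient.ts.
interface StoredClient { clientId: string; name: string; confidential: boolean; secretHash: Buffer }
type PublicClient = Omit<StoredClient, "secretHash">;

const clients = new Map<string, StoredClient>();

// Secrets are stored hashed, so a database read never yields a usable credential.
function hashSecret(secret: string): Buffer {
  return createHash("sha256").update(secret, "utf8").digest();
}

// Response shape: every field except the secret hash.
function toPublic(c: StoredClient): PublicClient {
  return { clientId: c.clientId, name: c.name, confidential: c.confidential };
}

// Registers a confidential client. The plaintext secret is returned once, at creation, and never stored.
function registerClient(name: string): { client: PublicClient; clientSecret: string } {
  const clientId = randomBytes(8).toString("hex");
  const clientSecret = randomBytes(32).toString("base64url");
  const record: StoredClient = { clientId, name, confidential: true, secretHash: hashSecret(clientSecret) };
  clients.set(clientId, record);
  return { client: toPublic(record), clientSecret };
}

// RFC 6749 §2.3.1: "client_id:client_secret", each form-urlencoded, then base64 in an HTTP Basic header.
function parseBasicAuth(header: string | undefined): { clientId: string; clientSecret: string } | null {
  const m = header ? /^Basic\s+([A-Za-z0-9+/]+=*)$/.exec(header) : null;
  const b64 = m?.[1];
  if (!b64) return null;
  const decoded = Buffer.from(b64, "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  if (sep < 0) return null;
  try {
    return {
      clientId: decodeURIComponent(decoded.slice(0, sep)),
      clientSecret: decodeURIComponent(decoded.slice(sep + 1)),
    };
  } catch {
    return null; // malformed percent-encoding
  }
}

// Stand-in for validateConfidentialClient: returns the client only when the Basic credentials check out.
function validateConfidentialClient(authorizationHeader: string | undefined): PublicClient | null {
  const creds = parseBasicAuth(authorizationHeader);
  if (!creds) return null;
  const client = clients.get(creds.clientId);
  // Compare against a dummy hash for unknown ids so the work done does not reveal whether the id exists.
  const expected = client ? client.secretHash : hashSecret("");
  const ok = timingSafeEqual(hashSecret(creds.clientSecret), expected);
  return ok && client && client.confidential ? toPublic(client) : null;
}

// resourceGrantSchema maps a tenant id to its granted scopes; assumed here as a plain object keyed by tenant id.
type ResourceGrants = Record<string, string[]>;

function hasTenantScope(grants: ResourceGrants, tenantId: string, scope: string): boolean {
  // Own-property check: a tenant id such as "constructor" must not resolve through Object.prototype.
  if (!Object.prototype.hasOwnProperty.call(grants, tenantId)) return false;
  const scopes = grants[tenantId];
  return Array.isArray(scopes) && scopes.includes(scope);
}
```

`hasTenantScope` applies equally to a consent's grants and to an API key's grants, which is the reuse the paragraph above describes; the own-property check matters because tenant ids arrive from the request.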