Configuration for the OAuth2 authorization-code + PKCE provider produced by oauth2. Only WebCrypto is used for PKCE (Node ≥20 exposes globalThis.crypto); no new hard dependencies are introduced.

interface OAuth2Config {
    authorizationEndpoint: string;
    clientId: string;
    clockSkewMs?: number;
    extraAuthorizationParams?: Record<string, string>;
    extraTokenParams?: Record<string, string>;
    fetchFn?: {
        (input: URL | RequestInfo, init?: RequestInit): Promise<Response>;
        (input: string | URL | Request, init?: RequestInit): Promise<Response>;
    };
    mode?: OAuth2SignInMode;
    onEvent?: HonuaAuthEventListener;
    popupFeatures?: string;
    redirectUri: string;
    revocationEndpoint?: string;
    scopes?: readonly string[];
    serviceKey?: string;
    store?: CredentialStore;
    tokenEndpoint: string;
    windowRef?: Window;
}

Properties

authorizationEndpoint: string

Authorization endpoint (where the browser is redirected to sign in).

clientId: string

Public client identifier.

clockSkewMs?: number

Clock-skew tolerance in milliseconds. A credential is treated as expiring this long before its real expiry so a refresh happens before requests fail. Defaults to 60_000.

extraAuthorizationParams?: Record<string, string>

Extra query params appended to the authorization request.

extraTokenParams?: Record<string, string>

Extra body params appended to token/refresh requests.

fetchFn?: {
    (input: URL | RequestInfo, init?: RequestInit): Promise<Response>;
    (input: string | URL | Request, init?: RequestInit): Promise<Response>;
}

Override fetch (Node/tests). Defaults to globalThis.fetch.

Type declaration

    • (input, init?): Promise<Response>
    • Parameters

      • input: URL | RequestInfo
      • Optionalinit: RequestInit

      Returns Promise<Response>

    • (input, init?): Promise<Response>
    • Parameters

      • input: string | URL | Request
      • Optionalinit: RequestInit

      Returns Promise<Response>

Interactive mode. Defaults to redirect.

Auth lifecycle listener.

popupFeatures?: string

Popup window features string (popup mode).

redirectUri: string

Registered redirect URI that receives the authorization code+state.

revocationEndpoint?: string

Optional revocation endpoint (RFC 7009) called on signOut().

scopes?: readonly string[]

Requested scopes.

serviceKey?: string

Stable key that scopes stored credentials to this service. Defaults to ${clientId}@${origin of tokenEndpoint} so tokens are never shared across services or origins.

Credential store. Defaults to an in-memory store. Scoped per origin/service via OAuth2Config.serviceKey.

tokenEndpoint: string

Token endpoint (code exchange + refresh).

windowRef?: Window

Window used for redirect/popup + transaction persistence. Defaults to globalThis.window. Injectable for tests / non-DOM hosts.