OAuth3 Playground


JavaScript Framework

(yes, real ES5.1 that runs in a web browser, even on Android)
(no framework)

var OAUTH3 = require('oauth3.org');
<script src="/assets/oauth3.org/oauth3.core.js"></script>
<script src="/assets/oauth3.org/oauth3.crypto.js"></script>
<script src="/assets/oauth3.org/oauth3.issuer.js"></script>
<script src="/assets/oauth3.org/oauth3.ng.js"></script>

Client URI:
(this is the URL of the application as per window.location.href)
OAUTH3.clientUri({ host: "", port: null, pathname: '/' });

(this is either the subject portion or whole address of subject@issuer)

Issuer URI:
(this is the URL part of subject@issuer)

Directives Discovery:
(this is how we learn whether a server supports oauth3 and to what extent)
OAUTH3.urls.discover("", opts);
OAUTH3.discover("", opts);

(these are used to look up the descriptions of grant permissions)
  • desc
OAUTH3.urls.scope(directives, opts);
OAUTH3.discoverScopes(directives, opts);

Authorization Dialog URL
(this is what opens the login dialog box with the checkboxes and such)
OAUTH3.urls.implicitGrant(directives, opts);
OAUTH3.implicitGrant(directives, opts);

Refresh Token URL
(This is the URL of the iFrame that completes token refreshes. And it occurs over iFrame rather than API so that no server is required.)
OAUTH3.urls.refreshToken(directives, opts);
OAUTH3.refreshToken(directives, opts);

Logout Dialog URL
(this is what opens the logout dialog)
OAUTH3.urls.logout(directives, opts);
OAUTH3.logout(directives, opts);

1st Party and App Login

Credential Meta URL
(Not implemented... anymore)
(this is the endpoint that reports if the user exists and what their proof-strategy is)
OAUTH3.authn.loginMeta(directives, { email: "" });

Credential OTP URL
(this is the URL that sends your one-time password via email)
OAUTH3.authn.otp(directives, { email: "" });

Resource Owner Password URL
(this is the URL that native apps and APIs use to login)
(it's also a bit of a misnomer, it should be *proof* rather than password)

OAUTH3.urls.resourceOwnerPassword(directives, opts);

OAUTH3.authn.resourceOwnerPassword(directives, opts);

(this is the object that contains metadata about the session, including the access token itself)

(this is the profile object)


Access Token
(this is the access token)

Token Issuer's Public Key
(not implemented)
(this is the URL that inspects and verifies the token)
OAUTH3.authn.jwk(directives, token);

Verify JWT
(not implemented)
(ppids can be verified via the public key of the issuer)

OAUTH3.jwt.verify(token, jwk);

Exchange Opaque Token
(not implemented)
(Opaque tokens are issued server-side, like a traditional OAuth2 token, and do not contain a subject and, therefore, cannot identify a user directly. They may be used by multiple audiences client-side, but must be exchanged by authorized parties for a ppid access token to verify identity server-side. They can be refreshed without changing the JTI.)
OAUTH3.authz.exchange(directives, token);

Approved Apps
(these are the public keys generated on remember-me devices and the opaque tokens issued to remember-me-not devices)

OAUTH3.urls.grants(directives, opts);
OAUTH3.authz.grants(directives, opts);

Live API

These are the methods that are actually present on the OAUTH3 object.


0. Include the Library

  // Browsers
  <script src="oauth3.core.js"></script>
  var OAUTH3 = window.OAUTH3;

  // Node.js
  var OAUTH3 = require('oauth3.js').OAUTH3;

1. Establish the Client ID by its URI

  // Browsers
  var clientUri = OAUTH3.clientUri(window.location); // example.com

  // Node.js
  var clientUri = OAUTH3.clientUri("https://example.com"); // example.com

2. Provide promisable storage hooks for saving sessions and caching directives

  // Every hook returns a Promise (or a thenable); bodies are elided here
  OAUTH3._hooks = {
    directives: {
        get: function (providerUri) { /* ... */ }
      , set: function (providerUri, directives) { /* ... */ }
      , all: function () { /* ... */ }
      , clear: function () { /* ... */ }
    }
  , sessions: {
        get: function (providerUri, id) { /* ... */ }
      , set: function (providerUri, newSession, id) { /* ... */ }
      , all: function (providerUri) { /* ... */ }
      , clear: function (providerUri) { /* ... */ }
    }
  };

SECURITY: The default storage engine is window.sessionStorage. Session storage should be used for app:// urls and localhost urls and other applications in which the identity of the app is ephemeral, arbitrary, or not distinct.

3. Check to see if the user already has a session

  OAUTH3.hooks.session.get(providerUri).then(function (session) {
    console.log('[DEBUG] session:', session);
  });
  OAUTH3.hooks.session.all().then(function (sessions) {
    console.log('[DEBUG] all sessions:', sessions);
  });

Note: expired sessions should not be returned and stale sessions should be refreshed

4. Prompt the user for their address and perform the lookup to see if it has a provider.

  // `address` is whatever the user typed (subject@issuer or a bare issuer)
  var providerUri = address.split('@')[1] || address;
  var opts = { client_uri: clientUri };
  OAUTH3.discover(providerUri, opts).then(function (dir) {
    console.log('[DEBUG] directives:', dir);
  });
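As an added example that is not the OAuth3 library's own code: a promisable hooks object with the shape step 2 describes, backed by a constructed in-memory store (a stand-in for window.sessionStorage) that never hands back expired sessions, as the note on step 3 requires. The `expires_at` field (epoch milliseconds), the `id` on a session and the injectable `now` clock are assumptions made for this example.

```javascript
'use strict';
// Constructed in-memory store standing in for window.sessionStorage; `now` is injectable for testing.
function createHooks(store, now) {
  store = store || {};
  now = now || function () { return Date.now(); };
  function key(kind, providerUri, id) {
    return kind + ':' + providerUri + (id ? ':' + id : '');
  }
  // Live means no expiry or an expiry (assumed field `expires_at`, epoch ms)
  // still in the future; expired sessions are never handed back (step 3 note).
  function isLive(session) {
    return !!session && (!session.expires_at || session.expires_at > now());
  }
  function keysWithPrefix(prefix) {
    return Object.keys(store).filter(function (k) { return k.indexOf(prefix) === 0; });
  }
  function liveSessions(providerUri) {
    return keysWithPrefix(key('session', providerUri) + ':')
      .map(function (k) { return store[k]; }).filter(isLive);
  }
  var directives = {
    get: function (providerUri) { return Promise.resolve(store[key('dir', providerUri)] || null); },
    set: function (providerUri, dir) { store[key('dir', providerUri)] = dir; return Promise.resolve(dir); },
    all: function () {
      var out = {};
      keysWithPrefix('dir:').forEach(function (k) { out[k.slice(4)] = store[k]; });
      return Promise.resolve(out);
    },
    clear: function () { keysWithPrefix('dir:').forEach(function (k) { delete store[k]; }); return Promise.resolve(); }
  };
  var sessions = {
    // With an id, fetch that session; without one, the first live session for the provider.
    get: function (providerUri, id) {
      var s = id ? store[key('session', providerUri, id)] : liveSessions(providerUri)[0];
      return Promise.resolve(isLive(s) ? s : null);
    },
    set: function (providerUri, newSession, id) {
      store[key('session', providerUri, id || newSession.id)] = newSession;
      return Promise.resolve(newSession);
    },
    all: function (providerUri) { return Promise.resolve(liveSessions(providerUri)); },
    clear: function (providerUri) {
      keysWithPrefix(key('session', providerUri) + ':').forEach(function (k) { delete store[k]; });
      return Promise.resolve();
    }
  };
  return { directives: directives, sessions: sessions };
}
```

In a browser, pass an object that reads and writes window.sessionStorage in place of the plain object; the promise shape stays the same.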