OAuth 2.0 and OpenID Connect authentication for Harper applications. Supports GitHub, Google, Azure AD, Auth0, and custom OIDC providers with automatic token refresh and lifecycle hooks for user provisioning.
- Multi-provider support - GitHub, Google, Azure AD, Auth0, and custom OIDC providers
- Automatic token refresh - Proactive token renewal on every request
- Lifecycle hooks - Extensible hooks for user provisioning and custom logic
- CSRF protection - Distributed token storage for cluster support
- ID token verification - Full OIDC support with signature validation
- Zero configuration - Works with Harper's session system automatically
npm install @harperdb/oauthAdd to your config.yaml:
'@harperdb/oauth':
package: '@harperdb/oauth'
providers:
github:
clientId: ${OAUTH_GITHUB_CLIENT_ID}
clientSecret: ${OAUTH_GITHUB_CLIENT_SECRET}export OAUTH_GITHUB_CLIENT_ID="your-client-id"
export OAUTH_GITHUB_CLIENT_SECRET="your-client-secret"Set your OAuth callback URL in your provider settings:
https://your-domain/oauth/github/callback
Create or update users when they log in:
// resources.ts
import { registerHooks } from '@harperdb/oauth';
registerHooks({
onLogin: async (oauthUser, tokenResponse, session, request, provider) => {
const { User } = tables;
// Find or create user
let user;
for await (const existing of User.search({ email: oauthUser.email })) {
user = existing;
break;
}
if (!user) {
user = await User.create({
email: oauthUser.email,
name: oauthUser.name,
provider: provider,
});
}
return { user: String(user.id) };
},
});
// Export your resources...Navigate to:
http://localhost:9926/oauth/github/login
Access authenticated user in your resources:
export class MyResource extends tables.Resource {
async get(target, request) {
if (!request.session?.user) {
throw new ClientError('Not authenticated', 401);
}
return {
userId: request.session.user,
email: request.session.oauthUser.email,
};
}
}- GitHub - OAuth 2.0
- Google - OpenID Connect
- Azure AD - OpenID Connect
- Auth0 - OpenID Connect
- Custom - Generic OIDC provider
The plugin automatically handles:
- OAuth Flow - Redirects to provider, handles callback, exchanges code for tokens
- Token Management - Validates and refreshes tokens on every HTTP request
- Session Integration - Stores OAuth data in Harper sessions
- CSRF Protection - Validates state parameter using distributed token storage
- Auto-logout - Clears session when tokens expire and can't be refreshed
Complete documentation is available in the docs directory:
- Getting Started - Installation and quick start guide
- Configuration - Complete configuration reference
- OAuth Providers - Provider setup guides
- Lifecycle Hooks - User provisioning and custom logic
- API Reference - Endpoints and programmatic API
npm install
npm run buildnpm test
npm run test:coveragenpm run lint
npm run format:check
npm run format:writeThe plugin creates a csrf_tokens table for CSRF protection:
type CSRFToken @table {
token: string @key
sessionId: string
provider: string
originalUrl: string
createdAt: number
expiresAt: number @index
}Tokens automatically expire after 10 minutes.
- HTTPS required - OAuth requires HTTPS in production
- CSRF protection - Automatic via state parameter validation
- ID token verification - OIDC providers verify token signatures
- Secure sessions - Use Harper's secure session configuration
- Token storage - Tokens stored in session (configure secure cookies)
Enable debug endpoints for testing:
'@harperdb/oauth':
debug: true
providers:
github:
clientId: ${OAUTH_GITHUB_CLIENT_ID}
clientSecret: ${OAUTH_GITHUB_CLIENT_SECRET}Debug endpoints:
GET /oauth/- List configured providersGET /oauth/test- Interactive test pageGET /oauth/{provider}/user- View current sessionGET /oauth/{provider}/refresh- Trigger token refresh
Warning: Never enable debug mode in production.
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
Copyright 2025 HarperDB, Inc.