This is a TypeScript library that implements the provider side of the OAuth 2.1 protocol with PKCE support. The library is intended to be used on Cloudflare Workers.
A Worker that uses the library might look like this:
import { OAuthProvider } from '@cloudflare/workers-oauth-provider';
import { WorkerEntrypoint } from 'cloudflare:workers';
// We export the OAuthProvider instance as the entrypoint to our Worker. This means it
// implements the `fetch()` handler, receiving all HTTP requests.
export default new OAuthProvider({
// Configure API routes. Any requests whose URL starts with any of these prefixes will be
// considered API requests. The OAuth provider will check the access token on these requests,
// and then, if the token is valid, send the request to the API handler.
// You can provide:
// - A single route (string) or multiple routes (array)
// - Full URLs (which will match the hostname) or just paths (which will match any hostname)
apiRoute: [
'/api/', // Path only - will match any hostname
'https://api.example.com/', // Full URL - will check hostname
],
// When the OAuth system receives an API request with a valid access token, it passes the request
// to this handler object's fetch method.
// You can provide either an object with a fetch method (ExportedHandler)
// or a class extending WorkerEntrypoint.
apiHandler: ApiHandler, // Using a WorkerEntrypoint class
// For multi-handler setups, you can use apiHandlers instead of apiRoute+apiHandler.
// This allows you to use different handlers for different API routes.
// Note: You must use either apiRoute+apiHandler (single-handler) OR apiHandlers (multi-handler), not both.
// Example:
// apiHandlers: {
// "/api/users/": UsersApiHandler,
// "/api/documents/": DocumentsApiHandler,
// "https://api.example.com/": ExternalApiHandler,
// },
// Any requests which aren't API request will be passed to the default handler instead.
// Again, this can be either an object or a WorkerEntrypoint.
defaultHandler: defaultHandler, // Using an object with a fetch method
// This specifies the URL of the OAuth authorization flow UI. This UI is NOT implemented by
// the OAuthProvider. It is up to the application to implement a UI here. The only reason why
// this URL is given to the OAuthProvider is so that it can implement the RFC-8414 metadata
// discovery endpoint, i.e. `.well-known/oauth-authorization-server`.
// Can also be specified as just a path (e.g., "/authorize").
authorizeEndpoint: 'https://example.com/authorize',
// This specifies the OAuth 2 token exchange endpoint. The OAuthProvider will implement this
// endpoint (by directly responding to requests with a matching URL).
// Can also be specified as just a path (e.g., "/oauth/token").
tokenEndpoint: 'https://example.com/oauth/token',
// This specifies the RFC-7591 dynamic client registration endpoint. This setting is optional,
// but if provided, the OAuthProvider will implement this endpoint to allow dynamic client
// registration.
// Can also be specified as just a path (e.g., "/oauth/register").
clientRegistrationEndpoint: 'https://example.com/oauth/register',
// Optional list of scopes supported by this OAuth provider.
// If provided, this will be included in the RFC 8414 metadata as 'scopes_supported'.
// If not provided, the 'scopes_supported' field will be omitted from the metadata.
scopesSupported: ['document.read', 'document.write', 'profile'],
// Optional: Controls whether the OAuth implicit flow is allowed.
// The implicit flow is discouraged in OAuth 2.1 but may be needed for some clients.
// Defaults to false.
allowImplicitFlow: false,
// Optional: Controls whether the plain PKCE code_challenge_method is allowed.
// OAuth 2.1 recommends using S256 exclusively as plain offers no cryptographic protection.
// When false, only S256 is accepted and advertised in the metadata endpoint.
// Defaults to true for backward compatibility.
allowPlainPKCE: true,
// Optional: Controls whether public clients (clients without a secret, like SPAs)
// can register via the dynamic client registration endpoint.
// When true, only confidential clients can register.
// Note: Creating public clients via the OAuthHelpers.createClient() method
// is always allowed regardless of this setting.
// Defaults to false.
disallowPublicClientRegistration: false,
// Optional: Time-to-live for refresh tokens in seconds.
// Defaults to 30 days (2,592,000 seconds).
// Set to 0 to disable refresh tokens (only access tokens will be issued).
// Set to `undefined` explicitly for refresh tokens that never expire.
refreshTokenTTL: 2592000, // 30 days (the default)
// Optional: Time-to-live for access tokens in seconds.
// Defaults to 1 hour (3600 seconds) if not specified.
accessTokenTTL: 3600,
// Optional: Time-to-live for dynamically registered clients in seconds.
// Defaults to 90 days (7,776,000 seconds).
// Clients created via OAuthHelpers.createClient() are not affected.
// Set to `undefined` explicitly for clients that never expire.
clientRegistrationTTL: 7776000, // 90 days (the default)
// Optional: Controls whether OAuth 2.0 Token Exchange (RFC 8693) is allowed.
// When false, the token exchange grant type will not be advertised in metadata
// and token exchange requests will be rejected.
// Defaults to false.
allowTokenExchangeGrant: false,
// Optional: Experimental MCP Enterprise-Managed Authorization support.
// When enabled, the token endpoint accepts ID-JAG JWTs with the JWT bearer grant.
enterpriseManagedAuthorization: undefined,
// Optional: Explicitly enable Client ID Metadata Document (CIMD) support.
// When true, URL-formatted client_ids will be fetched as metadata documents.
// Requires the 'global_fetch_strictly_public' compatibility flag.
// See the CIMD section below for details. Defaults to false.
clientIdMetadataDocumentEnabled: false,
});
// The default handler object - the OAuthProvider will pass through HTTP requests to this object's fetch method
// if they aren't API requests or do not have a valid access token
const defaultHandler = {
// This fetch method works just like a standard Cloudflare Workers fetch handler
//
// The `request`, `env`, and `ctx` parameters are the same as for a normal Cloudflare Workers fetch
// handler, and are exactly the objects that the `OAuthProvider` itself received from the Workers
// runtime.
//
// The `env.OAUTH_PROVIDER` provides an API by which the application can call back to the
// OAuthProvider.
async fetch(request: Request, env, ctx) {
let url = new URL(request.url);
if (url.pathname == '/authorize') {
// This is a request for our OAuth authorization flow UI. It is up to the application to
// implement this. However, the OAuthProvider library provides some helpers to assist.
// `env.OAUTH_PROVIDER.parseAuthRequest()` parses the OAuth authorization request to extract the parameters
// required by the OAuth 2 standard, namely response_type, client_id, redirect_uri, scope, and
// state. It returns an object containing all these (using idiomatic camelCase naming).
let oauthReqInfo = await env.OAUTH_PROVIDER.parseAuthRequest(request);
// `env.OAUTH_PROVIDER.lookupClient()` looks up metadata about the client, as definetd by RFC-7591. This
// includes things like redirect_uris, client_name, logo_uri, etc.
let clientInfo = await env.OAUTH_PROVIDER.lookupClient(oauthReqInfo.clientId);
// At this point, the application should use `oauthReqInfo` and `clientInfo` to render an
// authorization consent UI to the user. The details of this are up to the app so are not
// shown here.
// After the user has granted consent, the application calls `env.OAUTH_PROVIDER.completeAuthorization()` to
// grant the authorization.
let { redirectTo } = await env.OAUTH_PROVIDER.completeAuthorization({
// The application passes back the original OAuth request info that was returned by
// `parseAuthRequest()` earlier.
request: oauthReqInfo,
// The application must specify the user's ID, which is some sort of string. This is needed
// so that the application can later query the OAuthProvider to enumerate all grants
// belonging to a particular user, e.g. to implement an audit and revocation UI.
userId: '1234',
// The application can specify some arbitary metadata which describes this grant. The
// metadata can contain any JSON-serializable content. This metadata is not used by the
// OAuthProvider, but the application can read back the metadata attached to specific
// grants when enumerating them later, again e.g. to implement an udit and revocation UI.
metadata: { label: 'foo' },
// The application specifies the list of OAuth scope identifiers that were granted. This
// may or may not be the same as was requested in `oauthReqInfo.scope`.
scope: ['document.read', 'document.write'],
// `props` is an arbitrary JSON-serializable object which will be passed back to the API
// handler for every request authorized by this grant.
props: {
userId: 1234,
username: 'Bob',
},
});
// `completeAuthorization()` will have returned the URL to which the user should be redirected
// in order to complete the authorization flow. This is the requesting client's OAuth
// redirect_uri with the appropriate query parameters added to complete the flow and obtain
// tokens.
return Response.redirect(redirectTo, 302);
}
// ... the application can implement other non-API HTTP endpoints here ...
return new Response('Not found', { status: 404 });
},
};
// The API handler object - the OAuthProivder will pass authorized API requests to this object's fetch method
// (because we provided it as the `apiHandler` setting, above). This is ONLY called for API requests
// that had a valid access token.
class ApiHandler extends WorkerEntrypoint {
// This fetch method works just like any other WorkerEntrypoint fetch method. The `request` is
// passed as a parameter, while `env` and `ctx` are available as `this.env` and `this.ctx`.
//
// The `this.env.OAUTH_PROVIDER` is available just like in the default handler.
//
// The `this.ctx.props` property contains the `props` value that was passed to
// `env.OAUTH_PROVIDER.completeAuthorization()` during the authorization flow that authorized this client.
fetch(request: Request) {
// The application can implement its API endpoints like normal. This app implements a single
// endpoint, `/api/whoami`, which returns the user's authenticated identity.
let url = new URL(request.url);
if (url.pathname == '/api/whoami') {
// Since the username is embedded in `ctx.props`, which came from the access token that the
// OAuthProivder already verified, we don't need to do any other authentication steps.
return new Response(`You are authenticated as: ${this.ctx.props.username}`);
}
return new Response('Not found', { status: 404 });
}
}
By default, completeAuthorization() revokes existing grants for the same user and client after storing the new
grant. This prevents stale tokens from continuing to use old props after a user re-authorizes. Set
revokeExistingGrants: false only if your application intentionally allows multiple concurrent grants for the same
user and client.
For users with many grants, revokeExistingGrantsBatchSize controls the KV page size used while scanning existing
grants for revocation. It defaults to 50, must be a positive integer, and is capped at Cloudflare KV's maximum page
size of 1000.
This implementation requires that your worker is configured with a Workers KV namespace binding called OAUTH_KV, which is used to store token information. See the file storage-schema.md for details on the schema of this namespace.
The env.OAUTH_PROVIDER object available to the fetch handlers provides some methods to query the storage, including:
lookupClient(), already shown in the example code).Note that deleteClient() cascades: it revokes all grants (and their associated tokens) for the deleted client across all users.
See the OAuthHelpers interface definition for full API details.
This library allows you to update the props value during token exchanges by configuring a callback function. This is useful for scenarios where the application needs to perform additional processing when tokens are issued or refreshed.
For example, if your application is also a client to some other OAuth API, you might want to perform an equivalent upstream token exchange and store the result in the props. The callback can be used to update the pr
$ claude mcp add workers-oauth-provider \
-- python -m otcore.mcp_server <graph>