Gurant is an OAuth 2.0 provider built with Typescript/NodeJS. It is an authorization framework based on the OAuth 2.0 Specification.
Additionally, it also has a built-in authentication using Firebase. Currently, it is opinionated and will only support Firebase.
Lastly, this project uses Hasura's GrahpQL Engine for handling database queries and mutations. That would also mean that Gurant is database agnostic as long as Hasura supports it.
CRYPTO_SECRET_KEY=
CRYPTO_INIT_VECTOR=
FIREBASE_PROJECT_ID=
FIREBASE_DATABASE_URL=
FIREBASE_CLIENT_EMAIL=
FIREBASE_PRIVATE_KEY=
HASURA_ADMIN_SECRET=
JWT_PUBLIC_KEY=
JWT_PRIVATE_KEY=Change the GraphQL Endpoint (https://gurant.hasura.app/v1/graphql) in the codegen.config.js to the GraphQL Endpoint of your Hasura Project.
Fetches the resource owner's profile details.
| property | type | description |
|---|---|---|
id |
string | the resource owner's identifier |
created_at |
timestamp | timestamp when the resource is created |
updated_at |
timestamp | timestamp when the resource is updated |
display_name |
string | the resource owner's display name |
email |
string | the resource owner's email |
client_live |
object | refer to the table below |
client_test |
object | refer to the table below |
| property | type | description |
|---|---|---|
id |
string | the client identifier |
created_at |
timestamp | timestamp when the resource is created |
updated_at |
timestamp | timestamp when the resource is updated |
secret |
string | the client secret |
is_live |
boolean | determines whether the credentias is for a live or test enviroment |
redirect_uri |
string | the client's redirect enpoint |
Register clients after the user has been registed. Requires the user's Firebase token to their info.
| property | type | description |
|---|---|---|
redirect_uri |
string | the user specified redirect enpoint |
| property | type | description |
|---|---|---|
id |
string | the resource owner's identifier |
created_at |
timestamp | timestamp when the resource is created |
updated_at |
timestamp | timestamp when the resource is updated |
display_name |
string | the resource owner's display name |
email |
string | the resource owner's email |
client_live_id |
string | the resource owner's live client identifier |
client_test_id |
string | the resource owner's test client identifier |
Update the specified client's redirect endpoint, requires Firebase token for authorization.
| property | type | description |
|---|---|---|
redirect_uri |
string * | The new redirect enpoint for the client |
| property | type | description |
|---|---|---|
id |
string | the updated client's client identifier |
redirect_uri |
string | the new redirect enpoint for the client |
Retrieve the authrization code after the authorization grant, requires Firebase token authorization.
| property | type | description |
|---|---|---|
response_type |
string * | value MUST be code |
client_id |
string * | the registered client's client identifier |
redirect_url |
string * | value MUST be the same with the client's redirect_url |
scope |
string * | the scope of which the authorization is applicable |
state |
string | additional state to be passed, could be user info |
The response is the redirect url injected with the parameters below
| property | type | description |
|---|---|---|
code |
string | the authorization code that'll be exchanged to the access token |
state |
string | value MUST be the same with state parameter passed in the request |
This endpoint is responsible for generating tokens using the previously generated authorization code.
This also requires client authentication (HTTP Basic Auth).
The generated access and refresh tokens comply with the JSON Web Token (JWT) Specification.
| property | type | description |
|---|---|---|
grant_type |
string * | the type of request in how the access token should be generated, value MUST be authorization_code |
code |
string * | the authorization code that'll be exchanged to the access token |
redirect_uri |
string * | the redirect enpoint used in the previous authorization grant |
client_id |
string * | the registered client's client identifier |
| property | type | description |
|---|---|---|
access_token |
string | the access token used to access protected resources |
refresh_token |
string | the refresh token used to refresh an access token |
scope |
string | the scope of which access is applicable |
expires_in |
number | the lifetime in seconds of the access token |
token_type |
string | the type of the access token, value is always bearer |
This endpoint is responsible for generating tokens using a refresh_token.
This also requires client authentication (HTTP Basic Auth).
| property | type | description |
|---|---|---|
grant_type |
string * | the type of request in how the access token should be generated, value MUST be refresh_token |
refresh_token |
string * | the refresh token used to refresh an access token |
| property | type | description |
|---|---|---|
access_token |
string | the access token used to access protected resources |
refresh_token |
string | the refresh token used to refresh an access token |
scope |
string | the scope of which access is applicable |
expires_in |
number | the lifetime in seconds of the access token |
token_type |
string | the type of the access token, value is always bearer |
Revoke an access token, requires client authentication (HTTP Basic Auth). This follows the OAuth 2.0 Token Revocation Specification
| property | type | description |
|---|---|---|
token |
string * | The token the client wants to revoke |
token_type_hint |
string * | A hint about the type of the token submitted for revocation. For now, the value MUST be access_token only |
| property | type | description |
|---|---|---|
status |
string | the HTTP status |
statusCode |
number | the HTTP status code |
This endpoint is used for health checks
| property | type | description |
|---|---|---|
status |
string | the HTTP status |
statusCode |
number | the HTTP status code |
This endpoint SHOULD NOT be exposed in production as it SHOULD only be used for debugging purposes.
Generates a secret_key and an initialization vector.
| property | type | description |
|---|---|---|
secret_key |
string | the raw key used by the algorithm and the initialization vector |
initialization_vector |
string | a cryptographically random 16 byte string |
This endpoint SHOULD NOT be exposed in production as it SHOULD only be used for debugging purposes.
Generates a public and private signed with the secp256r1 elliptic curve.
| property | type | description |
|---|---|---|
public_key |
string | the public key in a PEM format |
private_key |
string | the private key in a PEM format |
This endpoint SHOULD NOT be exposed in production as it SHOULD only be used for debugging purposes. Verifies and decodes a given JSON Web Token (JWT).
| property | type | description |
|---|---|---|
token |
string * | the token to be verified and decoded |
token_type_hint |
string * | the token's type, value could eiher be access_token or refresh_token |
| property | type | description |
|---|---|---|
decoded |
object | the value of the decoded token |
- Add tests :')