A server that handles step 2 of GitHub's OAuth web application flow (exchanging the temporary `code` for an access token, the step that needs the client secret) so your static, serverless applications can authorize with GitHub while keeping your client secrets secret.
For each GitHub OAuth App, set an environment variable whose name is `SECRET_` followed by the client ID (for example `SECRET_1234567890abcdef`) and whose value is the corresponding client secret (in Heroku this is done with Settings > Config Vars in your app dashboard). You can also set a `PORT` variable to change the port used. If not set, it will default to port 5000.
Run the server somewhere. Then to authenticate with it:

- Follow step 1 of GitHub's OAuth web application flow. GitHub redirects back to your app with `code` and `state` parameters. Before going further, check that `state` matches the value your app sent in step 1; that check is what protects the flow against CSRF.
- Make a `GET` request to the OAuth client. The path is your app's client ID, and the `code` and `state` should be passed as URL parameters.
- The server will respond with a JSON object with these fields. You probably just need the `token` field.
For example (top-level `await` needs an ES module script or an `async` function):

```js
const CLIENT_ID = '1234567890abcdef';
// GitHub appended code and state to the redirect URI in step 1; read them from the current URL.
const { code, state } = Object.fromEntries(new URLSearchParams(window.location.search));
// Ask the OAuth client (path = client ID) to exchange the code; the client secret is added server-side.
const params = new URLSearchParams({ code, state }).toString();
const response = await fetch(`https://my-oauth-client-url.com/${CLIENT_ID}?${params}`);
if (response.ok) {
  const { token } = await response.json();
  console.log('Access token:', token);
} else {
  console.error('Token exchange failed:', response.status);
}
```
The server supports the `code`, `redirect_uri`, and `state` parameters as described in step 2 of GitHub's OAuth web application flow.
This is based on github-secret-keeper and created because I couldn't get that to work.