OAuth3 Playground

Go ahead, test our login




Debug & Status Info:

JavaScript Framework

(yes, real runs-in-a-web-browser - and even on Android - ES5.1)
(no framework)

var OAUTH3 = require('oauth3.org');
<script src="/assets/oauth3.org/oauth3.core.js"></script>
<script src="/assets/oauth3.org/oauth3.crypto.js"></script>
<script src="/assets/oauth3.org/oauth3.issuer.js"></script>
<script src="/assets/oauth3.org/oauth3.ng.js"></script>


Client URI:
(this is the URL of the application as per window.location.href)
OAUTH3.clientUri({ host: "", port: null, pathname: '/' });


Subject:
(this is either the subject portion or whole address of subject@issuer)
address: 
subject: 
issuer: 


Issuer URI:
(this is the URL part of subject@issuer)


Directives Discovery:
(this is how we learn whether a server supports OAuth3, and to what extent)
OAUTH3.urls.discover("", opts);
OAUTH3.discover("", opts);


Scopes:
(these are used to look up the descriptions of grant permissions)
OAUTH3.urls.scope(directives, opts);
OAUTH3.discoverScopes(directives, opts);


Authorization Dialog URL
(this is what opens the login dialog box with the checkboxes and such)
OAUTH3.urls.implicitGrant(directives, opts);
OAUTH3.implicitGrant(directives, opts);


Refresh Token URL
(This is the URL of the iframe that completes token refreshes. The refresh happens through an iframe rather than through a server-side API call so that the client app needs no server of its own.)
OAUTH3.urls.refreshToken(directives, opts);
OAUTH3.refreshToken(directives, opts);


Logout Dialog URL
(this is what opens the logout dialog)
OAUTH3.urls.logout(directives, opts);
OAUTH3.logout(directives, opts);

1st Party and App Login



Credential Meta URL
(Not implemented... anymore)
(this is the endpoint that reports if the user exists and what their proof-strategy is)
OAUTH3.authn.loginMeta(directives, { email: "" });


Credential OTP URL
(this is the URL that sends your one-time password via email)
OAUTH3.authn.otp(directives, { email: "" });
 







Resource Owner Password URL
(this is the URL that native apps and APIs use to login)
(it's also a bit of a misnomer, it should be *proof* rather than password)

OAUTH3.urls.resourceOwnerPassword(directives, opts);
 


OAUTH3.authn.resourceOwnerPassword(directives, opts);


Session
(this is the object that contains metadata about the session, including the access token itself)





Access Token
(this is the access token)
OAUTH3.jwt.decode(token);


Token Issuer's Public Key
(not implemented)
(this is the URL that inspects and verifies the token)
OAUTH3.authn.jwk(directives, token);
 







Verify JWT
(not implemented)
(PPID tokens can be verified via the public key of the issuer)


OAUTH3.jwt.verify(token, jwk);


Exchange Opaque Token
(not implemented)
(Opaque tokens are issued server-side, like a traditional OAuth2 token, and do not contain a subject, so they cannot identify a user directly. They may be used by multiple audiences client-side, but must be exchanged by authorized parties for a PPID access token to verify identity server-side. They can be refreshed without changing the JTI.)
OAUTH3.authz.exchange(directives, token);
 







Approved Apps
(these are the public keys generated on remember-me devices and the opaque tokens issued to remember-me-not devices)

OAUTH3.urls.grants(directives, opts);
OAUTH3.authz.grants(directives, opts);
 









Docs

0. Include the Library

  // Browsers
  <script src="oauth3.core.js"></script>
  var OAUTH3 = window.OAUTH3;

  // Node.js
  var OAUTH3 = require('oauth3.js').OAUTH3;

1. Establish the Client ID by its URI

  // Browsers
  var clientUri = OAUTH3.clientUri(window.location); // example.com

  // Node.js
  var clientUri = OAUTH3.clientUri("https://example.com"); // example.com

2. Provide promisable storage hooks for saving sessions and caching directives

  // every hook returns a Promise
  OAUTH3._hooks = {
    directives: {
      get: function (providerUri) { /* ... */ }
    , set: function (providerUri, directives) { /* ... */ }
    , all: function () { /* ... */ }
    , clear: function () { /* ... */ }
    }
  , sessions: {
      get: function (providerUri, id) { /* ... */ }
    , set: function (providerUri, newSession, id) { /* ... */ }
    , all: function (providerUri) { /* ... */ }
    , clear: function (providerUri) { /* ... */ }
    }
  };

SECURITY: The default storage engine is window.sessionStorage. Session storage should be used for app:// URLs, localhost URLs, and other applications in which the identity of the app is ephemeral, arbitrary, or not distinct.

3. Check to see if the user already has a session

  OAUTH3.hooks.session.get(providerUri).then(function (session) {
    console.log('[DEBUG] session:');
    console.log(session);
  });
  OAUTH3.hooks.session.all().then(function (sessions) {
    console.log('[DEBUG] all sessions:');
    console.log(sessions);
  });

Note: expired sessions should not be returned, and stale sessions should be refreshed.
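One way to implement the storage hooks of step 2 so that they honour the note in step 3, as an added example that is not the library's own code: the hooks wrap any Web Storage-style object (sessionStorage in a browser, a small in-memory shim here so it runs in Node), and a session's `expires_at` field (an assumption of this example) decides whether `get()` and `all()` return it.

```javascript
// Added example (not the library's own code): storage hooks backed by any
// Web Storage-style object (getItem/setItem/removeItem/key/length), with a
// "dir:" namespace for directives and "sess:" for sessions. expires_at (ms
// since epoch) on a session is this example's assumption; expired ones are skipped.
function memoryStorage() {                      // tiny Web Storage shim so this runs in Node
  var m = {};
  return {
    getItem: function (k) { return Object.prototype.hasOwnProperty.call(m, k) ? m[k] : null; },
    setItem: function (k, v) { m[k] = String(v); },
    removeItem: function (k) { delete m[k]; },
    key: function (i) { return Object.keys(m)[i] || null; },
    get length() { return Object.keys(m).length; }
  };
}

function makeHooks(storage, now) {
  now = now || function () { return Date.now(); };  // injectable clock for testing
  function keysWithPrefix(p) {
    var out = [];
    for (var i = 0; i < storage.length; i += 1) {
      if (storage.key(i).indexOf(p) === 0) { out.push(storage.key(i)); }
    }
    return out;
  }
  function read(k) { var v = storage.getItem(k); return v === null ? null : JSON.parse(v); }
  function write(k, obj) { storage.setItem(k, JSON.stringify(obj)); return Promise.resolve(obj); }
  function drop(p) { keysWithPrefix(p).forEach(function (k) { storage.removeItem(k); }); return Promise.resolve(); }
  function live(s) { return !!s && (!s.expires_at || s.expires_at > now()); }
  function sessKey(providerUri, id) { return 'sess:' + providerUri + ':' + (id || 'default'); }
  return {
    directives: {
      get: function (providerUri) { return Promise.resolve(read('dir:' + providerUri)); },
      set: function (providerUri, directives) { return write('dir:' + providerUri, directives); },
      all: function () { return Promise.resolve(keysWithPrefix('dir:').map(read)); },
      clear: function () { return drop('dir:'); }
    },
    sessions: {
      get: function (providerUri, id) {
        var s = read(sessKey(providerUri, id));
        return Promise.resolve(live(s) ? s : null);   // expired: report no session at all
      },
      set: function (providerUri, newSession, id) { return write(sessKey(providerUri, id), newSession); },
      all: function (providerUri) {
        return Promise.resolve(keysWithPrefix('sess:' + providerUri + ':').map(read).filter(live));
      },
      clear: function (providerUri) { return drop('sess:' + providerUri + ':'); }
    }
  };
}
```

In a browser, `makeHooks(window.sessionStorage)` gives the per-tab storage the SECURITY note recommends for ephemeral app identities.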

4. Prompt the user for their address and perform the lookup to see if it has a provider.

  var providerUri = address.split('@')[1] || address;
  var opts = { client_uri: clientUri };
  OAUTH3.discover(providerUri, opts).then(function (dir) {
    console.log('[DEBUG] directives:');
    console.log(dir);
  });
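The client-URI derivation of step 1 and the address split of step 4, written out as an added example that is not the library's own code. The normalization rules (lowercase host, default ports dropped, trailing slash trimmed) and the `isEphemeralClient` check that mirrors the SECURITY note in step 2 are this example's assumptions about the library's behaviour.

```javascript
// Added example (not the library's own code). Derives the client URI that
// identifies the app from a window.location-like object or a URL string,
// splits a subject@issuer address, and flags clients whose identity is
// ephemeral (app:// or localhost). Normalization rules are assumptions.
function parseLocation(url) {
  var m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:?#]+)(?::(\d+))?(\/[^?#]*)?/i.exec(url);
  if (!m) { throw new Error('unparseable client uri: ' + url); }
  return { protocol: (m[1] || 'https').toLowerCase() + ':', hostname: m[2],
           port: m[3] || '', pathname: m[4] || '/' };
}

function hostOf(loc) {
  // window.location has hostname; the playground's object literal uses host (may carry a port)
  return String(loc.hostname || loc.host || '').toLowerCase().split(':')[0];
}

function clientUri(loc) {
  if (typeof loc === 'string') { loc = parseLocation(loc); }
  var host = hostOf(loc);
  if (!host) { throw new Error('client uri requires a host'); }
  var port = loc.port ? String(loc.port) : '';
  var defaultPort = (loc.protocol === 'https:' && port === '443') ||
                    (loc.protocol === 'http:' && port === '80');
  var path = String(loc.pathname || '/').replace(/\/+$/, '');   // "/" -> "", "/app/" -> "/app"
  // a non-default port stays, because localhost:8080 and localhost:3000 are different apps
  return host + (port && !defaultPort ? ':' + port : '') + path;
}

function isEphemeralClient(loc) {
  if (typeof loc === 'string') { loc = parseLocation(loc); }
  var host = hostOf(loc);
  return loc.protocol === 'app:' || host === 'localhost' || host === '127.0.0.1';
}

function splitAddress(address) {
  // "john@example.com" -> subject "john", issuer "example.com"; a bare domain is all issuer
  address = String(address).trim();
  var at = address.indexOf('@');
  if (at < 0) { return { subject: null, issuer: address.toLowerCase() }; }
  return { subject: address.slice(0, at), issuer: address.slice(at + 1).toLowerCase() };
}
```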
  