Interface: Client

💗 Help the project

Support from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by becoming a sponsor.


Recognized Client Metadata that have an effect on the exposed functionality.

See

IANA OAuth Client Registration Metadata registry

Indexable

[metadata: string]: JsonValue | undefined

Properties

client_id

client_id: string

Client identifier.


[clockSkew]?

optional [clockSkew]: number

See clockSkew.


[clockTolerance]?

optional [clockTolerance]: number

See clockTolerance.


[jweDecrypt]?

optional [jweDecrypt]: JweDecryptFunction

See jweDecrypt.


authorization_signed_response_alg?

optional authorization_signed_response_alg: JWSAlgorithm

JWS alg algorithm required for signing authorization responses. When not configured the default is to allow only supported algorithms listed in as.authorization_signing_alg_values_supported and fall back to RS256 when the authorization server metadata is not set.


client_secret?

optional client_secret: string

Client secret.


default_max_age?

optional default_max_age: number

Default Maximum Authentication Age.


id_token_signed_response_alg?

optional id_token_signed_response_alg: string

JWS alg algorithm required for signing the ID Token issued to this Client. When not configured the default is to allow only algorithms listed in as.id_token_signing_alg_values_supported and fall back to RS256 when the authorization server metadata is not set.


introspection_signed_response_alg?

optional introspection_signed_response_alg: string

JWS alg algorithm REQUIRED for signed introspection responses. When not configured the default is to allow only algorithms listed in as.introspection_signing_alg_values_supported and fall back to RS256 when the authorization server metadata is not set.


require_auth_time?

optional require_auth_time: boolean

Boolean value specifying whether the auth_time Claim in the ID Token is REQUIRED. Default is false.


token_endpoint_auth_method?

optional token_endpoint_auth_method: ClientAuthenticationMethod

Client authentication method for the client's authenticated requests. Default is client_secret_basic.


use_mtls_endpoint_aliases?

optional use_mtls_endpoint_aliases: boolean

Indicates the requirement for a client to use mutual TLS endpoint aliases defined by the AS where present. Default is false.

When combined with customFetch (to use a Fetch API implementation that supports client certificates) this can be used to target FAPI 2.0 profiles that utilize Mutual-TLS for either client authentication or sender constraining. FAPI 1.0 Advanced profiles that use PAR and JARM can also be targeted.

Examples

(Node.js) Using nodejs/undici for Mutual-TLS Client Authentication and Certificate-Bound Access Tokens support.

import * as undici from 'undici'
import * as oauth from 'oauth4webapi'

// Prerequisites
let as!: oauth.AuthorizationServer
let client!: oauth.Client & { use_mtls_endpoint_aliases: true }
let params!: URLSearchParams
let key!: string // PEM-encoded key
let cert!: string // PEM-encoded certificate

const agent = new undici.Agent({ connect: { key, cert } })

const response = await oauth.pushedAuthorizationRequest(as, client, params, {
  [oauth.customFetch]: (...args) =>
    undici.fetch(args[0], { ...args[1], dispatcher: agent }),
})

(Deno) Using Deno.createHttpClient API for Mutual-TLS Client Authentication and Certificate-Bound Access Tokens support.

import * as oauth from 'oauth4webapi'

// Prerequisites
let as!: oauth.AuthorizationServer
let client!: oauth.Client & { use_mtls_endpoint_aliases: true }
let params!: URLSearchParams
let key!: string // PEM-encoded key
let cert!: string // PEM-encoded certificate

const agent = Deno.createHttpClient({ key, cert })

const response = await oauth.pushedAuthorizationRequest(as, client, params, {
  [oauth.customFetch]: (...args) => fetch(args[0], { ...args[1], client: agent }),
})

See

RFC 8705 - OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens


userinfo_signed_response_alg?

optional userinfo_signed_response_alg: string

JWS alg algorithm REQUIRED for signing UserInfo Responses. When not configured the default is to allow only algorithms listed in as.userinfo_signing_alg_values_supported and fall back to RS256 when the authorization server metadata is not set.
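The four `*_signed_response_alg` properties above (authorization, ID Token, introspection, UserInfo) all resolve the acceptable JWS `alg` values the same way. The following is an added illustration of that documented resolution order, not oauth4webapi's own code; the metadata shapes, the `allowedAlgs` and `checkJwsHeaderAlg` helpers and the sample metadata are constructed for this example.

```typescript
// Added illustration (not oauth4webapi's implementation) of how the documented
// defaults for the *_signed_response_alg client metadata resolve to a set of
// acceptable JWS "alg" values, and how a JWS header is checked against it.

type AuthorizationServerMetadata = {
  authorization_signing_alg_values_supported?: string[]
  id_token_signing_alg_values_supported?: string[]
  introspection_signing_alg_values_supported?: string[]
  userinfo_signing_alg_values_supported?: string[]
}

type ClientMetadata = {
  client_id: string
  authorization_signed_response_alg?: string
  id_token_signed_response_alg?: string
  introspection_signed_response_alg?: string
  userinfo_signed_response_alg?: string
}

type ResponseKind = 'authorization' | 'id_token' | 'introspection' | 'userinfo'

// Pairs each signed response kind with the client property and the AS metadata
// property named in the documentation above.
const KEYS: Record<ResponseKind, [keyof ClientMetadata, keyof AuthorizationServerMetadata]> = {
  authorization: ['authorization_signed_response_alg', 'authorization_signing_alg_values_supported'],
  id_token: ['id_token_signed_response_alg', 'id_token_signing_alg_values_supported'],
  introspection: ['introspection_signed_response_alg', 'introspection_signing_alg_values_supported'],
  userinfo: ['userinfo_signed_response_alg', 'userinfo_signing_alg_values_supported'],
}

// Resolution order: explicit client setting > algorithms advertised by the AS
// > RS256 when the AS metadata does not list any. (The real library further
// limits the advertised list to algorithms it implements; omitted here.)
function allowedAlgs(as: AuthorizationServerMetadata | undefined, client: ClientMetadata, kind: ResponseKind): string[] {
  const [clientKey, asKey] = KEYS[kind]
  const configured = client[clientKey]
  if (typeof configured === 'string') return [configured]
  const advertised = as?.[asKey]
  if (Array.isArray(advertised) && advertised.length > 0) return [...advertised]
  return ['RS256']
}

// A signed response must carry an "alg" from the resolved set; an absent or
// "none" header value is never acceptable for a response that must be signed.
function checkJwsHeaderAlg(header: { alg?: string }, allowed: string[]): boolean {
  if (typeof header.alg !== 'string' || header.alg === 'none') return false
  return allowed.includes(header.alg)
}

// Constructed sample metadata: the AS advertises ES256 and RS256 for ID Tokens
// only, and the client pins introspection responses to PS256.
const sampleAs: AuthorizationServerMetadata = { id_token_signing_alg_values_supported: ['ES256', 'RS256'] }
const sampleClient: ClientMetadata = { client_id: 'example-client', introspection_signed_response_alg: 'PS256' }
```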