by e1g 794 days ago
For those looking for production-level OAuth libs, the best implementation for all JS runtimes is https://github.com/panva/oauth4webapi

Certified, thoroughly tested, zero deps, fully typed, secure defaults, works in Node/Deno/Bun/Edge, supports PKCE/DPoP/etc.

2 comments

Certified by the person who wrote the library? I guess I also certify it

In self-certification processes like the OIDC certification program, it's common for developers to certify their own software. This is because the process is designed for developers to evaluate their own implementations against the established standards and requirements set by the certification program.

Self-certification doesn't mean that the process lacks validity or rigor. On the contrary, it involves thorough testing and validation against industry standards to ensure that the software meets the necessary criteria for interoperability, security, and functionality.

If you're curious about the specifics of the process, you can find more information on the OIDC certification FAQ pages. These resources provide detailed explanations of the certification process, the criteria for certification, and the testing procedures involved.

AFAIK there's no "certifying body" that would be able to provide an external "certification".

In any case Filip Skokan has essentially made a career out of building open source OAuth stuff, so even if it's a bit humorous that he certifies his own stuff, it's likely that this implementation is one of the most compliant out there.

I'll certify your certification!

Out of scope

The following features are currently out of scope:

CommonJS

Can’t be the best if CJS support is not offered. I know everyone’s hot for ESM but the fact of the matter is that there is an endless supply of legacy projects that will never migrate to ESM. Deliberately eliminating a huge swath of potential users is IMO hostile. Especially because there are tools like tsup that can cross build out of the box.

All target runtimes of oauth4webapi natively support ESM. Furthermore, experimental "require(esm)" is coming with Node.js 22 in the coming days, giving library authors such as myself even less of a need to bother with CJS targets, publishing, dual CJS/ESM hassles and more. See https://joyeecheung.github.io/blog/2024/03/18/require-esm-in...