JS Core SDK Overview
このコンテンツはまだ日本語訳がありません。
Introduction
Section titled “Introduction”@authrim/core is Authrim’s platform-agnostic authentication core library. It provides a complete implementation of OAuth 2.0 and OpenID Connect protocols, designed to run in any JavaScript environment — browsers, Node.js, React Native, Cloudflare Workers, and more.
The core SDK handles:
- Authorization Code Flow with PKCE
- Silent Authentication
- Device Authorization Grant (RFC 8628)
- Token management with automatic refresh
- Session management and logout
- DPoP (RFC 9449), PAR (RFC 9126), JAR (RFC 9101), JARM
- OIDC Discovery
- Token Exchange (RFC 8693), Introspection (RFC 7662), Revocation (RFC 7009)
- Native SSO token exchange with
device_secret - Tenant discovery helpers for common-entry login experiences
- Canonical Step-Up, device inventory, and customer profile protected-resource clients
Architecture
Section titled “Architecture”The Authrim SDK follows a layered architecture with @authrim/core at the foundation:
flowchart TB
app["Application Code"]
subgraph sdks["Platform SDKs"]
direction LR
web["@authrim/web<br>(Browser)"]
server["@authrim/server<br>(Node.js)"]
kit["@authrim/sveltekit"]
end
core["@authrim/core<br>(OAuth 2.0 / OIDC protocol implementation)"]
providers["Provider Interfaces<br>(CryptoProvider · Storage · HttpClient)"]
app --> sdks --> core --> providers
@authrim/core— Protocol logic, token management, security features. No platform dependencies.@authrim/web— Browser-specific implementation (popup/redirect login, Web Crypto API, localStorage).@authrim/server— Resource-server token validation, JWKS management, DPoP validation, and framework middleware.@authrim/sveltekit— SvelteKit integration with hooks and stores.
Supported Specifications
Section titled “Supported Specifications”| Specification | RFC | Status |
|---|---|---|
| OAuth 2.0 Authorization Code + PKCE | RFC 6749 / RFC 7636 | Supported |
| OpenID Connect Core 1.0 | — | Supported |
| OIDC Discovery | — | Supported |
| Token Exchange | RFC 8693 | Supported |
| Token Introspection | RFC 7662 | Supported |
| Token Revocation | RFC 7009 | Supported |
| Device Authorization Grant | RFC 8628 | Supported |
| DPoP | RFC 9449 | Supported |
| Pushed Authorization Requests | RFC 9126 | Supported |
| JWT Secured Authorization Request (JAR) | RFC 9101 | Supported |
| JWT Secured Authorization Response Mode (JARM) | — | Supported |
| RP-Initiated Logout | — | Supported |
| Native SSO token exchange profile | — | Supported |
When to Use @authrim/core
Section titled “When to Use @authrim/core”Use @authrim/core directly when:
- You are building a custom platform adapter (e.g., React Native, Electron, Cloudflare Workers)
- You need full control over the authentication flow
- You want to implement custom storage or crypto providers
- You need low-level clients such as
TenantDiscoveryClient,StepUpClient,DeviceInventoryClient, orCustomerProfileClient
For most applications, prefer the platform-specific SDKs:
| Platform | Package | When to Use |
|---|---|---|
| Browser (SPA) | @authrim/web | Single-page applications with popup or redirect login |
| Server (Node.js) | @authrim/server | Resource-server token validation, middleware, and server-side protected-resource helpers |
| SvelteKit | @authrim/sveltekit | SvelteKit applications with SSR/CSR |
Quick Example
Section titled “Quick Example”import { createAuthrimClient } from '@authrim/core';
const client = await createAuthrimClient({ issuer: 'https://auth.example.com', clientId: 'my-app', crypto: myCryptoProvider, storage: myStorageProvider, http: myHttpClient, redirectUri: 'https://myapp.com/callback', dpop: { tokenRequests: true, algorithm: 'ES256', },});
// Build authorization URLconst { url } = await client.buildAuthorizationUrl({ redirectUri: 'https://myapp.com/callback', scope: 'openid profile email',});
// After redirect, handle the callbackconst tokens = await client.handleCallback(window.location.href);
// Get access token (auto-refreshes if expired)const accessToken = await client.token.getAccessToken();API Surface
Section titled “API Surface”The initialized AuthrimClient exposes these main areas:
| API | Purpose |
|---|---|
buildAuthorizationUrl() / handleCallback() | Authorization Code + PKCE |
client.par | Pushed Authorization Requests |
client.deviceFlow | Device Authorization Grant |
client.token | access/id token access, refresh, token exchange, Native SSO exchange, introspection, revocation |
client.session / getUser() / logout() | local/session API and logout helpers |
client.dpop | DPoP key/proof helpers when the crypto provider supports DPoP |
client.stepUp | canonical Step-Up actions |
client.customerProfiles | protected customer profile reads and delegated writes |
TenantDiscoveryClient | tenant resolution before choosing an issuer |
Next Steps
Section titled “Next Steps”- Installation & Setup — Install the package and configure providers
- Authorization Code Flow — Implement the standard login flow
- Configuration Reference — All available configuration options