Authentik
OAuth 2.0 provider for Authentik.
Also see the OAuth 2.0 with PKCE guide.
Initialization
The domain
parameter should not include the protocol or path.
import { Authentik } from "arctic";
const domain = "auth.example.com";
const authentik = new Authentik(domain, clientId, clientSecret, redirectURI);
Create authorization URL
import { generateState, generateCodeVerifier } from "arctic";
const state = generateState();
const codeVerifier = generateCodeVerifier();
const scopes = ["openid", "profile"];
const url = authentik.createAuthorizationURL(state, codeVerifier, scopes);
Validate authorization code
validateAuthorizationCode()
will either return an OAuth2Tokens
, or throw one of OAuth2RequestError
, ArcticFetchError
, or a standard Error
(parse errors). Actual values returned by Authentik depends on your configuration and version.
import { OAuth2RequestError, ArcticFetchError } from "arctic";
try {
const tokens = await authentik.validateAuthorizationCode(code, codeVerifier);
const accessToken = tokens.accessToken();
const accessTokenExpiresAt = tokens.accessTokenExpiresAt();
const refreshToken = tokens.refreshToken();
} catch (e) {
if (e instanceof OAuth2RequestError) {
// Invalid authorization code, credentials, or redirect URI
const code = e.code;
// ...
}
if (e instanceof ArcticFetchError) {
// Failed to call `fetch()`
const cause = e.cause;
// ...
}
// Parse error
}
OpenID Connect
Use OpenID Connect with the openid
scope to get the user's profile with an ID token or the userinfo
endpoint. Arctic provides decodeIdToken()
for decoding the token's payload.
const scopes = ["openid"];
const url = authentik.createAuthorizationURL(state, codeVerifier, scopes);
import { decodeIdToken } from "arctic";
const tokens = await authentik.validateAuthorizationCode(code, codeVerifier);
const idToken = tokens.idToken();
const claims = decodeIdToken(idToken);
Refresh access tokens
Use refreshAccessToken()
to get a new access token using a refresh token. This method also returns OAuth2Tokens
and throws the same errors as validateAuthorizationCode()
.
import { OAuth2RequestError, ArcticFetchError } from "arctic";
try {
const tokens = await authentik.refreshAccessToken(refreshToken);
} catch (e) {
if (e instanceof OAuth2RequestError) {
// Invalid authorization code, credentials, or redirect URI
}
if (e instanceof ArcticFetchError) {
// Failed to call `fetch()`
}
// Parse error
}
Revoke tokens
Use revokeToken()
to revoke a token. This can throw the same errors as validateAuthorizationCode()
.
try {
await authentik.revokeToken(token);
} catch (e) {
if (e instanceof OAuth2RequestError) {
// Invalid authorization code, credentials, or redirect URI
}
if (e instanceof ArcticFetchError) {
// Failed to call `fetch()`
}
// Parse error
}