OAuth2Config

Defined in: src/policies/auth/oauth2.ts:16

Configuration for the oauth2 policy.

optional cacheMaxEntries: number

Defined in: src/policies/auth/oauth2.ts:38

Maximum number of tokens to cache. Default: 100.


optional cacheTtlSeconds: number

Defined in: src/policies/auth/oauth2.ts:36

Cache introspection results for this many seconds. Default: 0 (no cache).


optional clientId: string

Defined in: src/policies/auth/oauth2.ts:20

Client ID for authenticating with the introspection endpoint.


optional clientSecret: string

Defined in: src/policies/auth/oauth2.ts:22

Client secret for authenticating with the introspection endpoint.


optional forwardTokenInfo: Record<string, string>

Defined in: src/policies/auth/oauth2.ts:34

Map introspection response fields to request headers. Only applies with introspection.


optional headerName: string

Defined in: src/policies/auth/oauth2.ts:28

Header name when tokenLocation is “header”. Default: “authorization”.


optional headerPrefix: string

Defined in: src/policies/auth/oauth2.ts:30

Prefix to strip from header value. Default: “Bearer”.


optional introspectionTimeoutMs: number

Defined in: src/policies/auth/oauth2.ts:42

Introspection endpoint fetch timeout in milliseconds. Default: 5000.


optional introspectionUrl: string

Defined in: src/policies/auth/oauth2.ts:18

OAuth2 token introspection endpoint (RFC 7662).


optional localValidate: (token) => boolean | Promise<boolean>

Defined in: src/policies/auth/oauth2.ts:24

Local validation function as alternative to introspection. Takes precedence if both provided.

Parameter: token: string

Returns: boolean | Promise<boolean>


optional queryParam: string

Defined in: src/policies/auth/oauth2.ts:32

Query param name when tokenLocation is “query”. Default: “access_token”.


optional requiredScopes: string[]

Defined in: src/policies/auth/oauth2.ts:40

Required scopes - token must have ALL of these (space-separated scope string).


optional skip: (c) => boolean | Promise<boolean>

Defined in: src/policies/types.ts:90

Skip this policy when condition returns true.

Parameter: c: unknown

Returns: boolean | Promise<boolean>

Inherited from: PolicyConfig.skip


optional tokenLocation: "query" | "header"

Defined in: src/policies/auth/oauth2.ts:26

Where to look for the token. Default: “header”.
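
The following sketch shows how the requiredScopes and forwardTokenInfo settings described above would apply to an RFC 7662 introspection response. It is an added example, not code from src/policies/auth/oauth2.ts. The function name evaluateIntrospection, the Decision shape, the field-to-header direction of the forwardTokenInfo map, and the control-character stripping are assumptions made for illustration.

```typescript
// Added illustration of the documented semantics; not the project's implementation.
interface IntrospectionResponse {
  active: boolean;
  scope?: string;
  [field: string]: unknown;
}

interface Decision {
  allowed: boolean;
  reason: string;
  headers: Record<string, string>;
}

function evaluateIntrospection(
  resp: IntrospectionResponse,
  requiredScopes: string[],
  forwardTokenInfo: Record<string, string>, // assumed: response field -> header name
): Decision {
  // RFC 7662: anything other than active === true is a rejection.
  if (resp.active !== true) {
    return { allowed: false, reason: "inactive", headers: {} };
  }
  // Split the scope string into exact tokens; substring matching would let
  // "readonly" satisfy a requirement for "read".
  const scope = typeof resp.scope === "string" ? resp.scope : "";
  const granted = new Set(scope.split(" ").filter((s) => s.length > 0));
  const missing = requiredScopes.filter((s) => !granted.has(s));
  if (missing.length > 0) {
    return { allowed: false, reason: "missing scope: " + missing.join(" "), headers: {} };
  }
  const headers: Record<string, string> = {};
  for (const [field, headerName] of Object.entries(forwardTokenInfo)) {
    const value = resp[field];
    if (typeof value !== "string" && typeof value !== "number") continue;
    // Strip control characters so a response field cannot add header lines.
    headers[headerName.toLowerCase()] = String(value).replace(/[\x00-\x1f\x7f]/g, "");
  }
  return { allowed: true, reason: "ok", headers };
}

// Constructed sample introspection response (not captured from a real server).
const sampleResponse: IntrospectionResponse = {
  active: true,
  scope: "read write",
  sub: "user-123",
  client_id: "gateway",
};
const sampleDecision = evaluateIntrospection(
  sampleResponse, ["read", "write"], { sub: "x-user-id", client_id: "x-client-id" });
console.log(sampleDecision);
```

When forwarding token fields as headers, the gateway should also remove any same-named headers sent by the client, so that upstream services only ever see values derived from the introspection response.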