OAuth Provider Overview

The S-Auth OAuth Provider is a fully compliant OAuth2 authorization server built on Cloudflare Workers with D1 database storage.

Supported Grant Types

Grant Type	Use Case	Requires User
Authorization Code	Web applications, SPAs	Yes
Authorization Code + PKCE	Mobile apps, public clients	Yes
Client Credentials	Service-to-service	No
Refresh Token	Token renewal	Depends

Endpoints

Endpoint	Description
`GET /authorize`	Start authorization flow
`POST /token`	Exchange code/credentials for tokens
`GET /userinfo`	Get authenticated user information
`POST /revoke`	Revoke access or refresh tokens
`GET /.well-known/openid-configuration`	OpenID Connect discovery

Token Types

Access Token

Prefix: sat_ (S-Auth Token)
Default expiry: 15 minutes (900 seconds)
Used to access protected resources

Refresh Token

Prefix: srt_ (S-Auth Refresh Token)
Default expiry: 30 days
Used to obtain new access tokens

Scopes

S-Auth supports the following OAuth2 scopes:

Scope	Description
`openid`	Required for OIDC flows
`profile`	Access to user's name and user_id
`email`	Access to user's email address

Client Types

Confidential Clients

Can securely store a client secret
Examples: Server-side web applications
Use client_secret_basic or client_secret_post authentication

Public Clients

Cannot securely store secrets
Examples: SPAs, mobile apps, CLI tools
Must use PKCE for security

Security Features

PKCE Support - Proof Key for Code Exchange for public clients
One-Time Auth Codes - Authorization codes are invalidated after use
Token Binding - Tokens are bound to the client that requested them
Secure Token Generation - Uses crypto.getRandomValues() for all tokens
Password Hashing - bcrypt with configurable cost factor
CORS Protection - Configurable allowed origins

Configuration

Token lifetimes and other settings are configured via environment variables:

ACCESS_TOKEN_EXPIRES_IN=900      # 15 minutes
REFRESH_TOKEN_EXPIRES_IN=2592000 # 30 days
AUTH_CODE_EXPIRES_IN=600         # 10 minutes
SESSION_EXPIRES_IN=86400         # 24 hours
BCRYPT_ROUNDS=10                 # Password hashing cost

OpenID Connect Discovery

The provider exposes a standard OIDC discovery endpoint at /.well-known/openid-configuration:

{
  "issuer": "https://auth.sebbyk.net",
  "authorization_endpoint": "https://auth.sebbyk.net/authorize",
  "token_endpoint": "https://auth.sebbyk.net/token",
  "userinfo_endpoint": "https://auth.sebbyk.net/userinfo",
  "revocation_endpoint": "https://auth.sebbyk.net/revoke",
  "response_types_supported": ["code"],
  "grant_types_supported": ["authorization_code", "client_credentials", "refresh_token"],
  "code_challenge_methods_supported": ["S256", "plain"],
  "scopes_supported": ["openid", "profile", "email"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"]
}

Supported Grant Types​

Endpoints​

Token Types​

Access Token​

Refresh Token​

Scopes​

Client Types​

Confidential Clients​

Public Clients​

Security Features​

Configuration​

OpenID Connect Discovery​