Function createOAuthRouter

createOAuthRouter(
    express: {
        json: () => RequestHandler;
        Router: () => Router;
        urlencoded: (opts: { extended: boolean }) => RequestHandler;
    },
    __namedParameters: {
        accessTokenDenylist?: AccessTokenDenylist;
        auditSink?: AuditSink;
        clientRepository: ClientRepository;
        codeRepository: CodeRepository;
        config: {
            cors: { allowedOrigins: string[] };
            endpoints: { login: { url: string } };
            federations: z.ZodRecord<
                z.ZodString,
                z.ZodObject<
                    {
                        enabled: z.ZodPreprocess<z.ZodBoolean>;
                        type: z.ZodOptional<z.ZodString>;
                    },
                    z.core.$loose,
                >,
            >;
            http: { port: number; trustProxy: boolean };
            memoryRateLimiter?: {
                defaultLimit?: { limit: number; windowSeconds: number };
                limits?: Record<string, { limit: number; windowSeconds: number }>;
                maxBuckets?: number;
            };
            oauth: {
                accessToken: { expiresIn: number };
                code?: { adapter?: "redis" | "memory" };
                grants: { [key: string]: unknown };
                jwt: {
                    issuer?: string;
                    legacyTypAccept?: boolean;
                    signingKey: {
                        local?:
                            | {
                                algorithm: "HS256";
                                kid: string;
                                previousSecrets?: { expiresAt: string; kid: string; secret: string }[];
                                secret?: string;
                            }
                            | {
                                algorithm: "RS256"
                                | "ES256"
                                | "EdDSA";
                                kid: string;
                                previousKeys?: {
                                    expiresAt: string;
                                    kid: string;
                                    publicKey?: (...) | (...);
                                    publicKeyPath?: (...) | (...);
                                }[];
                                privateKey?: string;
                                privateKeyPath?: string;
                                publicKey?: string;
                                publicKeyPath?: string;
                                [key: string]: unknown;
                            };
                        provider: string;
                        [key: string]: unknown;
                    };
                };
                nonce?: { maxLength: number };
                oidcMode: "oidc-required" | "dual";
                refreshToken: {
                    expiresIn: number;
                    legacyRtPolicy: "reject";
                    unknownFamilyPolicy: "accept" | "reject";
                };
                resourceIndicator?: { enabled: boolean };
                tokenExchange?: { maxActorChainDepth: number };
            };
            rateLimit: {
                failMode: "open"
                | "closed";
                login: { limit: number; windowMs: number };
            };
            rateLimiter?: { adapter?: "redis"
            | "memory" };
            redisCodeRepository?: { defaultExpiresIn?: number; keyPrefix?: string };
            redisRefreshTokenFamilyStore?: {
                casRetryLimit?: number;
                keyPrefix?: string;
            };
            redisSessionStores?: { keyPrefix?: string };
            refreshTokenFamilyStore?: { redis?: { password?: string; url: string } };
            repositories: {
                client: { type: string; [key: string]: unknown };
                code: { type: string; [key: string]: unknown };
                user: { type: string; [key: string]: unknown };
            };
            session: {
                domain: string
                | null;
                maxAge: number;
                name: string;
                sameSite: "none" | "lax" | "strict";
                secret: string;
                secure: boolean;
                storage: {
                    redis?: { password?: string; url: string };
                    type: string;
                    [key: string]: unknown;
                };
            };
            userSessionStores?: { adapter?: "redis"
            | "memory" };
        };
        federationTokenStore?: FederationTokenStore;
        getFederationProviders?: () => | ReadonlyMap<
            string,
            FederationProviderHandle,
        >
        | undefined;
        grantPolicy?: GrantPolicyHook;
        keyStore: KeyStore;
        logger?: Logger;
        rateLimiter?: RateLimiter;
        refreshTokenFamilyRevocation?: RefreshTokenFamilyRevocation;
        registry: GrantHandlerResolver;
        sessionFamilyIndex?: SessionFamilyIndex;
        sessionFederationIndex?: SessionFederationIndex;
        sessionRPRegistry?: SessionRPRegistry;
        userSessionStore?: UserSessionStore;
    },
): Promise<{ registry: GrantHandlerResolver; router: Router }>
Parameters
- express: {
      json: () => RequestHandler;
      Router: () => Router;
      urlencoded: (opts: { extended: boolean }) => RequestHandler;
  }
- __namedParameters: {
      accessTokenDenylist?: AccessTokenDenylist;
      auditSink?: AuditSink;
      clientRepository: ClientRepository;
      codeRepository: CodeRepository;
      config: {
          cors: { allowedOrigins: string[] };
          endpoints: { login: { url: string } };
          federations: z.ZodRecord<
              z.ZodString,
              z.ZodObject<
                  {
                      enabled: z.ZodPreprocess<z.ZodBoolean>;
                      type: z.ZodOptional<z.ZodString>;
                  },
                  z.core.$loose,
              >,
          >;
          http: { port: number; trustProxy: boolean };
          memoryRateLimiter?: {
              defaultLimit?: { limit: number; windowSeconds: number };
              limits?: Record<string, { limit: number; windowSeconds: number }>;
              maxBuckets?: number;
          };
          oauth: {
              accessToken: { expiresIn: number };
              code?: { adapter?: "redis" | "memory" };
              grants: { [key: string]: unknown };
              jwt: {
                  issuer?: string;
                  legacyTypAccept?: boolean;
                  signingKey: {
                      local?:
                          | {
                              algorithm: "HS256";
                              kid: string;
                              previousSecrets?: { expiresAt: string; kid: string; secret: string }[];
                              secret?: string;
                          }
                          | {
                              algorithm: "RS256"
                              | "ES256"
                              | "EdDSA";
                              kid: string;
                              previousKeys?: {
                                  expiresAt: string;
                                  kid: string;
                                  publicKey?: (...) | (...);
                                  publicKeyPath?: (...) | (...);
                              }[];
                              privateKey?: string;
                              privateKeyPath?: string;
                              publicKey?: string;
                              publicKeyPath?: string;
                              [key: string]: unknown;
                          };
                      provider: string;
                      [key: string]: unknown;
                  };
              };
              nonce?: { maxLength: number };
              oidcMode: "oidc-required" | "dual";
              refreshToken: {
                  expiresIn: number;
                  legacyRtPolicy: "reject";
                  unknownFamilyPolicy: "accept" | "reject";
              };
              resourceIndicator?: { enabled: boolean };
              tokenExchange?: { maxActorChainDepth: number };
          };
          rateLimit: {
              failMode: "open"
              | "closed";
              login: { limit: number; windowMs: number };
          };
          rateLimiter?: { adapter?: "redis"
          | "memory" };
          redisCodeRepository?: { defaultExpiresIn?: number; keyPrefix?: string };
          redisRefreshTokenFamilyStore?: {
              casRetryLimit?: number;
              keyPrefix?: string;
          };
          redisSessionStores?: { keyPrefix?: string };
          refreshTokenFamilyStore?: { redis?: { password?: string; url: string } };
          repositories: {
              client: { type: string; [key: string]: unknown };
              code: { type: string; [key: string]: unknown };
              user: { type: string; [key: string]: unknown };
          };
          session: {
              domain: string
              | null;
              maxAge: number;
              name: string;
              sameSite: "none" | "lax" | "strict";
              secret: string;
              secure: boolean;
              storage: {
                  redis?: { password?: string; url: string };
                  type: string;
                  [key: string]: unknown;
              };
          };
          userSessionStores?: { adapter?: "redis"
          | "memory" };
      };
      federationTokenStore?: FederationTokenStore;
      getFederationProviders?: () => | ReadonlyMap<
          string,
          FederationProviderHandle,
      >
      | undefined;
      grantPolicy?: GrantPolicyHook;
      keyStore: KeyStore;
      logger?: Logger;
      rateLimiter?: RateLimiter;
      refreshTokenFamilyRevocation?: RefreshTokenFamilyRevocation;
      registry: GrantHandlerResolver;
      sessionFamilyIndex?: SessionFamilyIndex;
      sessionFederationIndex?: SessionFederationIndex;
      sessionRPRegistry?: SessionRPRegistry;
      userSessionStore?: UserSessionStore;
  }
  - OptionalaccessTokenDenylist?: AccessTokenDenylist
    Wave 1 — RFC 7009 access-token revocation. Optional: when absent, AT revocation is a warn-logged no-op.
  - OptionalauditSink?: AuditSink
  - clientRepository: ClientRepository
  - codeRepository: CodeRepository
  - config: {
        cors: { allowedOrigins: string[] };
        endpoints: { login: { url: string } };
        federations: z.ZodRecord<
            z.ZodString,
            z.ZodObject<
                {
                    enabled: z.ZodPreprocess<z.ZodBoolean>;
                    type: z.ZodOptional<z.ZodString>;
                },
                z.core.$loose,
            >,
        >;
        http: { port: number; trustProxy: boolean };
        memoryRateLimiter?: {
            defaultLimit?: { limit: number; windowSeconds: number };
            limits?: Record<string, { limit: number; windowSeconds: number }>;
            maxBuckets?: number;
        };
        oauth: {
            accessToken: { expiresIn: number };
            code?: { adapter?: "redis" | "memory" };
            grants: { [key: string]: unknown };
            jwt: {
                issuer?: string;
                legacyTypAccept?: boolean;
                signingKey: {
                    local?:
                        | {
                            algorithm: "HS256";
                            kid: string;
                            previousSecrets?: { expiresAt: string; kid: string; secret: string }[];
                            secret?: string;
                        }
                        | {
                            algorithm: "RS256"
                            | "ES256"
                            | "EdDSA";
                            kid: string;
                            previousKeys?: {
                                expiresAt: string;
                                kid: string;
                                publicKey?: (...) | (...);
                                publicKeyPath?: (...) | (...);
                            }[];
                            privateKey?: string;
                            privateKeyPath?: string;
                            publicKey?: string;
                            publicKeyPath?: string;
                            [key: string]: unknown;
                        };
                    provider: string;
                    [key: string]: unknown;
                };
            };
            nonce?: { maxLength: number };
            oidcMode: "oidc-required" | "dual";
            refreshToken: {
                expiresIn: number;
                legacyRtPolicy: "reject";
                unknownFamilyPolicy: "accept" | "reject";
            };
            resourceIndicator?: { enabled: boolean };
            tokenExchange?: { maxActorChainDepth: number };
        };
        rateLimit: {
            failMode: "open"
            | "closed";
            login: { limit: number; windowMs: number };
        };
        rateLimiter?: { adapter?: "redis"
        | "memory" };
        redisCodeRepository?: { defaultExpiresIn?: number; keyPrefix?: string };
        redisRefreshTokenFamilyStore?: {
            casRetryLimit?: number;
            keyPrefix?: string;
        };
        redisSessionStores?: { keyPrefix?: string };
        refreshTokenFamilyStore?: { redis?: { password?: string; url: string } };
        repositories: {
            client: { type: string; [key: string]: unknown };
            code: { type: string; [key: string]: unknown };
            user: { type: string; [key: string]: unknown };
        };
        session: {
            domain: string
            | null;
            maxAge: number;
            name: string;
            sameSite: "none" | "lax" | "strict";
            secret: string;
            secure: boolean;
            storage: {
                redis?: { password?: string; url: string };
                type: string;
                [key: string]: unknown;
            };
        };
        userSessionStores?: { adapter?: "redis"
        | "memory" };
    }
  - OptionalfederationTokenStore?: FederationTokenStore
  - OptionalgetFederationProviders?: () => ReadonlyMap<string, FederationProviderHandle> | undefined
    Lazy getter for the federation providers Map. Evaluated at request time so module init order does not affect resolution — pass () => context.federationProviders from module.mts. Defaults to () => undefined when not provided.
  - OptionalgrantPolicy?: GrantPolicyHook
  - keyStore: KeyStore
  - Optionallogger?: Logger
  - OptionalrateLimiter?: RateLimiter
  - OptionalrefreshTokenFamilyRevocation?: RefreshTokenFamilyRevocation
  - registry: GrantHandlerResolver
  - OptionalsessionFamilyIndex?: SessionFamilyIndex
  - OptionalsessionFederationIndex?: SessionFederationIndex
  - OptionalsessionRPRegistry?: SessionRPRegistry
  - OptionaluserSessionStore?: UserSessionStore
Returns Promise<{ registry: GrantHandlerResolver; router: Router }>
- Defined in oauth/src/routes.mts:69

Function createOAuthRouter

Parameters

`Optional`accessTokenDenylist?: AccessTokenDenylist

`Optional`auditSink?: AuditSink

clientRepository: ClientRepository

codeRepository: CodeRepository

`Optional`federationTokenStore?: FederationTokenStore

`Optional`getFederationProviders?: () => ReadonlyMap<string, FederationProviderHandle> | undefined

`Optional`grantPolicy?: GrantPolicyHook

keyStore: KeyStore

`Optional`logger?: Logger

`Optional`rateLimiter?: RateLimiter

`Optional`refreshTokenFamilyRevocation?: RefreshTokenFamilyRevocation

registry: GrantHandlerResolver

`Optional`sessionFamilyIndex?: SessionFamilyIndex

`Optional`sessionFederationIndex?: SessionFederationIndex

`Optional`sessionRPRegistry?: SessionRPRegistry

`Optional`userSessionStore?: UserSessionStore

Returns Promise<{ registry: GrantHandlerResolver; router: Router }>

Settings

Function createOAuthRouter

Parameters

OptionalaccessTokenDenylist?: AccessTokenDenylist

OptionalauditSink?: AuditSink

clientRepository: ClientRepository

codeRepository: CodeRepository

OptionalfederationTokenStore?: FederationTokenStore

OptionalgetFederationProviders?: () => ReadonlyMap<string, FederationProviderHandle> | undefined

OptionalgrantPolicy?: GrantPolicyHook

keyStore: KeyStore

Optionallogger?: Logger

OptionalrateLimiter?: RateLimiter

OptionalrefreshTokenFamilyRevocation?: RefreshTokenFamilyRevocation

registry: GrantHandlerResolver

OptionalsessionFamilyIndex?: SessionFamilyIndex

OptionalsessionFederationIndex?: SessionFederationIndex

OptionalsessionRPRegistry?: SessionRPRegistry

OptionaluserSessionStore?: UserSessionStore

Returns Promise<{ registry: GrantHandlerResolver; router: Router }>

Settings

`Optional`accessTokenDenylist?: AccessTokenDenylist

`Optional`auditSink?: AuditSink

`Optional`federationTokenStore?: FederationTokenStore

`Optional`getFederationProviders?: () => ReadonlyMap<string, FederationProviderHandle> | undefined

`Optional`grantPolicy?: GrantPolicyHook

`Optional`logger?: Logger

`Optional`rateLimiter?: RateLimiter

`Optional`refreshTokenFamilyRevocation?: RefreshTokenFamilyRevocation

`Optional`sessionFamilyIndex?: SessionFamilyIndex

`Optional`sessionFederationIndex?: SessionFederationIndex

`Optional`sessionRPRegistry?: SessionRPRegistry

`Optional`userSessionStore?: UserSessionStore