OAuth 2.0 Authorization Server
Production-grade OpenID Connect server with full spec compliance
Overview
Built as a deep-dive into the OAuth 2.0 and OpenID Connect specifications, this authorization server implements every major endpoint from scratch using TypeScript and the Authlete backend SDK.
The server features a clean MVC architecture with dedicated controllers for each OAuth endpoint, EJS-rendered login and consent UIs for interactive flows, structured Winston + Morgan logging with per-request tracing IDs, and full support for Authorization Code with PKCE, Resource Owner Password Credentials, Client Credentials, and Token Exchange flows.
The project ships with a companion React SPA client that demonstrates Authorization Code + PKCE using a public client type, proving the full round-trip of token issuance, userinfo retrieval, and token introspection.
A live demo is deployed on Render and is testable via OAuth Tools or the Curity Playground.
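The PKCE check behind the Authorization Code + PKCE flow mentioned above, as an added stand-alone example (not this project's code, and it does not use the Authlete SDK). The function names and the policy of accepting only S256 are assumptions of this sketch.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// RFC 7636 section 4.1: code_verifier is 43-128 chars from the unreserved set.
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

// Client side (e.g. the SPA): 32 random bytes give a 43-char base64url verifier.
function generateVerifier(): string {
  return randomBytes(32).toString("base64url");
}

// S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), without padding.
function s256Challenge(verifier: string): string {
  return createHash("sha256").update(verifier, "ascii").digest("base64url");
}

// Server side, at the token endpoint: compare the verifier sent with the
// authorization code against the challenge stored at the authorization step.
// Hypothetical helper; a public client has no secret, so this is its only proof.
function verifyPkce(
  storedChallenge: string,
  method: string,
  verifier: string | undefined
): boolean {
  // Assumed policy: reject "plain" and any unknown method (no downgrade).
  if (method !== "S256") return false;
  // A missing or malformed verifier fails closed.
  if (!verifier || !VERIFIER_RE.test(verifier)) return false;
  const expected = Buffer.from(s256Challenge(verifier), "ascii");
  const stored = Buffer.from(storedChallenge, "ascii");
  // timingSafeEqual throws on unequal lengths, so check length first.
  return expected.length === stored.length && timingSafeEqual(expected, stored);
}

// Round trip with the test vector from RFC 7636 Appendix B.
const rfcVerifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
const rfcChallenge = s256Challenge(rfcVerifier);
console.log(rfcChallenge, verifyPkce(rfcChallenge, "S256", rfcVerifier));
```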