Scripting
Documentation
Changelog
Privacy
Documentation
Changelog
Privacy

OAuth2

The OAuth2 class provides a robust interface for managing OAuth 2.0 authorization flows in Scripting. It supports standard authorization code flows, PKCE (Proof Key for Code Exchange), access token renewal, and customizable token handling.

Constructor

1new OAuth2(options: {
2  consumerKey: string
3  consumerSecret: string
4  authorizeUrl: string
5  accessTokenUrl?: string
6  responseType: string
7  contentType?: string
8})

Parameters

Name Type Required Description
consumerKey string Yes The application's client ID or consumer key.
consumerSecret string Yes The application's client secret.
authorizeUrl string Yes The URL where the user will be redirected for authorization.
accessTokenUrl string No The endpoint to request the access token. If omitted, authorizeUrl is used.
responseType string Yes Typically "code" for the Authorization Code Grant flow.
contentType string No Content type for token requests. Defaults to "application/x-www-form-urlencoded".

Throws

  • Error if the configuration is invalid or instantiation fails.

Properties

accessTokenBasicAuthentification: boolean

Enable this to use HTTP Basic authentication when exchanging the authorization code for an access token. Default is false.

allowMissingStateCheck: boolean

Disables CSRF protection based on state parameter validation. Use with caution. Default is false.

encodeCallbackURL: boolean

Encodes the callback URL when generating the authorization URL. Required by some providers. Default is true.

encodeCallbackURLQuery: boolean

Controls whether the entire query string is encoded. Some services (e.g., Imgur) require this to be false. Default is true.

Methods

authorize(options): Promise<OAuthCredential>

Initiates the OAuth2 authorization flow, opening a browser window for the user to log in and grant permissions.

1authorize(options: {
2  callbackURL?: string
3  scope: string
4  state: string
5  parameters?: Record<string, any>
6  headers?: Record<string, string>
7} & ({
8  codeVerifier: string
9  codeChallenge: string
10  codeChallengeMethod: string
11} | {
12  codeVerifier?: never
13  codeChallenge?: never
14  codeChallengeMethod?: never
15})): Promise<OAuthCredential>

Parameters

Name Type Required Description
callbackURL string No Custom redirect URI. Default is scripting://oauth_callback/{current_script_encoded_name}.
scope string Yes Space-separated list of requested scopes.
state string Yes A unique string used to prevent CSRF attacks.
parameters Record<string, any> No Extra query parameters to send in the authorization request.
headers Record<string, string> No Extra headers to send in the request.
codeVerifier string Conditional Raw random string used in PKCE flow.
codeChallenge string Conditional Hashed version of the code verifier.
codeChallengeMethod "plain" | "S256" Conditional Hashing method for code challenge. Default is "S256".

Returns

  • A Promise that resolves to an OAuthCredential object containing tokens and metadata.

Throws

  • Error if the user denies authorization or a network/response error occurs.

Example

1const oauth = new OAuth2({
2  consumerKey: 'your-client-id',
3  consumerSecret: 'your-client-secret',
4  authorizeUrl: 'https://provider.com/oauth/authorize',
5  accessTokenUrl: 'https://provider.com/oauth/token',
6  responseType: 'code'
7})
8
9const credential = await oauth.authorize({
10  scope: 'profile email',
11  state: 'secure_random_state',
12  callbackURL: Script.createOAuthCallbackURLScheme('my_oauth_script')
13})
14
15console.log(credential.oauthToken)

renewAccessToken(options): Promise<OAuthCredential>

Exchanges a refresh token for a new access token from the provider.

1renewAccessToken(options: {
2  refreshToken: string
3  parameters?: Record<string, any>
4  headers?: Record<string, string>
5}): Promise<OAuthCredential>

Parameters

Name Type Required Description
refreshToken string Yes The refresh token previously obtained.
parameters Record<string, any> No Additional POST body parameters.
headers Record<string, string> No Additional headers for the request.

Returns

  • A Promise that resolves to an updated OAuthCredential object.

Throws

  • Error if the refresh fails due to expired or revoked tokens.

Example

1const newCredential = await oauth.renewAccessToken({
2  refreshToken: previous.oauthRefreshToken
3})
4
5console.log(newCredential.oauthToken)

OAuthCredential Type

The OAuthCredential object contains all relevant information from a successful OAuth2 transaction.

1type OAuthCredential = {
2  oauthToken: string
3  oauthTokenSecret: string
4  oauthRefreshToken: string
5  oauthTokenExpiresAt: number | null
6  oauthVerifier: string
7  version: string
8  signatureMethod: string
9}

Field Descriptions

Field Type Description
oauthToken string Access token to authorize requests to the API.
oauthTokenSecret string Token secret for request signing (used in OAuth1.0-like flows).
oauthRefreshToken string Token used to refresh the access token.
oauthTokenExpiresAt number | null Expiration time in Unix timestamp (ms). null if no expiration.
oauthVerifier string Verifier used for PKCE validation.
version string OAuth version (e.g., "2.0").
signatureMethod string Method used to sign requests (e.g., "HMAC-SHA1", "PLAINTEXT").

Best Practices

  • Always verify state to protect against CSRF attacks unless explicitly disabled.
  • Use Script.createOAuthCallbackURLScheme(name) to generate script-specific callback URLs.
  • Securely store the oauthRefreshToken if long-term access is needed.
  • Consider using PKCE for enhanced security, especially in public clients.
Outline