
feat(examples): add OAuth without DCR example

233c1d9
Closed

feat: add OAuth example for providers without DCR support #1695

Claude / Claude Code Review completed Mar 27, 2026 in 4m 29s

Code review found 3 potential issues

Found 6 candidates, confirmed 3. See review comments for details.

Details

| Severity | Count |
|---|---|
| 🔴 Important | 0 |
| 🟡 Nit | 3 |
| 🟣 Pre-existing | 0 |
| Severity | File:Line | Issue |
|---|---|---|
| 🟡 Nit | examples/server/src/oauthWithoutDcr.ts:334-341 | Token endpoint allows unauthenticated code exchange when client_secret is omitted |
| 🟡 Nit | examples/server/src/oauthWithoutDcr.ts:222-223 | No-op scope reassignment in /authorize handler |
| 🟡 Nit | examples/server/src/README-oauthWithoutDcr.md:49-55 | README references wrong filename case (oauthWithoutDCR.ts vs oauthWithoutDcr.ts) |

Annotations

Check warning on line 341 in examples/server/src/oauthWithoutDcr.ts


@claude claude / Claude Code Review

Token endpoint allows unauthenticated code exchange when client_secret is omitted

The client authentication check on line 337 allows requests with no `client_secret` to bypass secret validation: when `client_secret` is `undefined`, the condition `client.client_secret !== client_secret && client_secret !== undefined` evaluates to `true && false` = `false`, skipping the rejection. Since this is demo code with security disclaimers and the AS metadata already advertises `"none"` as a supported auth method, this is a minor inconsistency rather than a critical flaw — but it could
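The condition this annotation describes, as an added example that is not code from the PR or the example server: a check with the flawed shape beside a hardened one that derives whether a secret is required from the client's registered `token_endpoint_auth_method`. The `RegisteredClient` shape, the function names and the sample clients are assumptions for illustration.

```typescript
// Added example, not code from the PR or the example server. Client shape,
// function names and the sample clients below are assumptions for illustration.
interface RegisteredClient {
  client_id: string;
  client_secret?: string; // absent for public clients
  token_endpoint_auth_method: 'client_secret_post' | 'none';
}

// Flawed check with the structure the annotation describes: when client_secret
// is undefined the second conjunct is false, so a confidential client is never
// rejected and the code exchange proceeds unauthenticated.
function flawedClientAuthOk(client: RegisteredClient, client_secret?: string): boolean {
  if (client.client_secret !== client_secret && client_secret !== undefined) {
    return false;
  }
  return true;
}

// Length-constant comparison so a mismatch does not leak where it occurred
// (the length itself is still observable, acceptable for fixed-size secrets).
function secretsMatch(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Hardened check: the registered auth method decides whether a secret is
// required. A confidential client must present exactly its registered secret;
// a public client ('none') must neither have one registered nor send one.
function hardenedClientAuthOk(client: RegisteredClient, client_secret?: string): boolean {
  if (client.token_endpoint_auth_method === 'none') {
    return client.client_secret === undefined && client_secret === undefined;
  }
  if (client.client_secret === undefined || client_secret === undefined) return false;
  return secretsMatch(client.client_secret, client_secret);
}

// Constructed sample clients.
const confidentialClient: RegisteredClient = {
  client_id: 'confidential-demo',
  client_secret: 'demo-secret',
  token_endpoint_auth_method: 'client_secret_post',
};
const publicClient: RegisteredClient = {
  client_id: 'public-demo',
  token_endpoint_auth_method: 'none',
};
```

Running `flawedClientAuthOk(confidentialClient, undefined)` returns `true`, which is the bypass the annotation reports; `hardenedClientAuthOk` returns `false` for the same input while still admitting the public client without a secret.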

Check warning on line 223 in examples/server/src/oauthWithoutDcr.ts


@claude claude / Claude Code Review

No-op scope reassignment in /authorize handler

Line 223 is a no-op: ``pendingAuthorizations.get(proxyState)!.scope = `${pendingAuthorizations.get(proxyState)!.scope ?? ''}`;`` just reassigns the scope string to itself via a template literal. This looks like leftover from an incomplete implementation (perhaps something was meant to be appended to the scope). The line should be removed as dead code.

Check warning on line 55 in examples/server/src/README-oauthWithoutDcr.md


@claude claude / Claude Code Review

README references wrong filename case (oauthWithoutDCR.ts vs oauthWithoutDcr.ts)

The README run commands on lines 51 and 57 reference `oauthWithoutDCR.ts` (uppercase DCR), but the actual file is `oauthWithoutDcr.ts` (lowercase). On case-sensitive filesystems (Linux), these commands will fail with file-not-found. The same typo appears in the .ts file's own usage comment (line 37).