Implements OAuth 2.0/2.1 authorization flows in Fastify applications — configures authorization code with PKCE, client credentials, device flow, refresh token rotation, JWT validation, and token introspection/revocation endpoints. Use when setting up authentication, authorization, login flows, access tokens, API security, or securing Fastify routes with OAuth; also applies when troubleshooting token validation errors, mismatched redirect URIs, CSRF issues, scope problems, or RFC 6749/6750/7636/8252/8628 compliance questions.
Score 94. Does it follow best practices? 95%. Impact: 93%. 1.40x average score across 5 eval scenarios. Passed, no known issues.
A platform team is building a lightweight OAuth authorization server component in Fastify that will issue short-lived access tokens to internal microservices using the client credentials flow. The service will expose a /token endpoint that microservices can call to obtain JWTs for service-to-service communication.
During a threat model review, the security team flagged two concerns: the token endpoint must be protected from brute-force and credential-stuffing attacks, and all communication must use TLS — the service should refuse to issue tokens if the request came in over plain HTTP. The service will only be deployed behind an HTTPS load balancer, but the code itself should enforce these constraints.
Produce a TypeScript Fastify application with the following files:
package.json — listing all required dependencies
plugins/oauth.ts — OAuth client credentials plugin setup
routes/token.ts — the /token endpoint implementation
middleware/security.ts — any rate limiting or HTTPS enforcement logic
Read server credentials from environment variables: CLIENT_ID, CLIENT_SECRET, AUTH_SERVER.
No need to start a server or connect to a live identity provider. Produce only the source files.
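The security logic this scenario asks for, as an added example that is not the page's own code and not code from any Fastify project: HTTPS enforcement that trusts X-Forwarded-Proto only when the TCP peer is a configured load balancer (otherwise any client could forge the header), per-source and per-client_id brute-force limiting, constant-time client-secret comparison, client authentication via HTTP Basic as RFC 6749 section 2.3.1 requires (with body parameters as the fallback), and HS256 JWT issuance and verification. It is written framework-neutral so it runs without Fastify; the names `handleToken`, `FixedWindowLimiter`, `isSecure`, the 300-second lifetime and the error mapping are my choices, and the Fastify wiring and environment-variable loading the scenario mentions are left out.

```typescript
// Added example (not from the page or any Fastify project); assumes Node's crypto module.
import { createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";

export interface TokenRequest {
  protocol: "http" | "https"; remoteAddress: string;          // what the local socket saw
  headers: Record<string, string | undefined>; body: Record<string, string | undefined>;
}
export interface RegisteredClient { secretHash: Buffer; scopes: string[] }
export interface ServerContext {
  issuer: string; audience: string; signingKey: Buffer;
  trustedProxies: Set<string>;                // load balancers allowed to set X-Forwarded-*
  clients: Map<string, RegisteredClient>;
  ipLimiter: FixedWindowLimiter;              // attempts per source address
  failureLimiter: FixedWindowLimiter;         // failed authentications per client_id
  now?: () => number;                         // injectable clock in ms (defaults to Date.now)
}
export type TokenResult = { status: number; body: Record<string, string | number> };
export interface Claims { iss: string; sub: string; aud: string; scope: string; iat: number; exp: number; jti: string }

// Fixed-window counter; fine for one instance, use a shared store across replicas.
export class FixedWindowLimiter {
  private counts = new Map<string, { n: number; start: number }>();
  constructor(private limit: number, private windowMs: number, private now: () => number = Date.now) {}
  private bucket(key: string) {
    const t = this.now();
    let b = this.counts.get(key);
    if (!b || t - b.start >= this.windowMs) { b = { n: 0, start: t }; this.counts.set(key, b); }
    return b;
  }
  exhausted(key: string): boolean { return this.bucket(key).n >= this.limit; }
  hit(key: string): boolean { const b = this.bucket(key); b.n += 1; return b.n <= this.limit; }
}

// Trust X-Forwarded-* only when the TCP peer is a configured load balancer; anyone else could forge it.
export function isSecure(req: TokenRequest, trustedProxies: Set<string>): boolean {
  if (req.protocol === "https") return true;
  if (!trustedProxies.has(req.remoteAddress)) return false;
  return (req.headers["x-forwarded-proto"] ?? "").split(",")[0].trim().toLowerCase() === "https";
}
export function sourceAddress(req: TokenRequest, trustedProxies: Set<string>): string {
  if (!trustedProxies.has(req.remoteAddress)) return req.remoteAddress;
  const xff = (req.headers["x-forwarded-for"] ?? "").split(",").map((s) => s.trim()).filter(Boolean);
  return xff.length ? xff[xff.length - 1] : req.remoteAddress;   // last hop is the one our proxy appended
}

export const hashSecret = (s: string): Buffer => createHash("sha256").update(s).digest();
const DUMMY_HASH = hashSecret("");
const b64url = (b: Buffer): string => b.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// RFC 6749 2.3.1: HTTP Basic with form-urlencoded id:secret is the required method; body params are a fallback.
function clientCredentials(req: TokenRequest): [string, string] | null {
  const auth = req.headers["authorization"];
  if (auth && /^basic /i.test(auth)) {
    const [id, ...rest] = Buffer.from(auth.slice(6), "base64").toString("utf8").split(":");
    try { return id && rest.length ? [decodeURIComponent(id), decodeURIComponent(rest.join(":"))] : null; }
    catch { return null; }
  }
  const { client_id, client_secret } = req.body;
  return client_id && client_secret ? [client_id, client_secret] : null;
}

export function signJwt(claims: Claims, key: Buffer): string {
  const header = b64url(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const payload = b64url(Buffer.from(JSON.stringify(claims)));
  const sig = createHmac("sha256", key).update(`${header}.${payload}`).digest();
  return `${header}.${payload}.${b64url(sig)}`;
}
// Node's "base64" decoder also accepts the URL-safe alphabet, so no un-escaping is needed here.
export function verifyJwt(token: string, key: Buffer, nowMs = Date.now()): Claims | null {
  const [h, p, s] = token.split(".");
  if (!h || !p || !s) return null;
  const expected = createHmac("sha256", key).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, "base64");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(p, "base64").toString("utf8")) as Claims;
  return typeof claims.exp === "number" && claims.exp * 1000 > nowMs ? claims : null;
}

export function handleToken(req: TokenRequest, ctx: ServerContext): TokenResult {
  const err = (status: number, error: string, d: string): TokenResult => ({ status, body: { error, error_description: d } });
  if (!isSecure(req, ctx.trustedProxies)) return err(400, "invalid_request", "token endpoint requires TLS");
  if (!ctx.ipLimiter.hit(sourceAddress(req, ctx.trustedProxies))) return err(429, "temporarily_unavailable", "too many requests");
  if (req.body["grant_type"] !== "client_credentials") return err(400, "unsupported_grant_type", "only client_credentials is offered");
  const creds = clientCredentials(req);
  if (!creds) return err(401, "invalid_client", "client authentication required");
  const [clientId, secret] = creds;
  if (ctx.failureLimiter.exhausted(clientId)) return err(429, "temporarily_unavailable", "client temporarily locked");
  const client = ctx.clients.get(clientId);
  // Always hash and compare, so an unknown client_id costs the same time as a wrong secret.
  const match = timingSafeEqual(hashSecret(secret), client?.secretHash ?? DUMMY_HASH);
  if (!client || !match) { ctx.failureLimiter.hit(clientId); return err(401, "invalid_client", "bad client credentials"); }
  const scopes = (req.body["scope"] ?? "").split(" ").filter(Boolean);
  if (scopes.some((s) => !client.scopes.includes(s))) return err(400, "invalid_scope", "scope not granted to this client");
  const iat = Math.floor((ctx.now ?? Date.now)() / 1000);
  const token = signJwt({ iss: ctx.issuer, sub: clientId, aud: ctx.audience, scope: scopes.join(" "),
                          iat, exp: iat + 300, jti: b64url(randomBytes(16)) }, ctx.signingKey);
  return { status: 200, body: { access_token: token, token_type: "Bearer", expires_in: 300 } };
}
```

In a Fastify plugin this would sit in an `onRequest`/`preHandler` hook with `trustedProxies` taken from the load balancer's addresses and the limiter state moved to a shared store so every replica sees the same counts. Two deliberate choices worth keeping: the TLS check runs before any credential is read, so a plaintext request never reaches the secret comparison, and an unknown `client_id` still pays for a hash and a `timingSafeEqual`, so response timing does not reveal which identifiers exist. For production, store client secrets with a slow hash or in a secrets manager rather than plain SHA-256, and prefer an asymmetric signing key so resource servers can verify tokens without holding the HMAC secret.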