Personal

OAuth2 from Scratch

A from-scratch implementation of OAuth2 / OIDC sign-in for Google, GitHub, and Microsoft — no auth libraries, every step exposed.

TypeScript · Next.js · NestJS · OAuth2 · Security

Overview

An educational, production-shaped implementation of OAuth2 / OIDC sign-in built without authentication libraries — so every step of the flow is visible, including the parts a library would normally hide.

What I built

  • Full OAuth2 / OIDC flow for three providers: Google, GitHub, and Microsoft
  • State-based CSRF protection on the authorization request
  • Session management with short-lived (15-min) access JWTs and 7-day rotating refresh tokens stored in httpOnly cookies
  • Refresh-token reuse detection to catch stolen-token replay
  • Defense in depth — hashed token storage at rest, an explicit CORS allowlist, and live user lookup

Stack

Next.js (App Router) frontend · NestJS backend · TypeScript end-to-end.

Why it's interesting

Most apps treat OAuth as a black box. This project unpacks it — the token lifecycle, CSRF state, and refresh rotation are all implemented by hand, which makes the security trade-offs explicit rather than hidden behind a dependency.