Aero2
A full-stack OIDC (OpenID Connect) implementation built with React, Vite, Hono, and Cloudflare Workers.
Aero2 provides both an OIDC Provider (OP) for issuing tokens and a Relying Party (RP) for authenticating users via external identity providers like GitHub and Google.
Features
- OIDC Provider (OP) — Issue access tokens and ID tokens, manage OAuth clients, expose standard OIDC endpoints
- Relying Party (RP) — Authenticate users via GitHub, Google, or other OAuth2/OIDC providers
- Role-Based Access Control — Granular permissions with admin and user roles
- User Management — Automatic user creation and identity linking
- Edge Deployment — Runs on Cloudflare Workers with D1 database and Durable Objects
Security Highlights
- PKCE required (S256) for all authorization requests
- RS256-only algorithm restriction
- Refresh token HMAC hashing
- SSRF protection for IdP URLs
- CSRF protection via state validation, cookie binding, Origin/Referer checks
- HSTS and secure cookie attributes
Tech Stack
| Layer | Technology |
|---|---|
| Frontend | React 19 + TypeScript + Vite |
| Backend | Hono (edge-native web framework) |
| Database | Cloudflare D1 (SQLite) |
| Key Management | Durable Objects for JWKS rotation |
| Runtime | Cloudflare Workers |
| CI/CD | GitHub Actions |
Quick Links
- Quickstart — Get running locally in 5 minutes
- Development Workflow — CI/CD pipeline, environments, migrations
- API Reference — All endpoints documented
- Security Controls — Detailed security implementation
- Security Audit — Full codebase security analysis