MyApp.CharonOauth2.Plugs.TokenEndpoint (CharonOauth2 v0.0.5)
The OAuth2 token endpoint.

There is no need to pass the conn through Plug.Parsers, because the endpoint does so by itself. It only accepts the content type application/x-www-form-urlencoded with UTF-8 params. The exceptions raised by Plug.Parsers simply bubble up; your application must return appropriate responses for them (Phoenix applications should do so by default).
Usage
alias Elixir.MyApp.CharonOauth2.Plugs.TokenEndpoint
# this endpoint must be public, without any additional authentication requirements
forward "/oauth2/token", TokenEndpoint, config: @config
Client authentication
Confidential clients must authenticate using their client secret (public clients may do so too, although there would be little point in it if they can't keep their secret, you know, secret).

HTTP Basic authentication takes precedence over request-body credentials. Although the spec says clients must not use more than one authentication method, it doesn't say authorization servers should reject such requests, so we simply decided that HTTP Basic takes priority, because the same spec says that HTTP Basic, at least, must be supported for clients that identify using a client password.

If HTTP Basic auth is used, an authentication failure results in a 401 response with the "www-authenticate" header set to "Basic", instead of the "normal" 400-with-JSON error response.
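The precedence rule above, as an added example that is not CharonOauth2's own code (written in Python rather than Elixir so it runs stand-alone): HTTP Basic credentials win over body credentials, a Basic failure answers 401 with www-authenticate: Basic, and a body failure answers the 400 JSON error. The CLIENTS registry and the basic_header helper are constructed for the example.

```python
import base64
import hmac

# Constructed client registry for this example: client_id -> (secret, confidential?)
CLIENTS = {
    "conf-client": ("s3cret", True),
    "pub-client": ("pub-secret", False),
}


def parse_basic(headers: dict):
    """(client_id, secret) from an HTTP Basic header; (None, None) if the header is
    present but malformed; None if no Basic header was sent at all."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return (None, None)
    client_id, sep, secret = decoded.partition(":")
    return (client_id, secret) if sep else (None, None)


def basic_header(client_id: str, secret: str) -> dict:
    """Build the Authorization header a client would send (helper for the demo)."""
    token = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    return {"authorization": f"Basic {token}"}


def authenticate_client(headers: dict, params: dict) -> dict:
    """HTTP Basic credentials take precedence over request-body credentials. A Basic
    failure answers 401 + www-authenticate: Basic; a body failure answers 400 JSON."""
    basic = parse_basic(headers)
    if basic is not None:
        method, (client_id, secret) = "basic", basic
    else:
        method, client_id, secret = "body", params.get("client_id"), params.get("client_secret")
    def failure() -> dict:
        if method == "basic":
            return {"status": 401, "headers": {"www-authenticate": "Basic"}, "body": {}}
        return {"status": 400, "headers": {}, "body": {"error": "invalid_client"}}
    entry = CLIENTS.get(client_id)
    if entry is None:
        return failure()
    expected, confidential = entry
    if secret is None:  # only public clients may omit the secret
        return failure() if confidential else {"status": 200, "client_id": client_id}
    if not hmac.compare_digest(secret.encode(), expected.encode()):
        return failure()
    return {"status": 200, "client_id": client_id}
```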
Authorization code with Proof Key for Code Exchange (PKCE) enforced
The OAuth 2.1 draft spec recommends enforcing PKCE for the authorization_code grant under all circumstances. That is what we do.
Sessions
Tokens handed out by this endpoint are backed by a server-side session (which, by default, is only loaded on refresh). The session type is :oauth2, separating these sessions from other sessions that the user may have in Charon. The purpose of this separation is to be able to call delete-all without dropping oauth2-client connections, or the other way around.