MyApp.CharonOauth2.Plugs.AuthorizationEndpoint (CharonOauth2 v0.0.5)
The Oauth2 authorization endpoint.
This endpoint is meant to be combined with a first-party web client in which a user can grant or deny access.
So it does not, by itself, behave as an oauth2 authorization endpoint (for example, it only supports POST requests).
The endpoint returns a JSON response with 200 OK and a redirect_to parameter that the web client should then redirect to. The redirect URL may also carry an error result. However, some errors must not result in redirection, for example errors in validating the redirect URI itself, since the endpoint cannot safely send the user to a URI it could not validate. Such errors result in a 400 response with an error description, which the companion web client may show to the user at its discretion.

The user must be logged in using Charon (at least Charon.TokenPlugs.verify_token_signature/2 must have been called on the conn).
Behaviour
The endpoint essentially upserts a user's authorization for a client (if the request is valid, of course). A subtlety to note is that the endpoint does not ever reduce the authorized scopes, it only expands them. The reason for this is that an Oauth2 client may request multiple access tokens, some of which have a smaller scope than others. If we reduced the scopes to the request scope, the user would need to re-grant permission every time.
In other words, this endpoint is not intended to manage a user's authorizations. It is probably a good idea for a user to be able to fully revoke or reduce the scope of an authorization. For such purposes, applications can simply add authorization CRUD functionality to their API, using the MyApp.CharonOauth2.Authorizations functions.
Usage
```elixir
# In your Phoenix router; @config is the Charon config struct used by the rest of the app.
alias MyApp.CharonOauth2.Plugs.AuthorizationEndpoint

# this endpoint MUST only be useable by the first-party authorizing client!!!
forward "/oauth2/authorize", AuthorizationEndpoint, config: @config
```
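The snippet above only shows the `forward` line. As an added example (not CharonOauth2's own code), here is one way to put the two requirements stated on this page into a Phoenix router: the request must already carry a Charon token that `Charon.TokenPlugs.verify_token_signature/2` has verified, and the endpoint must only be reachable from the first-party web client. Everything beyond the `forward` line is an assumption: `MyAppWeb.Router` is a standard Phoenix router, `MyApp.Charon.config/0` is a hypothetical helper returning the Charon config, the plugs in `:charon_token` other than `verify_token_signature/2` are the usual Charon token pipeline as assumed here, and `MyAppWeb.FirstPartyOnly` is a hypothetical guard written for this example.

```elixir
# Added example, not part of CharonOauth2. Assumed names are marked below.
defmodule MyAppWeb.Router do
  use MyAppWeb, :router
  import Charon.TokenPlugs

  alias MyApp.CharonOauth2.Plugs.AuthorizationEndpoint

  # Assumed helper: builds the Charon config struct for this application.
  @config MyApp.Charon.config()

  pipeline :api do
    plug :accepts, ["json"]
  end

  # The page requires only that verify_token_signature/2 has run on the conn.
  # The other plugs are the usual Charon token checks (names assumed here) so
  # that an expired or not-yet-valid token is rejected before the endpoint runs.
  pipeline :charon_token do
    plug :get_token_from_auth_header
    plug :verify_token_signature, @config
    plug :verify_token_nbf_not_in_future
    plug :verify_token_exp_not_in_past
    # Assumed error handler: turns a token error into a 401 response and halts.
    plug :verify_no_auth_error, &MyAppWeb.AuthErrorHandler.handle/2
  end

  # Hypothetical guard: only browsers on the first-party origin may reach
  # the authorization endpoint at all.
  pipeline :first_party_only do
    plug MyAppWeb.FirstPartyOnly, origins: ["https://app.example.com"]
  end

  scope "/oauth2" do
    pipe_through [:api, :charon_token, :first_party_only]

    # this endpoint MUST only be useable by the first-party authorizing client!!!
    forward "/authorize", AuthorizationEndpoint, config: @config
  end
end

defmodule MyAppWeb.FirstPartyOnly do
  @moduledoc """
  Hypothetical plug (not part of CharonOauth2): lets the request through only
  when its Origin header matches one of the configured first-party origins.
  Requests without an Origin header, or with an unknown one, are rejected with
  403 and the pipeline is halted, so the authorization endpoint never runs.
  """
  import Plug.Conn

  def init(opts), do: Keyword.fetch!(opts, :origins)

  def call(conn, origins) do
    with [origin] <- get_req_header(conn, "origin"),
         true <- origin in origins do
      conn
    else
      _ ->
        conn
        |> put_resp_content_type("application/json")
        |> send_resp(403, ~s({"error":"forbidden","error_description":"not a first-party client"}))
        |> halt()
    end
  end
end
```

The ordering matters: `:charon_token` runs first so an unauthenticated caller gets the token error rather than a hint about origin policy, and `:first_party_only` halts before `forward` so a valid user token presented from some other origin still never reaches the endpoint. The origin check is a defence-in-depth measure on top of the token requirement, not a substitute for it.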