glow_auth

Functions

pub fn main() -> Nil

Endpoints

https://datatracker.ietf.org/doc/html/rfc6749#section-3o) OAuth2 defines two authorization server endpoints:

  • Authorization endpoint - obtain auth from resource owner via rediredct

    • MAY have query component
    • MUST NOT have fragment component
    • MUST use TLS
    • MUST support GET method
    • MAY support POST as well
    • Params without value MUST be same as omission
    • No repeat params
    • MUST include response_type RESPONSE
    • MUST include “code” for AuthCode, “token” for Implicit
    • MUST return error if response_type is missing or misunderstood
  • Token endpoint - used to retrieve a token

    • MAY have query component
    • MUST NOT have fragment component
    • MUST use TLS
    • MUST be “POST”
    • Params without value MUST be same as omission
    • No repeat params
    • scope space-delimited case insensitive strings defined by auth server
      • MAY full or partly ignore
      • If different, MUST include scope in response
      • A default must be defined

… and one client endpoint

  • Redirection endpoint - auth server redirects user here with a cred or code
    • MAY have query component
    • MUST NOT have fragment component
    • SHOULD use TLS for “code” or “token”
    • Typically are registered in advance of usage
    • Receiving response SHOULD NOT do js, but redirect again without exposing creds

AuthCode flow

Generate an authorisation uri, used by AuthCode and Implicit flows Fetch a token using ‘code’ from authorisation uri redirect Decode token response

Refresh flow

Fetch a token using ‘refresh’ token Decode token response

ClientCredentials flow

Fetch a token Decode token response

Requesting resources

Append a token to a request header Detect token is expiring, and deal

  • Use refresh flow if given a refresh token in a token response
  • Use plain fetch a token if ClientCredentials flow

Considering concurrency

Receiving a code in an AuthCode flow redirect:

  • If an auth code is used more than once, it MUST be denied, and all tokens previously issued based on it