-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow clients to always exchange authorization codes at the token endpoint #58
Comments
Sounds good to me. |
Seems reasonable! |
Sounds fine to me. What would this mean for the spec? If the token endpoint can now handle all types of code exchanges, would this shorten 5.3? I am always for a shorter specification as it makes it less likely things are forgotten or left unimplemented. If the exchange with the authorization endpoint is kept for backwards compatibility reasons, should we discourage new clients of making that request at all? Possibly gearing up to deprecating that request entirely for a future IndieAuth update? |
Emphasis by me. When I was writing up #62 and rereading this issue, I realised that this does not seem to be in the current spec. Per the code exchange step in 5.3.3. a token endpoint should not return a token only if no scopes were granted. We should clarify how access tokens and the different profile scopes are related. More thoughts in #62. |
|
I believe this is addressed with the latest refresh. We can reopen if not. |
One of the last deviations from OAuth 2.0 is that currently the spec requires clients to send the authorization code back to the authorization endpoint for the "login" flow when the client doesn't expect an access token back. In OAuth 2.0, the authorization code is always exchanged at the token endpoint.
The reason for this behavior in IndieAuth was prior to the changes in #42 and #44, this allowed the authorization endpoint to be the only one that needed to be aware of user's URLs, and token endpoints could be standalone. The token endpoint could turn around and go verify the authorization code at the authorization endpoint.
I would like to suggest that the spec allows clients to be more like standard OAuth clients where they can always exchange the authorization code at the token endpoint, whether or not they expect an access token in the response or just the user's profile URL.
This wouldn't actually be a major change for current IndieAuth servers, since it's very likely that some of them already support this behavior at the token endpoint. It just means that the token endpoint would not throw an error if the authorization code had no scopes granted.
The proposed change would mean:
The text was updated successfully, but these errors were encountered: