Currently our database contains just an access_tokens table, which stores authorization grants that haven't yet been approved (i.e., aren't yet valid access tokens).
In order to implement security features in OAuth such as PKCE, we'd need to store additional information with the authorization grant. Likewise, we'd need to adjust the access tokens model in order to support Refresh Grants (allowing shorter-lived access tokens).
Additionally in the OAuth flow, only specific grant types can pass certain parameters to the OAuth token endpoint, e.g., scope isn't valid for an authorization code grant.
Separating these tables would make our OAuth implementation more understandable.
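An added sketch, not part of the issue and not Hollo's code, of what a dedicated grant record makes possible: the PKCE challenge is stored with the authorization grant and checked when the code is redeemed, and `scope` is refused on the authorization code grant. The row shape, the in-memory `Map`, the ten-minute lifetime and the function names are all assumptions; rejecting `scope` instead of ignoring it is a choice made for this example.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Hypothetical row of a dedicated authorization-grant table (not Hollo's schema).
interface AuthorizationGrant {
  clientId: string;
  redirectUri: string;
  scopes: string[];
  codeChallenge: string; // PKCE challenge captured at the authorization step
  expiresAt: number;
  used: boolean;
}
interface TokenRequest {
  grant_type: string;
  code?: string;
  client_id?: string;
  redirect_uri?: string;
  code_verifier?: string;
  scope?: string;
}
interface TokenResult { ok: boolean; error?: string; scopes?: string[] }

const grants = new Map<string, AuthorizationGrant>(); // stands in for the table

// RFC 7636 S256 transform: BASE64URL(SHA256(code_verifier)).
function s256(verifier: string): string {
  return createHash("sha256").update(verifier, "ascii").digest("base64url");
}

function issueGrant(clientId: string, redirectUri: string, scopes: string[],
                    codeChallenge: string, now: number = Date.now()): string {
  const code = randomBytes(32).toString("base64url");
  grants.set(code, { clientId, redirectUri, scopes, codeChallenge,
                     expiresAt: now + 600_000, used: false });
  return code;
}

function redeemGrant(req: TokenRequest, now: number = Date.now()): TokenResult {
  if (req.grant_type !== "authorization_code") return { ok: false, error: "unsupported_grant_type" };
  // Design choice in this example: reject `scope` here; scopes come from the stored grant.
  if (req.scope !== undefined) return { ok: false, error: "invalid_request" };
  const grant = req.code ? grants.get(req.code) : undefined;
  const denied: TokenResult = { ok: false, error: "invalid_grant" };
  if (!grant || grant.used || grant.expiresAt <= now) return denied;
  if (grant.clientId !== req.client_id || grant.redirectUri !== req.redirect_uri) return denied;
  const expected = Buffer.from(grant.codeChallenge);
  const actual = Buffer.from(s256(req.code_verifier ?? ""));
  if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) return denied;
  grant.used = true; // single use: a replayed code is refused
  return { ok: true, scopes: grant.scopes };
}
```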
I expect that resolving this issue would likely mean that all access tokens / access grants would need to be invalidated, requiring people using Hollo to reauthenticate / log in again.