feat: allow introspection and device code endpoints to use Federated Client Credentials #81

New Issue

Closed

opened 2025-07-08 08:39:14 -04:00 by AtHeartEngineer · 0 comments

AtHeartEngineer commented 2025-07-08 08:39:14 -04:00

Owner

Copy Link

Originally created by @ItalyPaleAle on 6/9/2025

Follow-up from #566 to complete the work started there

• Add support for using federated client credentials to the introspection endpoint, to validate auth and refresh tokens. Calls to the endpoint use Authorization: Bearer <jwt> for authorization.
• Add support for using federated client credentials to the device code endpoint
• As part of that change, and for other reasons discussed on Discord, the refresh token's format has changed, and it's now a JWT containing the actual refresh code (stored in the DB, hashed), plus the ID of the client that uses it and the ID of the user it belongs to
  • This is required because otherwise there's no way to know the client ID when introspecting a refresh token using federated client credentials
  • It also allows more careful database lookups
  • The RFC doesn't mandate anything about the format of refresh tokens, which are opaque strings for clients, so this remains fully-compliant

*Originally created by @ItalyPaleAle on 6/9/2025* Follow-up from #566 to complete the work started there - Add support for using federated client credentials to the introspection endpoint, to validate auth and refresh tokens. Calls to the endpoint use `Authorization: Bearer <jwt>` for authorization. - Add support for using federated client credentials to the device code endpoint - As part of that change, and for other reasons discussed on Discord, the refresh token's format has changed, and it's now a JWT containing the actual refresh code (stored in the DB, hashed), plus the ID of the client that uses it and the ID of the user it belongs to - This is required because otherwise there's no way to know the client ID when introspecting a refresh token using federated client credentials - It also allows more careful database lookups - The RFC doesn't mandate anything about the format of refresh tokens, which are opaque strings for clients, so this remains fully-compliant

AtHeartEngineer closed this issue 2025-07-08 08:39:14 -04:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

feat/kyles-pagination-attempt

i18n_crowdin

feat/self-host-icons

feat/pagination-improvements

slog-gorm

v1.11.2

v1.11.1

v1.11.0

v1.10.0

v1.9.1

v1.9.0

v1.8.1

v1.8.0

v1.7.0

v1.6.4

v1.6.3

v1.6.2

v1.6.1

v1.6.0

v1.5.0

v1.4.1

v1.4.0

v1.3.1

v1.3.0

v1.2.0

v1.1.0

v1.0.0

v0.53.0

v0.52.0

v0.51.1

v0.51.0

v0.50.0

v0.49.0

v0.48.0

v0.47.0

v0.46.0

v0.45.0

v0.44.0

v0.43.1

v0.43.0

v0.42.1

v0.42.0

v0.41.0

v0.40.1

v0.40.0

v0.39.0

v0.38.0

v0.37.0

v0.36.0

v0.35.6

v0.35.5

v0.35.4

v0.35.3

v0.35.2

v0.35.1

v0.35.0

v0.34.0

v0.33.0

v0.32.0

v0.31.0

v0.30.0

v0.29.0

v0.28.1

v0.28.0

v0.27.2

v0.27.1

v0.27.0

v0.26.0

v0.25.1

v0.25.0

v0.24.1

v0.24.0

v0.23.0

v0.22.0

v0.21.0

v0.20.1

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.0

v0.13.1

v0.13.0

v0.12.0

v0.11.0

v0.10.0

v0.9.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.1

v0.4.0

v0.3.1

v0.3.0

v0.2.1

v0.2.0

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels

breaking

breaking

breaking

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

dependencies

dependencies

dependencies

dependencies

dependencies

dependencies

dependencies

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

feature

go

go

javascript

javascript

javascript

javascript

javascript

javascript

needs more upvotes

needs more upvotes

needs more upvotes

needs more upvotes

needs more upvotes

needs more upvotes

open to pull requests

open to pull requests

open to pull requests

open to pull requests

open to pull requests

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

AtHeartEngineer

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/pocket-id#81