miniluz / AstronAuth

Implementation of OAuth 2.0
MIT License

Decide authorization database structure #11

Open miniluz opened 2 months ago

miniluz commented 2 months ago

The structure of the database needs to be provided based on the OAuth 2.0 RFC and on the architecture.

miniluz commented 2 months ago

First of all, a client registration endpoint is needed. Only public clients will be supported. They will be asked for a name and a single, concrete redirect URI and will be returned a UUID.

miniluz commented 2 months ago

A table is also needed for the given authorization codes that stores the proof needed for PKCE, along with the user and scope, created time, expiring time and validity.

Similarly, a table is needed for the granted tokens with the same structure: user, tags, created time, expiring time and validity.

These two tables should only be accessible by the administration server, requiring a change in the architecture:

```text
   +---------------+                                                 +---------------+
   |  Code & Token |                                                 |  Code & Token |
   |   Database    |                                                 |   Database    |
   |    (Users)    |                                                 |   (Clients)   |
   +---------------+                                                 +---------------+
           ^                                                                 ^
           RW                                                                RW
   +-------|-------+     +---------------+     +---------------+     +-------|-------+     +---------------+
   | Authorization |     |      User     |     | Configuration |     | Authorization |     |      User     |
   |    Server     --R-->|    Database   |<-RW--    Server     |     |    Server     --R-->|    Database   |
   |    (Users)    |     |    (Users)    |     |   (Clients)   |     |   (Clients)   |     |   (Clients)   |
   +---------------+     +---------------+     +---------------+     +---------------+     +---------------+
           ^                                           ^                     ^
           |                                           |                     |
        logs in                                    accesses            authenticates
         using                                         +---------------------+
           |                                           |
   +-------|-------+                           +-------|-------+
   |               |                           |               |
   |     Users     |                           |    Clients    |
   |               |                           |               |
   +---------------+                           +---------------+
```
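As an added illustration of the tables proposed in the two comments above (this is example code written for this discussion, not AstronAuth's own code), the block below creates a SQLite schema for the clients table, the authorization-code table with its PKCE proof, and the token table, and then shows the checks the authorization server would run against those rows at the token endpoint: exact-match redirect URI, single use of the code, expiry, client binding, and the S256 `code_verifier`/`code_challenge` comparison from RFC 7636. Table and column names, the UUID client id, and the `open_db`/`register_client`/`issue_code`/`redeem_code` functions are all assumptions for this example; only the S256 method is accepted, and the RFC 7636 Appendix B verifier/challenge pair is used as sample input.

```python
import base64
import hashlib
import secrets
import sqlite3
import uuid
from datetime import datetime, timedelta, timezone

# Assumed schema (example only). `valid` is cleared on first use or revocation,
# so a reused code or a revoked token fails independently of its expiry time.
SCHEMA = """
CREATE TABLE clients (
    client_id    TEXT PRIMARY KEY,          -- UUID handed out at registration
    name         TEXT NOT NULL,
    redirect_uri TEXT NOT NULL              -- single, concrete redirect URI
);
CREATE TABLE authorization_codes (
    code                  TEXT PRIMARY KEY,
    client_id             TEXT NOT NULL REFERENCES clients(client_id),
    user_id               TEXT NOT NULL,
    scope                 TEXT NOT NULL,
    code_challenge        TEXT NOT NULL,    -- PKCE proof captured at /authorize
    code_challenge_method TEXT NOT NULL,
    created_at            TEXT NOT NULL,
    expires_at            TEXT NOT NULL,
    valid                 INTEGER NOT NULL DEFAULT 1
);
CREATE TABLE tokens (
    token      TEXT PRIMARY KEY,
    client_id  TEXT NOT NULL REFERENCES clients(client_id),
    user_id    TEXT NOT NULL,
    scope      TEXT NOT NULL,
    created_at TEXT NOT NULL,
    expires_at TEXT NOT NULL,
    valid      INTEGER NOT NULL DEFAULT 1
);
"""


def now() -> datetime:
    return datetime.now(timezone.utc)


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def register_client(conn, name: str, redirect_uri: str) -> str:
    """Public-client registration: store name + one redirect URI, return a UUID."""
    client_id = str(uuid.uuid4())
    conn.execute("INSERT INTO clients VALUES (?, ?, ?)", (client_id, name, redirect_uri))
    return client_id


def redirect_uri_matches(conn, client_id: str, redirect_uri: str) -> bool:
    """Exact string comparison; no prefix or wildcard matching for the single URI."""
    row = conn.execute("SELECT redirect_uri FROM clients WHERE client_id = ?", (client_id,)).fetchone()
    return row is not None and row[0] == redirect_uri


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_code(conn, client_id, user_id, scope, code_challenge,
               method="S256", ttl=timedelta(minutes=10)) -> str:
    """/authorize step: persist the code together with the PKCE challenge."""
    code = secrets.token_urlsafe(32)
    t = now()
    conn.execute("INSERT INTO authorization_codes VALUES (?,?,?,?,?,?,?,?,1)",
                 (code, client_id, user_id, scope, code_challenge, method,
                  t.isoformat(), (t + ttl).isoformat()))
    return code


def redeem_code(conn, code, client_id, code_verifier, ttl=timedelta(hours=1)):
    """/token step: returns a new access token, or None on any failed check."""
    row = conn.execute(
        "SELECT client_id, user_id, scope, code_challenge, code_challenge_method, "
        "expires_at, valid FROM authorization_codes WHERE code = ?", (code,)).fetchone()
    if row is None:
        return None
    db_client, user_id, scope, challenge, method, expires_at, valid = row
    # Burn the code before validating so a second attempt fails regardless of outcome.
    conn.execute("UPDATE authorization_codes SET valid = 0 WHERE code = ?", (code,))
    if not valid or db_client != client_id:
        return None
    if now() >= datetime.fromisoformat(expires_at):
        return None
    if method != "S256" or not secrets.compare_digest(s256_challenge(code_verifier), challenge):
        return None
    token = secrets.token_urlsafe(32)
    t = now()
    conn.execute("INSERT INTO tokens VALUES (?,?,?,?,?,?,1)",
                 (token, client_id, user_id, scope, t.isoformat(), (t + ttl).isoformat()))
    return token
```

The `valid` flag is flipped before the verifier is checked so that a code presented twice is rejected even when the first presentation was itself invalid; the same column on `tokens` gives the administration server a place to revoke a token without deleting its row.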