API Authentication

[mike-pisman]

The server should provide a method for registering apps, and use appropriate Client ID and Client Secret for refreshing an access token.

Documentation and Standards

Browser Base Apps

Check OAuth documentation to learn more about Client ID and Secret, specifically sections 5, 8, 7.1, and 12.7

Additional information can be found in IETF standard

Native apps

For best practices regarding native applications(android, ios, mac, linux, etc) check RFC 8252

Authentication Flow

Summary

In short, according to the documentation, since browser based apps cannot store secrets securely, they either should not be able to refresh Auth token at all, or use alternative flow(3 common patterns listed bellow) with PKCE implementation. This also refferse to use of cookies, since they are directly related to access tokens.

Since native Apps, like the upcoming mobile app, can store client secret securely(embedded in the source code), there is no need for alternative flow. However, the client(application) needs to be registered with the server before initiating communication.

The 3 recommended flows are:

• Backend For Frontend (BFF)
• Token-Mediating Backend
• Browser-based OAuth 2.0 client

Task list

Server side

• [FEAT]: Client ID and Client Secret api#84
• Modify authentication to provide refresh token only if the app supplies correct Client ID and Secret
• Improve cookie handling
• Add Token-Mediating Backend or BFF for browser applications

Admin UI

• Add interactive way to generate/regenerate/delete credentials in the Admin Web UI

Mobile App

• Add Client ID and Secret to configuration

Web App

• Generate PKCE token and exchange for an access token
• Replaces JWT authorization with cookies