summaryrefslogtreecommitdiff
path: root/issues
diff options
context:
space:
mode:
authorFrederick Muriuki Muriithi2023-05-08 10:58:52 +0300
committerFrederick Muriuki Muriithi2023-05-08 10:58:52 +0300
commit347c23c52b9cc9b3e960bbcd83874109797726f3 (patch)
treecc7a2a8728083d6f6efeb5f53a9cfc6907cddd6e /issues
parent041f9443810186e5b522abd5fb95ab00e0311434 (diff)
downloadgn-gemtext-347c23c52b9cc9b3e960bbcd83874109797726f3.tar.gz
Issues: New issue: Authorisation Code Flow
Add an issue detailing the current state and calling for the move over to the "Authorisation Code Flow" for better security and to enable easier integration with other applications.
Diffstat (limited to 'issues')
-rw-r--r--issues/authentication_authorisation/use-authorisation-code-flow-for-authentication.gmi25
1 files changed, 25 insertions, 0 deletions
diff --git a/issues/authentication_authorisation/use-authorisation-code-flow-for-authentication.gmi b/issues/authentication_authorisation/use-authorisation-code-flow-for-authentication.gmi
new file mode 100644
index 0000000..7a10fa9
--- /dev/null
+++ b/issues/authentication_authorisation/use-authorisation-code-flow-for-authentication.gmi
@@ -0,0 +1,25 @@
+# Use "Authorisation Code Flow" for Authentication
+
+## Tags
+
+* assigned: fredm
+* priority: critical
+* status: open
+* keywords: authentication, authorisation, oauth2, authorisation code flow
+* type: feature request, improvement
+
+## Description
+
+We use OAuth2 for our auth(entic|oris)ation system.
+
+Currently, the system is making use of the "Password Grant Flow"[0] which was easy to implement and use for verifying concepts during development, but is not recommended for actual web applications. This is because, the "Password Grant Flow"[0] is meant for highly-trusted applications.
+
+Instead, the OAuth2 specification recommends the use of the "Authorisation Code Flow"[1] (possibly with PKCE[2]) for web and mobile applications.
+
+With the "Authorisation Code Flow"[1] in place, we will also have the ability to reuse the auth(entic|oris)ation system for other applications, e.g. the QC App
+
+## Links
+
+=> https://oauth.net/2/grant-types/password/ 0
+=> https://oauth.net/2/grant-types/authorization-code/ 1
+=> https://www.oauth.com/oauth2-servers/pkce/ 2