From 347c23c52b9cc9b3e960bbcd83874109797726f3 Mon Sep 17 00:00:00 2001 From: Frederick Muriuki Muriithi Date: Mon, 8 May 2023 10:58:52 +0300 Subject: Issues: New issue: Authorisation Code Flow Add an issue detailing the current state and calling for the move over to the "Authorisation Code Flow" for better security and to enable easier integration with other applications. --- ...-authorisation-code-flow-for-authentication.gmi | 25 ++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 issues/authentication_authorisation/use-authorisation-code-flow-for-authentication.gmi (limited to 'issues/authentication_authorisation') diff --git a/issues/authentication_authorisation/use-authorisation-code-flow-for-authentication.gmi b/issues/authentication_authorisation/use-authorisation-code-flow-for-authentication.gmi new file mode 100644 index 0000000..7a10fa9 --- /dev/null +++ b/issues/authentication_authorisation/use-authorisation-code-flow-for-authentication.gmi 
@@ -0,0 +1,25 @@ +# Use "Authorisation Code Flow" for Authentication + +## Tags + +* assigned: fredm +* priority: critical +* status: open +* keywords: authentication, authorisation, oauth2, authorisation code flow +* type: feature request, improvement + +## Description + +We use OAuth2 for our auth(entic|oris)ation system. + +Currently, the system is making use of the "Password Grant Flow"[0] which was easy to implement and use for verifying concepts during development, but is not recommended for actual web applications. This is because, the "Password Grant Flow"[0] is meant for highly-trusted applications. + +Instead, the OAuth2 specification recommends the use of the "Authorisation Code Flow"[1] (possibly with PKCE[2]) for web and mobile applications. + +With the "Authorisation Code Flow"[1] in place, we will also have the ability to reuse the auth(entic|oris)ation system for other applications, e.g. the QC App + +## Links + +=> https://oauth.net/2/grant-types/password/ 0 +=> https://oauth.net/2/grant-types/authorization-code/ 1 +=> https://www.oauth.com/oauth2-servers/pkce/ 2 -- cgit v1.2.3
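Review bot: the Description leaves PKCE optional ("possibly with PKCE[2]") while the same paragraph targets web and mobile applications, which are usually public clients that cannot keep a client secret; consider stating in this issue that PKCE is required for the Authorisation Code Flow, not optional. The issue would also be more actionable with acceptance criteria the implementer needs: exact-match registration and validation of redirect URIs, use of the `state` parameter against CSRF on the callback, and a migration plan for the clients currently using the "Password Grant Flow"[0] (including the QC App named as a future consumer). Minor: the last sentence of the Description ("e.g. the QC App") is missing its closing full stop.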