Skip to content

[RFC]: Implement OAuth PKCE #14

Description

@OverDsh

Feature Description
Add the core authentication endpoints to the Roger Protocol to support the OAuth2 PKCE (Proof Key for Code Exchange) flow, enabling secure client login (especially for CLIs and mobile apps) without requiring client secrets.

Implementation Details
Create a new core domain auth (src/core/auth) and create the following endpoints:

GET /auth/authorize (Browser Flow)

This endpoint must be opened by the user in a web browser. The node should display a login page/confirmation page.
The query parameters are:

  • response_type: must be set to "code"
  • client_id: placeholder for OAuth compliance
  • redirect_uri: the uri the node should call with the authorization_code and state
  • code_challenge: a sha-256 hash of your code_verifier
  • code_challenge_method: must be set to "S256"
  • state: a random string preventing attacker websites from calling the redirect uri with an attacker authorization_code

The responses are:

  • 200 (OK): Render html page
  • 302 (Redirect): Redirect back to redirect_uri with code and state

POST /auth/token

Exange an authorization_code + code_verifier (unhashed) for tokens
Request body:

  • grant_type: must be set to "authorization_code"
  • code: the authorization_code given by the node
  • code_verifier: your unhashed code_verifier

Response:

{
 "access_token": "ey23gjfID8...",
 "refresh_token": "rfr_3498j...",
 "token_type": "Bearer",
 "expires_in": 3600,
 "expires_at": "2026-06-25T21:11:31Z"
}

  • I checked that my feature request isn't a duplicate.
  • I have read the CONTRIBUTING.md file.
  • I certify that this contribution is my own original work, or that I have the clear legal right to submit it under the project's Apache License 2.0.

Metadata

Metadata

Assignees

Fields

No fields configured for Feature.

Projects

No projects

Relationships

None yet

Development

No branches or pull requests

Issue actions