Feature Description
Add the core authentication endpoints to the Roger Protocol to support the OAuth2 PKCE (Proof Key for Code Exchange) flow, enabling secure client login (especially for CLIs and mobile apps) without requiring client secrets.
Implementation Details
Create a new core domain auth (src/core/auth) and create the following endpoints:
GET /auth/authorize (Browser Flow)
This endpoint must be opened by the user in a web browser. The node should display a login page/confirmation page.
The query parameters are:
- response_type: must be set to "code"
- client_id: placeholder for OAuth compliance
- redirect_uri: the uri the node should call with the authorization_code and state
- code_challenge: a sha-256 hash of your code_verifier
- code_challenge_method: must be set to "S256"
- state: a random string preventing attacker websites from calling the redirect uri with an attacker authorization_code
The responses are:
- 200 (OK): Render html page
- 302 (Redirect): Redirect back to redirect_uri with code and state
POST /auth/token
Exange an authorization_code + code_verifier (unhashed) for tokens
Request body:
- grant_type: must be set to "authorization_code"
- code: the authorization_code given by the node
- code_verifier: your unhashed code_verifier
Response:
{
"access_token": "ey23gjfID8...",
"refresh_token": "rfr_3498j...",
"token_type": "Bearer",
"expires_in": 3600,
"expires_at": "2026-06-25T21:11:31Z"
}
Feature Description
Add the core authentication endpoints to the Roger Protocol to support the OAuth2 PKCE (Proof Key for Code Exchange) flow, enabling secure client login (especially for CLIs and mobile apps) without requiring client secrets.
Implementation Details
Create a new core domain
auth(src/core/auth) and create the following endpoints:GET /auth/authorize (Browser Flow)
This endpoint must be opened by the user in a web browser. The node should display a login page/confirmation page.
The query parameters are:
The responses are:
POST /auth/token
Exange an authorization_code + code_verifier (unhashed) for tokens
Request body:
Response:
{ "access_token": "ey23gjfID8...", "refresh_token": "rfr_3498j...", "token_type": "Bearer", "expires_in": 3600, "expires_at": "2026-06-25T21:11:31Z" }