Differences

projects:member_portal:oauth [2025/10/13 11:15] samp20projects:member_portal:oauth [2025/10/13 12:14] (current) samp20
Line 5: Line 5:
 ^ Column ^ Type ^ Obtained from ^ Description ^ ^ Column ^ Type ^ Obtained from ^ Description ^
 | id | UUID | Generated | ID to keep track of the request | | id | UUID | Generated | ID to keep track of the request |
-secret | str | Generated | Secret stored in a flow cookie |+token_hash | str | Generated | Hash of a secret token stored in a flow cookie |
 | session_id | Optional FK | Logged in session | Associated login session | | session_id | Optional FK | Logged in session | Associated login session |
 | client_id | FK | Query string | The OAuth client sending this request | | client_id | FK | Query string | The OAuth client sending this request |
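Review bot: replacing the stored secret with a token_hash is the right move, but the row should now say how the hash is produced and used: the "Obtained from" cell still reads "Generated" while the description says the column holds a hash of a generated secret. State that the raw token is generated from a CSPRNG, that only its hash (for example SHA-256, since a high-entropy random token needs no salt) is persisted, and that the flow cookie is validated by hashing the presented value and matching on token_hash, so the raw secret never reaches the database. Suggested wording: `| token_hash | str | Derived from a generated secret | SHA-256 hash of the random token stored in the flow cookie |`.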
Line 51: Line 51:
 Note that only ''azp'' is missing from  the OpenID core spec as we don't plan to use any extensions to the spec. Note that only ''azp'' is missing from  the OpenID core spec as we don't plan to use any extensions to the spec.
  
 +==== The access and refresh tokens ====
  
 +While the Hackspace services might be spread across multiple servers, we will use a single logical API approach for our access tokens. This means that all scopes will be part of a single global namespace. For example ''email:send'' might allow sending emails via and email service.
 +
 +The Access token will be a transparent signed JWT with the following claims:
 +
 +^ Claim ^ Description ^ Obtained from ^
 +| iss | Issuer of the token | The portal base URL |
 +| sub | Subject | The user or client subject depending on whether it was a Authorization Code flow, or Client Credentials |
 +| aud | The global scope namespace | Configuration value e.g. ''hackspace'' |
 +| exp | Expiry | Relatively short configuration value e.g. 1 hour |
 +| iat | Issued at | Timestamp when the token was created |
 +| jti | Unique identifier | Randomly generated |
 +| client_id | Client identifier | The OAuth client that requested the token |
 +| scope | Granted scopes | Requested scopes filtered by the user's permissions |
 +
 +The refresh token will be an opaque token with a corresponding table containing the same information as the access token. The table may also contain a reference to the user's session ID so the token can be revoked if the session ends.
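Review bot: the refresh token table should store a hash of the opaque token rather than the token itself, consistent with the token_hash change made to the flow table in the first hunk; as written, "a corresponding table containing the same information as the access token" reads as if the raw refresh token is the row key, which makes a database read a full credential leak. The JWT claim table also says the access token is "transparent signed" but never records the signing algorithm or a key identifier that resource servers must check; add a line such as "signed with <algorithm> under key id <kid>" (values to be decided) so verifiers can pin the algorithm and reject unsigned or mis-signed tokens. Two typos in the added prose: "via and email service" should be "via an email service", and "a Authorization Code flow" should be "an Authorization Code flow".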
  • projects/member_portal/oauth.1760354116
  • Last modified: 8 weeks ago
  • by samp20