Rostyslav Khoptiy
Implement PKCE for authorization code grant type, as per [RFC-7637](https://datatracker.ietf.org/doc/html/rfc7636): - add string fields `code_challenge` and `code_challenge_method` to `oauth_access_grants` table which will contain the PKCE information. Add instructions for upgrading....
Relevant to [issue](https://github.com/danschultzer/phoenix_oauth2_provider/issues/40) Implement token introspection as per [RFC-7662](https://datatracker.ietf.org/doc/html/rfc7662): - introspection works on either access token or refresh token - introspection only works for tokens from the provided client Useful...
Closes #40. Depends on https://github.com/danschultzer/ex_oauth2_provider/pull/90
Add endpoint for token introspection
Depends on https://github.com/danschultzer/ex_oauth2_provider/pull/91
Add support for sending `code_challenge` and `code_challenge_method` to underlying library on authorization code grant.
Split `oath_routes` into 2 separate macros to allow more granular control and for better protection of the `/oauth/application` endpoint, allowing for example only admins to view and manage their OAuth...
From what I can tell there currently isn't a way for a third party service to tell if an access token is still valid without querying the authorization server's DB...
Is there a way to disable the '/applications' routes (`/oauth/applications` in my case) or to enable them to only certain kinds of users (admins)? I want to be able to...