Thom Seddon
I really like this changeset - Shell - great idea, this would be significantly more useful than the current "addclient" with no clear method to use it. I know this...
> But I'm not too sure of automatically decrypting client_secret in Client::afterFind().
> Queries for Client usually is performed against client_id. And decrypting is only needed for viewing secrets in...
Why can't we just use Security::rijndael with the random iv? And, I'm confused, a previous comment outlines the following behaviours:
- **encrypted**: client_secret
- **hashed**: auth_code, access_token, and refresh_token

But...
> We will need to know the client_id to get the encrypted access_tokens.access token.
> Then decrypt it to compare against $oauth_token from the request.

The access token is hashed,...
I think we (me) may have our wires crossed - in my opinion, the ideal would be to encrypt client_secret and hash access_token. Where we are at the moment is...
Awesome - sorry for the confusion
I've just implemented a complete rewrite using a newer library that actually looks a lot like this - I will use your ideas here to package it as a plugin...
Absolutely no worries, there's no expectation for you to maintain it :) Will get it done over coming weeks, will also try to start adding some tests!!
Yes it uses bshaffer's: https://github.com/bshaffer/oauth2-server-php and it does seem to have implicit grant. I have started this but getting the required functionality into an authenticate object has proved a little...
It will probably take a few more weeks to get it out, sorry if it doesn't sit well with your schedules