Thanks for diving in, happy to answer.
In the initial oAuth PKCE flow, how can I do the ObtainToken API call using authorization code to get my first access token, without having to reveal the Application Secret? The doco for ObtainToken doesn’t disclose any support for the PKCE flow as far as I can see? I could proxy it, of course, but hoping not to do that, for obvious security reasons. (I understand it’ll be necessary to redirect the oAuth callback/“Redirect URL”, no issue)
When you are using PKCE, you call Authorize with a
code_challenge parameter (this is standard for PKCE, and is usually some kind of random string you sha256 encode). Then, when you call
ObtainToken you do not pass in an application secret, and instead pass in the
code_verifier which is the plaintext of whatever your
Similarly, when using ObtainToken with refresh token, how can we use ObtainToken without needing to reveal our App secret?
You can set the
grant_type to “refresh_token” and you won’t need to pass in a client_secret if the refresh_token was originally granted via a PKCE flow.
The PKCE documentation states that the refresh token will only work once; does that imply that a new refresh token will be supplied as part of the refresh process? Just to get a feel of the intention, is the shorter refresh token life mentioned 30 days or more?
Because the PKCE-issued Refresh Token doesn’t require a client_secret, we have a few additional safety mechanisms for those refresh tokens: They can only be used once, when you redeem it you’ll get a new RT back with the new AT; they also expire after 90 days.
Similarly, perhaps less importantly, RevokeToken also requires Application Secret - can this be done without revealing app secret?
Currently, you cannot revoke without supplying the client_secret, but we’re still in beta and would love feedback around that, and what the desired use case would be!
I think that covers your questions, but don’t hesitate to reach back out! We can also connect on the buildwithsquare slack if you’d like something a little more realtime, just let me know!