[OAUTH-WG] Listing OAuth Access Token Metadata

2022-04-02 Thread Dhaura Pathirana
Hi all, Currently, I am working on a proof of concept to implement Personal Access Tokens (PAT) as an OAuth2 custom grant type because of the similarities between OAuth2 and Personal Access Tokens (PAT). Since the PATs are created, managed and used by users, there is a requirement of listing the t

Re: [OAUTH-WG] Listing OAuth Access Token Metadata

2022-04-02 Thread David Waite
> On Apr 1, 2022, at 3:24 AM, Dhaura Pathirana wrote:
>
> I would like to know if anyone has seen this (listing token metadata) as a common use case in OAuth2 and a standard way of doing it had been proposed before?

OAuth Token Introspection (RFC 7662) defines a way to query for activ

Re: [OAUTH-WG] Listing OAuth Access Token Metadata

2022-04-03 Thread Takahiko Kawasaki
Dear Dhaura, My recommendation to you (undergraduate? LinkedIn says so) is to investigate the following as the first step. - ID Token (OpenID Connect Core 1.0, Section 2) - UserInfo Endpoint (OpenID Connect Core 1.0, Section 5.3) In general, inventing a new grant type should be the last

Re: [OAUTH-WG] Listing OAuth Access Token Metadata

2022-04-03 Thread Warren Parad
I'm tempted to say user created PATs are incompatible with OAuth, and OAuth already has a solution which avoids the user having to manually create these sorts of tokens. Is there a reason OAuth wouldn't be able to handle the specific use case? Warren Parad Founder, CTO Secure your user data with

Re: [OAUTH-WG] Listing OAuth Access Token Metadata

2022-04-05 Thread Dhaura Pathirana
Thank you all for the quick replies and I really appreciate the suggestions. One thing that I want to clarify is that, in this use case, the requirement is to list all the access tokens (metadata) (that belong to a single owner) issued for the custom grant but in the introspection specification on

Re: [OAUTH-WG] Listing OAuth Access Token Metadata

2022-04-06 Thread Warren Parad
For the listing of all the user's tokens, there isn't a standard for that. Additionally, these should still be OAuth flow generated tokens via that third party. OAuth tokens are for clients on behalf of users; your use case directly matches with the expectation of OAuth. Lastly, if you want to add an