...
To securely support OAuth 2 public clients, these actions are needed (backfill this list with Jira tickets when confirmed):
- Support PKCE in the authorization code flow: PLFM-6337
- Add field to label OAuth 2 clients as either “public” or “confidential”; backfill existing clients as “confidential”: PLFM-6338
- Public clients should not be issued secrets
- Note: Refresh tokens become single-use bearer tokens.
- Public clients should be required to use PKCE
- Don’t save consent records for public OAuth clients: PLFM-6339
- Revoke the current iteration of a refresh token when an expired/used refresh token is used
To fully support Synapse command line clients, in addition to the above, we must:
- Add a bootstrapped OAuth client for Synapse command line apps: PLFM-6340
- Add service to issue a (user-authenticated) refresh token for the Synapse command line apps OAuth client: PLFM-6341
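The two lists above ask for three mechanisms: PKCE in the authorization code flow, single-use refresh tokens whose reuse (or use after expiry) revokes the current iteration, and a refresh token issued to a public command line client that holds no secret. The following is an added example, not Synapse code and not tied to any of the tickets listed; it shows the S256 verifier/challenge computation from RFC 7636 and an in-memory refresh token store with rotation and reuse detection. The client id `synapse-cli-example`, the user id, and all helper names are constructed for the illustration.

```python
"""Added example (not Synapse code): PKCE S256 and single-use refresh tokens
with reuse detection for a public OAuth 2 client. All ids are constructed."""
import base64
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 uses for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> Tuple[str, str]:
    """Client side: 32 random bytes give a 43-character code_verifier; the
    code_challenge is BASE64URL(SHA256(code_verifier)) (method S256)."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def pkce_verifies(code_verifier: str, stored_challenge: str) -> bool:
    """Server side at the token endpoint: recompute S256 over the presented verifier
    and compare with the challenge saved alongside the authorization code."""
    if not 43 <= len(code_verifier) <= 128:      # length limits from RFC 7636 section 4.1
        return False
    recomputed = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, stored_challenge)


@dataclass
class RefreshTokenRecord:
    family: str        # all rotations of one grant share a family id
    user_id: str
    client_id: str
    created_at: float
    used: bool = False


class RefreshTokenStore:
    """Single-use refresh tokens for a public client (no client secret is checked,
    only the client_id the token was bound to). Each rotation retires the presented
    token and issues a successor in the same family. Presenting a token that was
    already used, or has expired, revokes the whole family, so the current
    iteration held by whoever replayed the token stops working and the user has
    to re-authorize."""

    def __init__(self, ttl_seconds: float = 30 * 24 * 3600):
        self.ttl = ttl_seconds
        self.tokens: Dict[str, RefreshTokenRecord] = {}

    def issue_initial(self, user_id: str, client_id: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = RefreshTokenRecord(secrets.token_hex(8), user_id, client_id, now)
        return token

    def rotate(self, presented: str, client_id: str, now: float) -> Optional[str]:
        rec = self.tokens.get(presented)
        if rec is None or rec.client_id != client_id:
            return None                                  # unknown token or wrong client
        if rec.used or now - rec.created_at > self.ttl:
            self._revoke_family(rec.family)              # reuse/expiry: kill current iteration
            return None
        rec.used = True
        successor = secrets.token_urlsafe(32)
        self.tokens[successor] = RefreshTokenRecord(rec.family, rec.user_id, client_id, now)
        return successor

    def _revoke_family(self, family: str) -> None:
        for token in [t for t, r in self.tokens.items() if r.family == family]:
            del self.tokens[token]


def demo() -> Dict[str, bool]:
    """Walks both flows with constructed ids and returns the observations."""
    verifier, challenge = make_pkce_pair()
    store = RefreshTokenStore(ttl_seconds=3600)
    t0 = 1_700_000_000.0
    rt1 = store.issue_initial("user-123", "synapse-cli-example", t0)  # constructed ids
    rt2 = store.rotate(rt1, "synapse-cli-example", t0 + 60)            # normal rotation
    replay = store.rotate(rt1, "synapse-cli-example", t0 + 120)        # rt1 presented again
    after = store.rotate(rt2, "synapse-cli-example", t0 + 180)         # rt2 is now dead too
    stale = RefreshTokenStore(ttl_seconds=10)
    old = stale.issue_initial("user-123", "synapse-cli-example", t0)
    expired = stale.rotate(old, "synapse-cli-example", t0 + 11)
    return {
        "pkce_ok": pkce_verifies(verifier, challenge),
        "pkce_wrong_verifier": pkce_verifies(make_pkce_pair()[0], challenge),
        "rotated": rt2 is not None and rt2 != rt1,
        "replay_rejected": replay is None,
        "family_revoked": after is None,
        "expired_rejected": expired is None,
    }


if __name__ == "__main__":
    print(demo())
```

Revoking the whole family on reuse is what makes a single-use refresh token safe as a bearer credential for a client that holds no secret: whichever party (legitimate client or a copy) presents the stale token second, the successor is invalidated and the user has to authorize again, which also surfaces the theft.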
Background
There are currently many ways to authenticate a request to Synapse, including
...