...
| Endpoint | Request Body | Response Body | Notes |
|---|---|---|---|
| | LoginRequest may support an additional boolean | In addition to the existing fields, LoginResponse will include | The tokens are bound to client 0, the “first-party” Synapse OAuth client. |
| | | Session can be extended to return an | This is the default login endpoint for users who sign in through external IdPs, like Google. |
| | None | Extension/replacement of Session as stated above, requiring a valid | This request requires a Session because a user must agree to the terms of use before a token can be used to authenticate. |
Other Considerations and Questions
Should access/refresh tokens issued to client 0 have different durations?
Should we implement the single-use refresh token revocation scheme outlined in Requirements for OAuth 2 public clients?
Refresh tokens are already single-use. The gist of the extension is reuse detection: if a refresh token that has already been redeemed is presented again, the server treats the replay as evidence that the token was stolen and also revokes the currently active refresh token descended from the same login, so neither the attacker nor the legitimate client can keep refreshing until the user signs in again.
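To make the difference between plain single-use refresh tokens and the reuse-detection extension concrete, here is an added example (not Synapse code, and not taken from the page) of a token store that issues access/refresh pairs bound to client 0 with separate lifetimes and rotates refresh tokens on every use. The `revoke_family_on_reuse` flag, the `family_id` grouping, the SHA-256 storage of token digests and the TTL defaults are all assumptions made for this illustration; the page does not specify how Synapse stores or groups its tokens.

```python
"""Refresh-token rotation with reuse detection (illustrative, not Synapse code)."""
import hashlib
import secrets
from dataclasses import dataclass


class InvalidGrant(Exception):
    """Raised where an OAuth server would answer with error=invalid_grant."""


@dataclass
class RefreshRecord:
    user_id: int
    client_id: int
    family_id: str      # assumption: shared by every refresh token descended from one login
    expires_at: float
    used: bool = False  # single-use: flipped the first time the token is redeemed


def _digest(token):
    # Assumption: only a hash of each token is stored, so a leaked table leaks no tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class TokenStore:
    FIRST_PARTY_CLIENT_ID = 0  # "client 0" in the page's terminology

    def __init__(self, access_ttl=3600, refresh_ttl=30 * 86400, revoke_family_on_reuse=True):
        self.access_ttl = access_ttl            # assumption: access tokens live one hour
        self.refresh_ttl = refresh_ttl          # assumption: refresh tokens live thirty days
        self.revoke_family_on_reuse = revoke_family_on_reuse  # the extension under discussion
        self._access = {}                       # digest -> (user_id, expires_at)
        self._refresh = {}                      # digest -> RefreshRecord
        self._revoked_families = set()

    def _issue_pair(self, user_id, client_id, family_id, now):
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self._access[_digest(access)] = (user_id, now + self.access_ttl)
        self._refresh[_digest(refresh)] = RefreshRecord(
            user_id, client_id, family_id, now + self.refresh_ttl)
        return {"access_token": access, "refresh_token": refresh,
                "expires_in": self.access_ttl}

    def issue_on_login(self, user_id, now, client_id=FIRST_PARTY_CLIENT_ID):
        """Called once the user has authenticated and accepted the terms of use."""
        return self._issue_pair(user_id, client_id, secrets.token_hex(8), now)

    def validate_access(self, token, now):
        """Return the user id for a live access token, or None."""
        entry = self._access.get(_digest(token))
        if entry is None or now >= entry[1]:
            return None
        return entry[0]

    def refresh(self, presented, now):
        """Redeem a refresh token for a new pair; the presented token is consumed."""
        rec = self._refresh.get(_digest(presented))
        if rec is None:
            raise InvalidGrant("unknown refresh token")
        if rec.family_id in self._revoked_families:
            raise InvalidGrant("token family revoked after a detected replay")
        if rec.used:
            # Replay of an already-consumed token: with the extension enabled, every
            # token in the family (including the currently active one) is revoked.
            if self.revoke_family_on_reuse:
                self._revoked_families.add(rec.family_id)
            raise InvalidGrant("refresh token already used")
        if now >= rec.expires_at:
            raise InvalidGrant("refresh token expired")
        rec.used = True
        return self._issue_pair(rec.user_id, rec.client_id, rec.family_id, now)


def demo_reuse(revoke_family):
    """Login, rotate once, replay the consumed token, then try the live token.
    Returns True if the live token still works after the replay."""
    store = TokenStore(revoke_family_on_reuse=revoke_family)
    t0 = 1_700_000_000.0                                     # constructed timestamp
    first = store.issue_on_login(user_id=42, now=t0)
    second = store.refresh(first["refresh_token"], t0 + 60)  # legitimate rotation
    try:
        store.refresh(first["refresh_token"], t0 + 120)      # attacker replays the old token
    except InvalidGrant:
        pass
    try:
        store.refresh(second["refresh_token"], t0 + 180)     # legitimate client tries again
        return True
    except InvalidGrant:
        return False


if __name__ == "__main__":
    print("single-use only: live token survives replay ->", demo_reuse(False))
    print("with family revocation: live token survives replay ->", demo_reuse(True))
```

With plain single-use tokens the replay is rejected but the live token keeps working, so a thief who redeemed the stolen token first would hold the live one unnoticed; with family revocation the replay invalidates the whole chain and the legitimate client is pushed back through login, which is the behaviour the extension is asking for.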