...

Endpoint: POST /login
Request Body: LoginRequest
Response Body: LoginResponse
Notes:
  LoginRequest may support an additional boolean refreshToken field that specifies whether a refresh token should be returned.
  In addition to the existing fields, LoginResponse will include accessToken and, if refreshToken was requested, refreshToken. (A v2 service returns no sessionToken.)
  The tokens are bound to client 0, the "first-party" Synapse OAuth client.

Endpoint: POST /oauth2/session
Request Body: OAuthValidationRequest
Response Body: Session
Notes:
  This is the default login endpoint for users who sign in through an external IdP, such as Google. Session can be extended to return an accessToken. (A v2 service returns no sessionToken.)

Endpoint: POST /termsOfUse
Request Body: Session
Response Body: None
Notes:
  The request body is the Session (extended or replaced as described above) and must carry a valid accessToken (or sessionToken).
  The request takes a Session in the body rather than authenticating with the token because a user must agree to the terms of use before a token can be used to authenticate.

Other Considerations and Questions

  • Should access/refresh tokens issued to client 0 have different durations?

  • Should we implement the single-use refresh token revocation scheme outlined in Requirements for OAuth 2 public clients?

    • Refresh tokens are already single-use. The gist of the extension is reuse detection: if a refresh token that has already been used (and so expired) is presented again, the active refresh token issued in its place is also expired.
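The token issuance described in the endpoint table above and the refresh-token reuse-detection scheme discussed in this question, modelled together as an added example (this is illustrative code, not Synapse's implementation): an in-memory TokenService whose login issues access and optional refresh tokens bound to client 0, whose termsOfUse step gates bearer use of the access token, and whose refresh tokens are single-use and grouped into families so that replaying an already-consumed token revokes the active token issued in its place. The class and method names, the FIRST_PARTY_CLIENT_ID constant, the token lifetimes and the family bookkeeping are assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass

# Assumed constants for illustration: the page calls the first-party client
# "client 0" but leaves token lifetimes as an open question.
FIRST_PARTY_CLIENT_ID = 0
ACCESS_TOKEN_TTL = 24 * 3600          # assumed: short-lived
REFRESH_TOKEN_TTL = 180 * 24 * 3600   # assumed: long-lived, single-use


@dataclass
class RefreshRecord:
    family_id: str      # every token descended from one login shares a family
    client_id: int
    user_id: str
    issued_at: float
    used: bool = False  # single-use: set once the token has been exchanged
    revoked: bool = False


@dataclass
class AccessRecord:
    client_id: int
    user_id: str
    expires_at: float


class TokenService:
    """In-memory model of the login / termsOfUse / refresh behaviour (assumed design)."""

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so expiry can be exercised offline
        self._refresh: dict[str, RefreshRecord] = {}
        self._access: dict[str, AccessRecord] = {}
        self._tou_accepted: set[str] = set()

    # POST /login: LoginRequest.refreshToken decides whether a refresh token is issued.
    # A v2-style response carries accessToken (and refreshToken), never sessionToken.
    def login(self, user_id: str, refresh_token: bool = False) -> dict:
        resp = {"accessToken": self._issue_access(user_id, FIRST_PARTY_CLIENT_ID)}
        if refresh_token:
            family = secrets.token_hex(8)  # new family per login
            resp["refreshToken"] = self._issue_refresh(user_id, FIRST_PARTY_CLIENT_ID, family)
        return resp

    # POST /termsOfUse: the token travels in the body; it is validated here but
    # cannot yet be used as a bearer credential.
    def accept_terms_of_use(self, access_token: str) -> None:
        rec = self._lookup_access(access_token)
        self._tou_accepted.add(rec.user_id)

    # Bearer use of an access token, refused until the user accepted the terms.
    def authenticate(self, access_token: str) -> str:
        rec = self._lookup_access(access_token)
        if rec.user_id not in self._tou_accepted:
            raise PermissionError("terms of use not accepted")
        return rec.user_id

    # Refresh with rotation: consume the presented token, issue a new pair.
    def refresh(self, refresh_token: str) -> dict:
        rec = self._refresh.get(refresh_token)
        if rec is None or rec.revoked:
            raise PermissionError("invalid refresh token")
        if rec.used:
            # A consumed token was presented again: either it was stolen before the
            # client rotated it, or the client lost the rotated copy. Either way,
            # revoke the whole family, including the currently active token.
            self._revoke_family(rec.family_id)
            raise PermissionError("refresh token reuse detected; family revoked")
        if self.clock() - rec.issued_at > REFRESH_TOKEN_TTL:
            rec.revoked = True
            raise PermissionError("refresh token expired")
        rec.used = True
        return {
            "accessToken": self._issue_access(rec.user_id, rec.client_id),
            "refreshToken": self._issue_refresh(rec.user_id, rec.client_id, rec.family_id),
        }

    def is_active_refresh_token(self, refresh_token: str) -> bool:
        rec = self._refresh.get(refresh_token)
        return rec is not None and not rec.used and not rec.revoked

    def _issue_access(self, user_id: str, client_id: int) -> str:
        tok = secrets.token_urlsafe(32)
        self._access[tok] = AccessRecord(client_id, user_id, self.clock() + ACCESS_TOKEN_TTL)
        return tok

    def _issue_refresh(self, user_id: str, client_id: int, family_id: str) -> str:
        tok = secrets.token_urlsafe(32)
        self._refresh[tok] = RefreshRecord(family_id, client_id, user_id, self.clock())
        return tok

    def _lookup_access(self, access_token: str) -> AccessRecord:
        rec = self._access.get(access_token)
        if rec is None or self.clock() > rec.expires_at:
            raise PermissionError("invalid or expired access token")
        return rec

    def _revoke_family(self, family_id: str) -> None:
        for r in self._refresh.values():
            if r.family_id == family_id:
                r.revoked = True
```

The reuse check runs before the lifetime check on purpose: a stale copy of a consumed token is the signal of theft whether or not it is still within its nominal lifetime, and the family revocation must fire in both cases. Separate lifetimes for access and refresh tokens are plain constants here so the duration question above can be explored by changing two numbers.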