Security

Security considerations for the Auth Link API

Authentication of Client Application

The Auth Link API supports the plain Authorization Code Flow (RFC 6749) for confidential client applications (e.g. web app with a server side) and the PKCE (RFC 7636) extension for public client applications (e.g. Single Page (web) App or native mobile application).

Confidential Client Applications

The only requirement is that in the Authorization Code Exchange (POST /token endpoint) the client_secret parameter is given.

Public Client Applications

To implement the PKCE extension the code_challenge and code_challenge_method parameters must be passed in the initial Authorization Request (GET /link redirect).

Then, the code_verifier field must be given on the Authorization Code Exchange (POST /token endpoint).

A good guide on PKCE can be found here.

WebView considerations

When embedding the Auth Link UI within a WebView you may choose to restrict access to only origins that match: https://*.open-utilities.com

PreviousAuth Link API NextGET /link

Last updated 3 years ago

hashtagAuthentication of Client Application

hashtagConfidential Client Applications

hashtagPublic Client Applications

hashtagWebView considerations

Authentication of Client Application

Confidential Client Applications

Public Client Applications

WebView considerations