Security considerations for the Auth Link API
The Auth Link API supports the plain Authorization Code Flow (RFC 6749) for confidential client applications (e.g. web app with a server side) and the PKCE (RFC 7636) extension for public client applications (e.g. Single Page (web) App or native mobile application).
For a confidential client, the only additional requirement is that the client_secret parameter is sent in the Authorization Code Exchange (POST /token endpoint).

To implement the PKCE extension, the code_challenge and code_challenge_method parameters must be passed in the initial Authorization Request (the GET /link redirect). Then the code_verifier field must be given in the Authorization Code Exchange (POST /token endpoint); the server recomputes the challenge from that verifier and rejects the exchange if it does not match the one it received in the Authorization Request.
A good guide on PKCE can be found .
When embedding the Auth Link UI within a WebView, you may choose to restrict navigation to origins that match https://*.open-utilities.com, so that the WebView cannot be steered to an unrelated origin during the flow. Note that this wildcard admits every subdomain of open-utilities.com, so the restriction is only as tight as that set of hosts.