OAuth 2.0
Authrim implements OAuth 2.0 with modern security best practices, including support for OAuth 2.1 recommendations.
Overview
- Standards: RFC 6749, RFC 6750
- OAuth 2.1: Aligned with OAuth 2.1 draft
- Security: Following OAuth Security BCP
Supported Grant Types
Authorization Code Grant
The recommended grant for all clients:
POST /token HTTP/1.1Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=auth_code_value&redirect_uri=https://app.example.com/callback&client_id=client_id&code_verifier=pkce_verifierRefresh Token Grant
Exchange a refresh token for new tokens:
POST /token HTTP/1.1Content-Type: application/x-www-form-urlencodedAuthorization: Basic <base64(client_id:client_secret)>
grant_type=refresh_token&refresh_token=refresh_token_valueClient Credentials Grant
For machine-to-machine authentication:
POST /token HTTP/1.1Content-Type: application/x-www-form-urlencodedAuthorization: Basic <base64(client_id:client_secret)>
grant_type=client_credentials&scope=api.read api.writeDevice Authorization Grant
For input-constrained devices (see Device Flow):
POST /token HTTP/1.1Content-Type: application/x-www-form-urlencoded
grant_type=urn:ietf:params:oauth:grant-type:device_code&device_code=device_code_value&client_id=client_idJWT Bearer Grant
For identity federation with trusted assertion issuers:
POST /token HTTP/1.1Content-Type: application/x-www-form-urlencoded
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=jwt_assertion&client_id=client_idEndpoints
| Endpoint | Method | Description |
|---|---|---|
/authorize | GET/POST | Authorization endpoint |
/token | POST | Token endpoint |
/revoke | POST | Token revocation |
/introspect | POST | Token introspection |
Token Types
Access Tokens
JWT-formatted access tokens containing:
{ "iss": "https://auth.example.com", "sub": "user-id-123", "aud": "https://api.example.com", "exp": 1699880000, "iat": 1699876400, "jti": "unique-token-id", "scope": "read write", "client_id": "my_client_id"}Refresh Tokens
Long-lived tokens for obtaining new access tokens:
- Rotation: Refresh tokens are rotated on each use
- Expiration: Configurable lifetime (default: 30 days)
- Revocation: Can be revoked via
/revokeendpoint
Client Authentication
client_secret_basic
HTTP Basic authentication with client credentials:
Authorization: Basic <base64(client_id:client_secret)>client_secret_post
Client credentials in request body:
POST /tokenContent-Type: application/x-www-form-urlencoded
client_id=my_client_id&client_secret=my_client_secret&grant_type=...private_key_jwt
JWT client assertion signed with client’s private key:
POST /tokenContent-Type: application/x-www-form-urlencoded
client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=eyJhbGciOiJSUzI1NiJ9...&grant_type=...none
For public clients (must use PKCE):
POST /tokenContent-Type: application/x-www-form-urlencoded
client_id=public_client_id&grant_type=authorization_code&code=...&code_verifier=...Token Introspection
Check if a token is active and get its metadata:
POST /introspect HTTP/1.1Content-Type: application/x-www-form-urlencodedAuthorization: Basic <base64(client_id:client_secret)>
token=access_token_value&token_type_hint=access_tokenResponse:
{ "active": true, "scope": "read write", "client_id": "my_client_id", "token_type": "Bearer", "exp": 1699880000, "iat": 1699876400, "sub": "user-id-123", "aud": "https://api.example.com", "iss": "https://auth.example.com"}Token Revocation
Revoke an access token or refresh token:
POST /revoke HTTP/1.1Content-Type: application/x-www-form-urlencodedAuthorization: Basic <base64(client_id:client_secret)>
token=token_value&token_type_hint=refresh_tokenResponse: 200 OK (always, per RFC 7009)
Response Modes
query (default for code)
Authorization code in query string:
https://app.example.com/callback?code=abc123&state=xyzfragment (default for implicit)
Token in URL fragment:
https://app.example.com/callback#access_token=abc123&token_type=Bearerform_post
Authorization response submitted via POST:
<form method="post" action="https://app.example.com/callback"> <input type="hidden" name="code" value="abc123"> <input type="hidden" name="state" value="xyz"></form>Error Responses
Standard OAuth 2.0 error format:
{ "error": "invalid_request", "error_description": "The request is missing a required parameter"}Error Codes:
| Error | Description |
|---|---|
invalid_request | Missing or invalid parameter |
unauthorized_client | Client not authorized for grant type |
access_denied | User denied authorization |
unsupported_response_type | Response type not supported |
invalid_scope | Requested scope is invalid |
server_error | Server encountered an error |
temporarily_unavailable | Server is temporarily unavailable |
invalid_client | Client authentication failed |
invalid_grant | Grant is invalid or expired |
unsupported_grant_type | Grant type not supported |
OAuth 2.1 Alignment
Authrim follows OAuth 2.1 recommendations:
- PKCE required for authorization code flow
- Refresh token rotation enabled by default
- No implicit grant for new applications
- No password grant (removed)
- Exact redirect URI matching
Security Best Practices
- Use PKCE - Required for all authorization code flows
- Use state parameter - Prevent CSRF attacks
- Validate redirect URIs - Exact matching only
- Use short-lived access tokens - 1 hour or less
- Rotate refresh tokens - One-time use
- Implement token binding - Consider DPoP for high-security