DEV Community

Discussion on: Tauri + oauth2

Adimac93

It should be mentioned that the authorisation code obtained by this program shouldn't be exposed on the client side, thus I would highly recommend processing the code grant on a separate axum server and communicating with it via the reqwest crate. Understanding RFC6749 will help with a correct implementation. If I missed something, correct me.

Datner • Edited

It is quite impossible to avoid getting the code to the client, for the simple reason that it's the whole point of the flow 😅
I've actually implemented the code using the document you linked and this later extension in RFC7636 for working with public OAuth clients like native desktop clients (i.e. Tauri).

You're right to be worried about code hijacking, but that's exactly what PKCE is for. It makes sure that only the requester of the code can be the exchanger of the code.
There's no need for any other servers besides the callback server to catch the code and CSRF state. I hope that clears things up!

Adimac93

I think you are right! I am just surprised that an axum server in a Tauri app is used just to process the OAuth2 callback; it's interesting. I thought that the auth code would be processed on a centralised server to which all desktop clients would be connected via an API. Maybe I've got confused with different types of OAuth2 specs 😅.