feat(api): OAuth callback → bearer token handoff for native clients #215
Reference: james/carol#215
Context
PR #194 added `/api/auth/token` for native clients using local-credential `password` grants but explicitly deferred the OAuth completion → bearer token bridge. Today the OAuth callback issues a session cookie and redirects through the web flow. A native (Android, Flatpak) client cannot complete an OAuth2/OIDC login because it has no cookie store and cannot ride the cookie-redirect handoff. The discriminated-union `grantType` shape on `/api/auth/token` was deliberately left open so this can land without a breaking change.

Source
PR #194 body ("Out of scope"):
Scope
- `/api/auth/token` with `grantType: "authorization_code"` (Carol-issued code, not the IdP code).
- `apps/api/app/api/auth/oauth/callback/[provider]/route.ts`.
- `apps/client/`) to drive the new flow via `expo-auth-session` or equivalent.

Acceptance criteria
- `grantType: "authorization_code"`.
- `docs/api-conventions.md` or a sibling auth doc describes the native OAuth flow.

Out of scope
Composes with
- relation "oauth_inits" already exists (missing from teardown list) #259