STiBaRC is now fully OAuth 2.0 and OpenID Connect Core 1.0 compliant!

herronjo Verified (he/him)
04/03/26, 5:53 AM
To the best of my knowledge, anyway. It passed all the standard tests I put it through.

The discovery metadata documents can be found at:

OAuth 2.0: https://stibarc.com/.well-known/oauth-authorization-server
OIDC: https://stibarc.com/.well-known/openid-configuration

Putting these into any standard OAuth/OIDC library will make it Just Work™, as long as you've registered an app at the developer portal (https://stibarc.com/developer) and give it your client ID (and secret if necessary).

If you don't know the basics of OAuth already, here's a good start! https://oauth.net/getting-started/

You can read the discovery documents to learn what endpoints to use if you don't want to use a library, and that guide should tell you what data to send and parameters to set.

PKCE isn't supported yet, so if your app can't store secrets (like the client_secret), you'll have to use the implicit grant (public client type). But it will be soon (but still optional)!

Upvotes: 2 Downvotes: 0
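For clients that read the discovery documents directly instead of using a library, here is an added example (not part of the original post and not STiBaRC's code) that checks a metadata document before trusting it and picks a flow from what it advertises, including the PKCE case the post mentions. The field names are the standard RFC 8414 / OIDC Discovery ones; the sample documents, the `issuer.example` host and the function names are constructed for illustration, and only issuers without a path component (like the URLs in the post) are handled.

```python
from urllib.parse import urlsplit

WELL_KNOWN = ("/.well-known/oauth-authorization-server",
              "/.well-known/openid-configuration")
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def expected_issuer(discovery_url):
    """Issuer that a root-level discovery URL must advertise."""
    u = urlsplit(discovery_url)
    if u.scheme != "https" or u.path not in WELL_KNOWN:
        raise ValueError("not an https root-level discovery URL")
    return f"https://{u.netloc}"

def check_metadata(discovery_url, doc):
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    # A mismatched issuer means the document describes some other server.
    if doc.get("issuer") != expected_issuer(discovery_url):
        problems.append("issuer does not match the discovery URL")
    for key in ENDPOINT_KEYS:
        value = doc.get(key)
        if value is not None and urlsplit(value).scheme != "https":
            problems.append(f"{key} is not https")
    if "authorization_endpoint" not in doc:
        problems.append("authorization_endpoint missing")
    return problems

def choose_flow(doc, can_keep_secret):
    """Pick a response type and PKCE method from what the server advertises."""
    response_types = doc.get("response_types_supported", [])
    # RFC 8414: an absent code_challenge_methods_supported means no PKCE.
    pkce = "S256" in doc.get("code_challenge_methods_supported", [])
    if "code" in response_types and (pkce or can_keep_secret):
        return {"response_type": "code",
                "code_challenge_method": "S256" if pkce else None}
    # No PKCE and no secret storage: fall back to an implicit response type.
    implicit = [rt for rt in response_types if "code" not in rt.split()]
    if not implicit:
        raise ValueError("no usable flow advertised for this client type")
    return {"response_type": implicit[0], "code_challenge_method": None}

# Constructed sample documents (not the real STiBaRC metadata).
SAMPLE_URL = "https://issuer.example/.well-known/openid-configuration"
SAMPLE_TODAY = {
    "issuer": "https://issuer.example",
    "authorization_endpoint": "https://issuer.example/authorize",
    "token_endpoint": "https://issuer.example/token",
    "response_types_supported": ["code", "token"],
}
SAMPLE_WITH_PKCE = dict(SAMPLE_TODAY, code_challenge_methods_supported=["S256"])
```

Because the decision is driven by `code_challenge_methods_supported`, a client written this way would move to the authorization code flow with PKCE as soon as a server starts advertising it.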

2 Comments


herronjo Verified (he/him)
04/03/26, 5:57 AM
Speaking of which, I will eventually do a v5 that cleans up the API paths and makes the API more ~RESTful~, including moving the session from the body to the Authorization parameter, like it always should have been. There will be new scopes that better align with OAuth principles (read: and write: variants of scopes per-resource, instead of the broad scopes we have today), and a transition path during that change, with an eventual deprecation of the legacy scopes. Existing sessions will have their scopes adjusted to provide the same access they had before.

Upvotes: 1 Downvotes: 0

herronjo Verified (he/him)
04/03/26, 5:54 AM
I'll provide actual OAuth/OIDC documentation around the same time I do the API v4 docs.

Upvotes: 1 Downvotes: 0