http – OAuth for command line application

I’m planning to add an “official” command line tool for developers to interact with our API. The tool is basically just a glorified curl client, interacting with the API via HTTPS exclusively. To make this convenient for developers, it should allow them to authorize the CLI using their existing user account, using an authorization_code grant.

Therefore, the user interaction should work like the following:

  1. The user executes acme-cli login.
  2. The CLI uses OpenID discovery to locate our OAuth endpoints, and builds an authorization URL. The client_id is hard-coded in the CLI source code; to prevent having to include the client_secret, we use PKCE to generate a local challenge.
  3. The CLI generates a random, unique hash as a device identifier. It then opens a URL in the user’s browser with the device identifier and full authorization URL as query parameters:<deviceId>&authorization_url=<authorization_url>
    This endpoint stores the device ID in a session cookie, then redirects to the authorization URL.
  4. The user signs in and authorizes the CLI to access their account on their behalf.
  5. The OAuth server redirects them to the redirect URI, which points to another endpoint on our application server:<authorization_code>&state=<state>
    This endpoint stores the authorization code to be fetched by the CLI instance later on together with the device identifier (step 3) from the cookie.
  6. After opening the authorization link in the user’s browser, the CLI regularly polls an endpoint on the application server, passing their device identifier, for the authorization code:<device_id>
    As soon as the code is available, it exchanges it for an access token as an ordinary web application would.
  7. If the authorization code isn’t fetched within 60 seconds, the TTL expires and it is purged.

This process is defined pretty well by OAuth, apart from the signaling mechanism between our server and the CLI application instance running on the developer’s computer.

Considering we use PKCE, even leaking the authorization code somehow should not be a problem, as it is useless without the code verifier, so I think this process should be as secure as the OAuth spec allows. Are there any flaws I’ve overlooked? Is there a better or more secure way to implement this?

oauth 2.0 – AppAuth loopback authentication fails on macOS with Chrome

We’re using AppAuth for a macOS application to authenticate Google accounts. This has been working for years, except recently Chrome has started to block all http connections by default. The loopback server in AppAuth is hard-coded to work with http connections only. The following issue also seems to have gone unanswered:

What other options do we have for using a https loopback server on macOS for OAuth2 authentication? We need the loopback server to be able to extract parameters Google sends back after authentication. Asking users to switch from Chrome is not desirable.

How do I profile A REST API request from the Simple oauth module?

I am trying to profile a REST API endpoint (/oauth/token) for performance issue. I want to see what database queries are executed during that API request.

Can I get it using webprofiler with the Devel module?

How to profile REST API request – /oauth/token from Simple oauth module in Drupal 8

I am trying to profile REST API endpoint – /oauth/token for performance issue. I want to see what are the sql queries executed during that api request. Can I get it using webprofiler in devel module? What is the best way to do it?

authentication – While we put elaborate standards to authenticate users (eg via OAuth), why do APIs only need an API Key?

Today, OATH is the standard for Authenticating Users. It employs an elaborate setup to eliminate all vulnerabilities.

YET, when it comes to APIs, the standard is just have an API Key inserted in the HTTP Request Header. Voila, you’re in. This is even adopted by google.

Why is this so? These API endpoints are public!

magento2 – Do Magento 2 Integration OAuth Access Tokens Never Expire?

Hi I just want to make sure that if I created an integration via OAuth authentication

I would use the access token of which for Magento 2 API calls. It is my experience that they never expire, is this claim absolutely true?

Insofar that the behavior is different from the admin and customer access tokens that do expire and have to regenerate a token else get a 401 error

oauth – What are the best practices to create a safe and performant user registration and validation with Nodejs and Postgres?

I’ve been asked to write an app with registration and login systems. In essence, I’ve already wrote the first version of their app using PHP, some javascript/jquery and storing data in MySQL. It worked for a time but now they are growing and expanding so they want something more performant and in realtime with push notifications. You know, the whole nine.

I’m always up to a great challenge especially if I need to learn new technologies. So I have leveled up my game and Im now learning to use Nodejs, Postgres and So far I’m understanding the basics fairly well. Ran a few tests and it’s top notch.

The only thing that has been plaguing me for the past week is security and registration. I’ve been doing extensive research on OAuth2 and PKCE Flow. I’m trying to figure out the best practices without compromising UX.

I’d be happy to read more on the subject or if there are any API available. I’m thinking perhaps it’s not safe to handle registration and login by myself. The methodology used with PHP and MYSQL is very backward in my opinion and I’m looking for something more modern working with Nodejs and Postgres. Most login and registration systems, for example Google, send temporary numbers that expires within 30 mins and they can recognize your device and send alerts if you login from a device they dont recognize asking you if it’s you who just logged in. That’s the level I’m trying to reach. Any suggestion?

With PHP and MySQL the current registration flow is as follow :
enter image description here

node.js – Next.js – Como fazer para os dados recebidos pelo github oauth no Back-End seja enviado para meu Front-End

Galera, estou estudando Next.js o conceito de Serveless, e em um dos meus testes eu fiz uma pequena API que recebe os dados do usuário no Github, porém eu estou perdido em descobrir uma forma de enviar meus dados recebidos de volta para o front-end, eis o código:

//const client_id = process.env.GITHUB_CLIENT_ID
//const client_secret = process.env.GITHUB_CLIENT_SECRET

async function getAccessToken({ code, client_id, client_secret }) {
    const request = await fetch("", {
        method: "POST",
        headers: {
            "Content-Type": "application/json"
        body: JSON.stringify({
    const text = await request.text()
    const params = new URLSearchParams(text)
    return params.get("access_token")

async function fetchGitHubUser(token) {
    const request = await fetch("", {
        headers: {
            Authorization: "token " + token
    return await request.json()

export default async (request: NowRequest, response: NowResponse) => {

    const code = request.query.code
    const access_token = await getAccessToken({ code, client_id, client_secret })
    const userGithub = await fetchGitHubUser(access_token)

    const user = {
        username: userGithub.login,
        avatar: userGithub.avatar_url

    return response.json(user)

Como eu faço para conseguir manipular os dados recebidos pela API no Next.js ?

plugins – How do I read Jira issues in a WordPress site using OAuth?

We’re trying to setup the Jira REST api and are getting hung up on the OAuth authentication process. We followed the Atlassian (Jira) examples for this but they are seemingly outdated and not working.

I wonder if there are ways to easily setup OAuth with WordPress so that it can talk to 3rd party applications like Jira?
Thank you for your help.