| Next revision | Previous revision |
| oauth:reference [2026/02/11 19:56] – created flash | oauth:reference [2026/02/11 22:50] (current) – documented some of them flash |
|---|
| ====== OAuth Endpoint Reference ====== | ====== OAuth Endpoint Reference ====== |
| |
| This page contains a list of all available OAuth related endpoints, what parameters they take and what output they may provide. | This page contains a list of all available OAuth related endpoints, what parameters they take and what output they may provide. If you're looking to implement the bare minimum, you'll only have to care about [[reference#get_flashiinetoauth2authorize|GET flashii.net/oauth2/authorize]] and [[reference#post_apiflashiinetoauth2token|POST api.flashii.net/oauth2/token]]. |
| |
| ===== GET api.flashii.net/.well-known/oauth-authorization-server ===== | ===== GET api.flashii.net/.well-known/oauth-authorization-server ===== |
| |
| | //To learn more about discovering authorization server metadata, see [[discovery|oauth:discovery]].// |
| |
| ===== GET api.flashii.net/.well-known/oauth-protected-resource ===== | ===== GET api.flashii.net/.well-known/oauth-protected-resource ===== |
| |
| | //To learn more about discovering authorization server metadata, see [[discovery|oauth:discovery]].// |
| |
| ===== POST api.flashii.net/oauth2/introspect ===== | ===== POST api.flashii.net/oauth2/introspect ===== |
| ===== GET flashii.net/.well-known/oauth-authorization-server ===== | ===== GET flashii.net/.well-known/oauth-authorization-server ===== |
| |
| | //To learn more about discovering authorization server metadata, see [[discovery|oauth:discovery]].// |
| |
| ===== GET flashii.net/.well-known/oauth-protected-resource ===== | ===== GET flashii.net/.well-known/oauth-protected-resource ===== |
| |
| | //To learn more about discovering authorization server metadata, see [[discovery|oauth:discovery]].// |
| |
| ===== GET flashii.net/.well-known/openid-configuration ===== | ===== GET flashii.net/.well-known/openid-configuration ===== |
| |
| | //For more details on how to use OpenID Connect with Flashii, see [[openid|oauth:openid]].// |
| |
| ===== GET flashii.net/.well-known/webfinger ===== | ===== GET flashii.net/.well-known/webfinger ===== |
| |
| | //For more details on how to use OpenID Connect with Flashii, see [[openid|oauth:openid]].// |
| |
| ===== GET fii.moe/verify ===== | ===== GET fii.moe/verify ===== |
| |
| | A shorter alternative for the [[reference#get_flashiinetoauth2verify|GET flashii.net/oauth2/verify]]. |
| | Used in the response body for [[reference#post_apiflashiinetoauth2request-authorize|POST api.flashii.net/oauth2/request-authorize]]. |
| |
| ===== GET flashii.net/oauth2/authorize ===== | ===== GET flashii.net/oauth2/authorize ===== |
| |
| | //For more details on how to use the normal authorization flow, see [[authorize|oauth:authorize]].// |
| | |
| | Page through which a user reviews an authorization request. |
| | |
| | ==== Request ==== |
| | |
| | === Query parameters === |
| | |
| | * ''response_type'' <color #ed1c24>(required)</color> - Response type of the token request. Must be either ''code'' for normal authorization requests or ''code id_token'' for OpenID Connect authorization requests. |
| | * ''client_id'' <color #ed1c24>(required)</color> - Client ID for the client/application that is making this authorization request. |
| | * ''redirect_uri'' <color #ed1c24>(required)</color> if more than one URI is registered, <color #c8bfe7>(optional)</color> if there's only one - Redirect URI to return to after the user has reviewed the authorization request. Must be registered. If the an unknown redirect URI is specified, the error will be rendered to the user without redirecting. |
| | * ''scope'' <color #c8bfe7>(optional)</color> - Scope of this authorization request. |
| | * ''state'' <color #c8bfe7>(optional)</color> - A state parameter that will be included in the query parameters of the ''redirect_uri'' value. May not be longer than 1000 characters. |
| | * ''code_challenge'' <color #ed1c24>(required)</color> if public client, <color #c8bfe7>(optional)</color> if confidential client - PKCE code challenge, if ''code_challenge_method'' is ''S256'' the value must be 43 characters long and contain a URI BASE64 encoded SHA256 HMAC hash, if ''plain'' the value must be be at least 43 characters and at most 128 characters. ''S256'' is recommended. |
| | * ''code_challenge_method'' <color #c8bfe7>(optional)</color> - Processing method for the ''code_challenge'' value. If specified, must be either ''plain'' for passthru, or ''S256'' for HMAC SHA256. If left unspecified, ''plain'' will be used. If specified, ''code_challenge'' must also be specified. |
| | |
| | ==== Response ==== |
| | |
| | * <color #00a2e8>HTTP 200</color> ''text/html'': A HTML document through which the user reviews the authorization request. If the specified ''redirect_uri'' is recognized, the user agent will be redirect to it with the outcome of the authorization request. In both cases the ''state'' parameter will be passed along. If an ''error'' parameter is included, an additional ''error_description'' parameter containing an English explanation of the error may be included, an additional ''error_uri'' parameter containing a URI to relevant documentation may also be included. |
| | * If the user approved the authorization request, the user agent will redirect to the relevant URI with the ''code'' parameter set to an authorization code that can be used with the authorization code token flow. Optionally, if the ''openid'' scope was requested, an ''id_token'' token containing a JWT will be included. |
| | * If the user denied the authorization request, the user agent will redirect to the relevant URI with the ''error'' parameter set to ''access_denied''. |
| | * If a server error (HTTP 500) occurred, the user agent will redirect to the relevant URI with the ''error'' parameter set to ''server_error''. |
| | * If a public client attempted to request authorization without a PKCE ''challenge_code'' parameter, the user agent will redirect to the relevant URI with the ''error'' parameter set to ''invalid_request''. |
| | * If the user waited too long before pressing the Authorize button, the user agent will redirect to the relevant URI with the ''error'' parameter set to ''invalid_request''. |
| | * If the ''code_challenge'' and/or ''code_challenge_method'' parameters are not set to an acceptable value, the user agent will redirect to the relevant URI with the ''error'' parameter set to ''invalid_request''. |
| | * If the ''response_type'' parameter is not set to an acceptable value, the user agent will redirect to the relevant URI with the ''error'' parameter set to ''unsupported_response_type''. |
| | * If an unsupported scope is requested in the ''scope'' parameter, the user agent will redirect to the relevant URI with the ''error'' parameter set to ''invalid_scope''. The ''error_description'' message will contain which requested value caused the problem. |
| |
| ===== GET flashii.net/oauth2/verify ===== | ===== GET flashii.net/oauth2/verify ===== |
| |
| | //To learn more about the device token authorization, see [[device-authorize|oauth:device-authorize]].// |
| | |
| | User verification page for the device token flow. |
| | |
| | ==== Request ==== |
| | |
| | === Query parameters === |
| | |
| | * ''code'' <color #c8bfe7>(optional)</color> - Value of ''user_code'' received in the response body of [[reference#post_apiflashiinetoauth2request-authorize|POST api.flashii.net/oauth2/request-authorize]]. |
| | |
| | ==== Response ==== |
| | |
| | * <color #00a2e8>HTTP 200</color> ''text/html'': A HTML document through which the user reviews the authorization request. The document will either confirm that that the authorization request succeeded or explain why it failed. No redirects will occur. |
| |
