
docs: OAuth2 Authorization Server specification#3160

Open

RomainRicord wants to merge 2 commits into 01-edu:master from RomainRicord:feat/oauth2-authorization-server

Conversation


@RomainRicord RomainRicord commented Mar 10, 2026

Summary

  • Add technical specification for an OAuth2 Authorization Code flow
  • Based on analysis of the actual auth architecture: @01-edu/api Gitea token exchange, JWT auto-refresh, Hasura claims
  • Builds on existing infrastructure — zero breaking changes

What Changed in This Update

Updated the proposal based on analysis of the existing codebase (01-edu/01-edu-api, 01-edu/hubspot):

  • Documented the actual auth flow: Gitea token → /api/auth/token → JWT → /api/auth/refresh
  • Added architecture diagram showing current components
  • Showed how each existing component maps to the OAuth2 equivalent
  • Referenced @01-edu/api source code and hubspot integration as precedent
  • Clarified that Hasura configuration is completely unchanged

What the Spec Covers

  • Current architecture diagram (Basic Auth + Gitea Token Exchange)
  • OAuth2 Authorization Code flow built on existing infrastructure
  • New API endpoints (/api/oauth/authorize, /token, /revoke, /userinfo, discovery)
  • Database schema for clients, authorization codes, and consent
  • Scope-to-Hasura-role mapping for granular permissions
  • JWT claims structure compatible with existing Hasura configuration
  • Security considerations (PKCE, token rotation, rate limiting)

Backward Compatibility

All existing endpoints and the @01-edu/api package continue to work unchanged. The OAuth2 endpoints are purely additive.

Closes #3159

Test plan

  • Review the specification for completeness
  • Verify the proposed flow aligns with the existing Gitea token exchange architecture
  • Confirm JWT claims structure works with existing HASURA_GRAPHQL_JWT_SECRET

Add technical specification for implementing OAuth2/OIDC as an
authorization server, enabling third-party applications to authenticate
users without handling their passwords.

This is an additive proposal with zero breaking changes to the existing
Basic Auth + Hasura JWT architecture.

Updated the specification based on analysis of the existing codebase:

- Document the Gitea token exchange flow (GET /api/auth/token?token=)
  used by @01-edu/api package
- Document the JWT auto-refresh mechanism (GET /api/auth/refresh)
- Show how OAuth2 builds on existing infrastructure instead of replacing it
- Add architecture diagram of current auth flow
- Reference @01-edu/api source and hubspot integration as precedent
- Clarify that zero configuration changes needed on Hasura side
Development

Successfully merging this pull request may close these issues.

Feature: OAuth2 Authorization Server for Third-Party Integrations
