2023/10/20

First, that hugo supports goat ascii diagrams out-of-the box.

Second, about OAuth 2.0 authentication + authorization flows:

Authorization Code Flow

From https://tools.ietf.org/html/rfc6749#section-4.1 and https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow

Note: IdP = “Identity Provider”. Also note that the OAuth 2.0 spec separates the user from the “user-agent”, which is typically the browser. For my notes I’m calling the human user the same thing as their browser.

Authorization Code flow with Proof Key for Code Exchange (PKCE)

Specified in https://www.rfc-editor.org/rfc/rfc7636 See also: https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-proof-key-for-code-exchange-pkce

Note that the “code challenge” and “code verifier” are roughly equivalent to public and private keys, respectively. However, no specific cryptographic method is specified. The “code challenge” might be the hash of the “code validator”, etc.

Differences with vanilla Authorization Code Flow

--- Authorization code flow
+++ Authorization code flow with PKCE
@@ -1,8 +1,8 @@
 User -> Client                  : click login
-Client -> Authorization Server  : POST client ID, redirect URI
+Client -> Authorization Server  : POST client ID, redirect URI, code challenge
 Authorization Server -> User    : redirect to IdP
 User -> IdP                     : Log into IdP
 IdP -> Authorization Server     : ID token
 Authorization Server -> Client  : OTP
-Client -> Authorization Server  : OTP, client ID, client secret
+Client -> Authorization Server  : OTP, code verifier
 Authorization Server -> Client  : Access token, ID token