You can safely hand an app "you may post on your behalf." No password changes hands, only a duplicate key (a token)—and the manner that keeps it from being abused even if it's overheard along the way (PKCE) comes built in.
The keywork is meticulous. Redeeming the duplicate key takes a row lock, and the shadow of the passphrase is checked with a constant-time comparison—using the same ticket twice, and peeking through a gap, are both sealed off by the construction itself.
Highlights
- Client authentication comes in three ways: client_secret_basic, client_secret_post, and none (public clients)
- /token, /revoke, and /userinfo are intentionally left out of csrf() (with the reason in a comment on the wall)
- The signpost at
/.well-known/oauth-authorization-server(RFC 8414) also stands at the root of the hall
A passage from the sutra
if (accessGrant.codeChallenge && accessGrant.codeChallengeMethod) {
if (
!form.code_verifier ||
accessGrant.codeChallengeMethod !== "S256"
) {
return c.json(INVALID_GRANT_ERROR, 400);
}
const expectedCodeChallenge = await calculatePKCECodeChallenge(
form.code_verifier,
);
if (
!timingSafeEqualString(
expectedCodeChallenge,
accessGrant.codeChallenge,
)
) {
return c.json(INVALID_GRANT_ERROR, 400);
}
} Try it yourself
The app first hands over only the shadow of its passphrase, and shows the real one at redemption. The Key Room recomputes the shadow and compares — a shadow cannot be reversed into a passphrase (the same One-Way Door).