Hollo Hall · Annex

The Key Room

The mechanism that hands an app a duplicate key: "you may post on my behalf."

You can safely tell an app "you may post on my behalf." No password changes hands, only a duplicate key (an access token), and the safeguard that stops an authorization code from being redeemed by whoever intercepts it on the way back (PKCE) comes built in.

The keywork is meticulous. Redeeming the duplicate key takes a row lock (SELECT ... FOR UPDATE), so two requests racing for the same authorization code cannot both succeed, and the shadow of the passphrase (the PKCE code challenge) is checked with a constant-time comparison, so a mismatch does not reveal through timing how many leading bytes were right. Using the same ticket twice and peeking through a gap are both sealed off by the construction itself.

Highlights

  • Client authentication comes in three ways: client_secret_basic, client_secret_post, and none (public clients)
  • /token, /revoke, and /userinfo are intentionally left out of csrf() (with the reason in a comment on the wall)
  • The signpost at /.well-known/oauth-authorization-server (RFC 8414) also stands at the root of the hall
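The three client-authentication methods in the first highlight, as an added example in TypeScript. This is not Hollo's own code from src/oauth/middleware.ts; it assumes a hypothetical client registry (a Map of client_id to a stored secret, null meaning a public client) and shows the two details a /token implementation most often gets wrong: RFC 6749 form-encodes client_id and client_secret before joining them with ":" for client_secret_basic, and a request must not carry more than one method at once.

```typescript
import { timingSafeEqual } from "node:crypto";

export type ClientAuth =
  | { method: "client_secret_basic" | "client_secret_post"; clientId: string; clientSecret: string }
  | { method: "none"; clientId: string };

export class InvalidClientError extends Error {}

// Client side. RFC 6749 §2.3.1: id and secret are form-urlencoded before being
// joined with ":" and base64-encoded, so a ":" inside a secret survives the trip.
// encodeURIComponent is used here as an approximation of form-encoding (assumption).
export function basicAuthorizationHeader(clientId: string, clientSecret: string): string {
  const raw = `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret)}`;
  return "Basic " + Buffer.from(raw, "utf8").toString("base64");
}

// Server side: decide which of the three methods the request used.
export function parseClientAuthentication(
  authorization: string | undefined,
  form: Record<string, string | undefined>,
): ClientAuth {
  const basic = authorization?.match(/^basic\s+(\S+)$/i);
  if (basic) {
    // RFC 6749 §2.3: a client MUST NOT use more than one method in a request.
    if (form.client_secret !== undefined) {
      throw new InvalidClientError("two authentication methods in one request");
    }
    const decoded = Buffer.from(basic[1], "base64").toString("utf8");
    const colon = decoded.indexOf(":");
    if (colon < 0) throw new InvalidClientError("malformed Basic credentials");
    return {
      method: "client_secret_basic",
      clientId: decodeURIComponent(decoded.slice(0, colon)),
      clientSecret: decodeURIComponent(decoded.slice(colon + 1)),
    };
  }
  if (!form.client_id) throw new InvalidClientError("client_id missing");
  if (form.client_secret !== undefined) {
    return { method: "client_secret_post", clientId: form.client_id, clientSecret: form.client_secret };
  }
  return { method: "none", clientId: form.client_id };
}

// Hypothetical registry entry: secret === null marks a public client.
export interface RegisteredClient {
  secret: string | null;
}

export function authenticateClient(auth: ClientAuth, registry: Map<string, RegisteredClient>): boolean {
  const client = registry.get(auth.clientId);
  if (!client) return false;
  // Only a public client may skip the secret; a confidential one must present it.
  if (auth.method === "none") return client.secret === null;
  // A public client has no secret on file, so any secret it presents is wrong.
  if (client.secret === null) return false;
  const presented = new TextEncoder().encode(auth.clientSecret);
  const stored = new TextEncoder().encode(client.secret);
  return presented.length === stored.length && timingSafeEqual(presented, stored);
}
```

The length check before timingSafeEqual is required because Node throws on buffers of different length; the length of a client secret is not itself a secret, so the early return there leaks nothing useful.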

A passage from the sutra

// Only grants that were issued with a code challenge are checked here.
if (accessGrant.codeChallenge && accessGrant.codeChallengeMethod) {
  // A missing verifier, or any method other than S256, is rejected outright.
  if (
    !form.code_verifier ||
    accessGrant.codeChallengeMethod !== "S256"
  ) {
    return c.json(INVALID_GRANT_ERROR, 400);
  }

  // Recompute BASE64URL(SHA-256(code_verifier)) from what the client just sent.
  const expectedCodeChallenge = await calculatePKCECodeChallenge(
    form.code_verifier,
  );

  // Compare against the stored challenge without an early exit on mismatch.
  if (
    !timingSafeEqualString(
      expectedCodeChallenge,
      accessGrant.codeChallenge,
    )
  ) {
    return c.json(INVALID_GRANT_ERROR, 400);
  }
}
src/oauth.tsx, lines 323-343: inspecting PKCE by recomputing the challenge and comparing in constant time

Try it yourself

The app first hands over only the shadow of its passphrase (the code_challenge, sent to /authorize), and shows the real one (the code_verifier) at redemption, at /token. The Key Room recomputes the shadow and compares. A shadow cannot be reversed into a passphrase (the same One-Way Door), so an attacker who intercepted the authorization code and the challenge still has nothing to present. Note that the excerpt only verifies PKCE when the grant carries a challenge; whether a challenge is demanded of public clients in the first place is decided at /authorize, which this passage does not show.
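The PKCE round trip described above, as an added example in TypeScript (not Hollo's own code from src/oauth.tsx). It assumes Node's crypto module and an AccessGrant shape with only the two PKCE fields; calculatePKCECodeChallenge and timingSafeEqualString are reimplemented here under the names the excerpt uses, and verifyPKCE mirrors the excerpt's decision structure, including the rejection of the "plain" method and the skip when a grant carries no challenge.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Client side (RFC 7636 §4.1): a high-entropy verifier of 43..128 unreserved chars.
export function makeCodeVerifier(): string {
  return randomBytes(32).toString("base64url"); // 43 characters, no padding
}

// Both sides (RFC 7636 §4.2): S256 challenge = BASE64URL(SHA-256(ASCII(verifier))).
export function calculatePKCECodeChallenge(codeVerifier: string): string {
  return createHash("sha256").update(codeVerifier, "ascii").digest("base64url");
}

// Compare without an early exit that would leak the position of the first mismatch.
export function timingSafeEqualString(a: string, b: string): boolean {
  const ab = new TextEncoder().encode(a);
  const bb = new TextEncoder().encode(b);
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

// Hypothetical grant shape: just the two PKCE columns the excerpt reads.
export interface AccessGrant {
  codeChallenge: string | null;
  codeChallengeMethod: "S256" | "plain" | null;
}

// Server side at /token, following the excerpt: no challenge on the grant means
// nothing to verify; a non-S256 method or a missing verifier is invalid_grant;
// otherwise recompute the challenge and compare in constant time.
export function verifyPKCE(
  grant: AccessGrant,
  codeVerifier: string | undefined,
): "ok" | "invalid_grant" {
  if (!grant.codeChallenge || !grant.codeChallengeMethod) return "ok";
  if (!codeVerifier || grant.codeChallengeMethod !== "S256") return "invalid_grant";
  const expected = calculatePKCECodeChallenge(codeVerifier);
  return timingSafeEqualString(expected, grant.codeChallenge) ? "ok" : "invalid_grant";
}

// A full exchange: the client keeps the verifier, sends only the challenge to
// /authorize (stored on the grant), and reveals the verifier at /token.
export function roundTrip(): { honest: string; stolenCode: string; tampered: string } {
  const verifier = makeCodeVerifier();
  const grant: AccessGrant = {
    codeChallenge: calculatePKCECodeChallenge(verifier),
    codeChallengeMethod: "S256",
  };
  return {
    honest: verifyPKCE(grant, verifier),
    // Someone who intercepted the code (and even the challenge) has no verifier.
    stolenCode: verifyPKCE(grant, undefined),
    // Guessing a verifier means inverting SHA-256, so a made-up one fails.
    tampered: verifyPKCE(grant, makeCodeVerifier()),
  };
}
```

The known-answer pair from RFC 7636 Appendix B (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM) is a quick way to confirm that an implementation hashes the ASCII bytes of the verifier and uses unpadded base64url, the two places where interoperability usually breaks.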

Floor plan

src/oauth.tsx
/authorize and /token; PKCE with S256, and the SELECT ... FOR UPDATE redemption of authorization codes
src/oauth/middleware.ts
tokenRequired/scopeRequired plus three ways of client authentication
src/oauth/endpoints/metadata.ts
The RFC 8414 signpost
