OAuth2 Overview
Status: Production. Controllers: OAuth2AuthorizationController, OAuth2ClientController, OAuth2TokenController
The IAM service implements an OAuth2 authorization server supporting the Authorization Code grant (with PKCE for public clients), the Client Credentials grant and the Refresh Token grant, together with token introspection and revocation and an API for registering and managing OAuth2 clients.
Supported Grant Types
| Grant Type | Endpoint | Use Case |
|---|---|---|
| Authorization Code | GET/POST /api/v1/oauth2/authorize, then POST /api/v1/oauth2/token | Interactive user login for third-party apps; confidential clients authenticate with their client secret at the token endpoint |
| Authorization Code + PKCE | As above, with code_challenge and code_challenge_method on the authorize request and code_verifier on the token request | Public clients (SPAs, mobile apps) that cannot keep a client secret |
| Client Credentials | POST /api/v1/oauth2/token | Service-to-service authentication with no user involved |
| Refresh Token | POST /api/v1/oauth2/token | Renewing an expired access token without sending the user through login again |
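The following is an added example, not code from the IAM service: an in-memory model of the Authorization Code + PKCE round trip with both sides shown, so the checks the authorize and token endpoints have to make are visible in one place. The host name, the client and redirect URI, and the `AuthorizationServer` class are hypothetical stand-ins for the real controllers; only the endpoint paths come from the table above.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed host; the path is the authorize endpoint from the table above.
AUTHORIZE_URL = "https://iam.example.invalid/api/v1/oauth2/authorize"
CLIENT_ID, REDIRECT_URI = "spa-client", "https://app.example.invalid/callback"  # constructed


def b64url(raw: bytes) -> str:
    """Unpadded base64url, the encoding RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# ---------- client side (public client: SPA or mobile app) ----------
def make_pkce_pair() -> tuple[str, str]:
    """32 random bytes -> 43-char code_verifier; code_challenge = BASE64URL(SHA256(verifier))."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(state: str, challenge: str, scope: str = "openid profile") -> str:
    """GET /api/v1/oauth2/authorize request; state ties the callback to this browser session."""
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": scope, "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


# ---------- server side (hypothetical stand-in for the controllers) ----------
class AuthorizationServer:
    def __init__(self) -> None:
        self.redirect_uris: dict[str, set[str]] = {}  # client_id -> registered redirect URIs
        self.codes: dict[str, dict] = {}              # code -> values bound at issue time

    def register_client(self, client_id: str, redirect_uris: list[str]) -> None:
        self.redirect_uris[client_id] = set(redirect_uris)

    def authorize(self, url: str) -> str:
        """Called after the user has logged in and consented; returns the redirect Location."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if q.get("response_type") != "code" or not q.get("state"):
            raise ValueError("invalid_request")
        # Exact match against registration: no prefix, subdomain or wildcard matching.
        if q.get("redirect_uri") not in self.redirect_uris.get(q.get("client_id", ""), set()):
            raise ValueError("invalid_request: redirect_uri not registered for client")
        if q.get("code_challenge_method") != "S256" or not q.get("code_challenge"):
            raise ValueError("invalid_request: S256 code_challenge required")
        code = b64url(secrets.token_bytes(24))
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "code_challenge": q["code_challenge"], "scope": q.get("scope", "")}
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, form: dict[str, str]) -> dict:
        """POST /api/v1/oauth2/token with grant_type=authorization_code."""
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        rec = self.codes.pop(form.get("code", ""), None)  # pop: a code is single-use
        if rec is None or rec["client_id"] != form.get("client_id") \
                or rec["redirect_uri"] != form.get("redirect_uri"):
            raise ValueError("invalid_grant")
        verifier = form.get("code_verifier", "")
        if not 43 <= len(verifier) <= 128:
            raise ValueError("invalid_grant")
        expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
        if not hmac.compare_digest(expected, rec["code_challenge"]):
            raise ValueError("invalid_grant")  # verifier does not match the challenge bound to the code
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer",
                "expires_in": 3600, "scope": rec["scope"]}


def start_flow(tamper_verifier: bool = False) -> tuple[AuthorizationServer, dict]:
    """Authorize step plus callback handling; returns the server and the token request to send."""
    server = AuthorizationServer()
    server.register_client(CLIENT_ID, [REDIRECT_URI])
    verifier, challenge = make_pkce_pair()
    state = b64url(secrets.token_bytes(16))
    location = server.authorize(build_authorize_url(state, challenge))
    cb = {k: v[0] for k, v in parse_qs(urlparse(location).query).items()}
    if not hmac.compare_digest(cb.get("state", ""), state):
        raise ValueError("state mismatch: callback did not originate from our request")
    sent_verifier = make_pkce_pair()[0] if tamper_verifier else verifier  # attacker's own verifier
    return server, {"grant_type": "authorization_code", "code": cb["code"], "client_id": CLIENT_ID,
                    "redirect_uri": REDIRECT_URI, "code_verifier": sent_verifier}


def run_flow(tamper_verifier: bool = False) -> dict:
    server, form = start_flow(tamper_verifier)
    return server.token(form)


def rejected(tamper_verifier: bool = False, replay: bool = False) -> bool:
    """True when the token endpoint refuses: wrong verifier, or a second use of the same code."""
    server, form = start_flow(tamper_verifier)
    if replay:
        server.token(form)
    try:
        server.token(form)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_flow()["token_type"], rejected(tamper_verifier=True), rejected(replay=True))
```

The two refusals at the end are the point of PKCE: an attacker who intercepts the authorization code on the redirect has neither the verifier that matches the stored challenge nor a second chance to use the code.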
OAuth2 Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/oauth2/authorize | Authorization endpoint (redirect) |
| POST | /api/v1/oauth2/authorize | Authorization endpoint (JSON response) |
| POST | /api/v1/oauth2/token | Token endpoint |
| POST | /api/v1/oauth2/revoke | Token revocation |
| POST | /api/v1/oauth2/introspect | Token introspection |
| POST | /api/v1/oauth2/clients | Register client |
| GET | /api/v1/oauth2/clients | List clients |
| GET | /api/v1/oauth2/clients/{id} | Get client |
| POST | /api/v1/oauth2/clients/{id}/regenerate-secret | Regenerate secret |
| DELETE | /api/v1/oauth2/clients/{id} | Delete client |
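The following is an added example, not the service's own code, modelling what the revoke and introspect endpoints in the table above return for a live, a revoked, an expired and an unknown token. `TokenStore`, the client names and the injectable clock are hypothetical; the status codes and response shapes follow RFC 7009 and RFC 7662, which is a choice made here rather than something the page states.

```python
import hmac
import secrets
import time


class TokenStore:
    """Opaque bearer tokens with revocation and introspection (hypothetical in-memory store)."""

    def __init__(self, now=time.time) -> None:
        self.now = now                          # injectable clock so expiry can be exercised
        self.client_secrets: dict[str, str] = {}
        self.tokens: dict[str, dict] = {}       # token -> {client_id, scope, exp, revoked}

    def register_client(self, client_id: str) -> str:
        secret = secrets.token_urlsafe(32)
        self.client_secrets[client_id] = secret
        return secret

    def _client_ok(self, client_id: str, client_secret: str) -> bool:
        stored = self.client_secrets.get(client_id)
        return stored is not None and hmac.compare_digest(stored, client_secret)

    def issue(self, client_id: str, scope: str, ttl: int = 3600) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"client_id": client_id, "scope": scope,
                              "exp": int(self.now()) + ttl, "revoked": False}
        return token

    def revoke(self, client_id: str, client_secret: str, token: str) -> int:
        """POST /api/v1/oauth2/revoke; returns an HTTP status. 200 for unknown tokens too
        (RFC 7009), so the endpoint cannot be used to probe which tokens exist."""
        if not self._client_ok(client_id, client_secret):
            return 401
        rec = self.tokens.get(token)
        if rec is not None and rec["client_id"] != client_id:
            return 400  # refused: token was not issued to the requesting client
        if rec is not None:
            rec["revoked"] = True
        return 200

    def introspect(self, client_id: str, client_secret: str, token: str) -> dict:
        """POST /api/v1/oauth2/introspect; every failure mode collapses to active=false."""
        if not self._client_ok(client_id, client_secret):
            raise PermissionError("invalid_client")
        rec = self.tokens.get(token)
        if rec is None or rec["revoked"] or rec["exp"] <= int(self.now()):
            return {"active": False}
        return {"active": True, "client_id": rec["client_id"], "scope": rec["scope"],
                "token_type": "Bearer", "exp": rec["exp"]}


def demo() -> dict:
    """Issue, introspect, revoke, introspect again; then let a second token expire."""
    clock = [1_700_000_000]                    # constructed epoch time
    store = TokenStore(now=lambda: clock[0])
    secret = store.register_client("svc-a")
    tok = store.issue("svc-a", "read:users")
    active_before = store.introspect("svc-a", secret, tok)["active"]
    revoke_status = store.revoke("svc-a", secret, tok)
    active_after = store.introspect("svc-a", secret, tok)["active"]
    unknown_status = store.revoke("svc-a", secret, "no-such-token")
    tok2 = store.issue("svc-a", "read:users", ttl=60)
    clock[0] += 61
    expired_active = store.introspect("svc-a", secret, tok2)["active"]
    bad_auth_status = store.revoke("svc-a", "wrong-secret", tok2)
    return {"active_before": active_before, "revoke_status": revoke_status,
            "active_after": active_after, "unknown_revoke_status": unknown_status,
            "expired_active": expired_active, "bad_auth_status": bad_auth_status}


if __name__ == "__main__":
    print(demo())
```

Resource servers that cache introspection results should keep the cache lifetime well below the token lifetime, otherwise a revoked token stays usable until the cache entry expires.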
Section Pages
| Page | Description |
|---|---|
| Client Management | Client registration and credential management |
| Authorization Code | Authorization code flow with PKCE |
| Token Management | Token issuance, introspection, revocation |