🔐
OAuth 2.1 Authorization
Authorization Code + PKCE, zero secret leakage
Open platform standard OAuth 2.1 authorization code flow. SPA / mobile / iframe all use PKCE, no client secret exposure. state prevents CSRF, 5-minute code cache prevents replay.
example.http
# 1. 引导用户授权
GET /oauth/authorize?
response_type=code&
client_id=YOUR_APP_KEY&
redirect_uri=https://yourapp.com/callback&
scope=openid%20profile&
state=RANDOM_STATE&
code_challenge=BASE64URL(SHA256(verifier))&
code_challenge_method=S256
# 2. 回调接收 code,换 token
POST /oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&
code=AUTH_CODE&
redirect_uri=https://yourapp.com/callback&
client_id=YOUR_APP_KEY&
code_verifier=ORIGINAL_VERIFIER
# 3. 调用 API(Bearer JWT)
GET /oauth/userinfo
Authorization: Bearer <access_token>Core Features
6 core features, each works standalone
OAuth 2.1 security
Deprecates implicit / password, enforces PKCE per latest RFC
Auth Code + PKCE
Unified secure flow for SPA / mobile / iframe
CSRF protection
Random state returned as-is
JWT (RFC 9068)
access_token is JWT, iss=UM, locally verifiable
Refresh Token
Long-session scenarios, refresh_token renews access_token
5-minute code cache
Same code consumed once within 5 minutes
API Endpoints
Via /api/* call the following endpoints
| Method | Path | Description |
|---|---|---|
| GET | /oauth/authorize | Authorization endpoint |
| POST | /oauth/token | Token endpoint (code-for-token / refresh) |
| GET | /oauth/userinfo | OIDC UserInfo |
| POST | /oauth/revoke | Revoke token |