Question 1

How to use OAuth2c for authorization code flow with PKCE?

Accepted Answer

Use the --pkce flag along with --grant-type authorization_code and --auth-method none. The README provides examples for public clients, showing how to set up secure flows without a client secret.

Question 2

OAuth2c vs using curl for OAuth requests?

Accepted Answer

OAuth2c automates the entire OAuth flow, including browser interaction and token exchange, whereas curl requires manual crafting of requests and handling redirects. OAuth2c is better for complex flows and security extensions like JARM and PAR.

Question 3

How to automate token refresh in a CI/CD pipeline with OAuth2c?

Accepted Answer

Use the --silent flag to run non-interactively and pipe the output to extract tokens. The README shows examples using jq to set environment variables for refresh tokens in subsequent calls.

Question 4

Does OAuth2c support OAuth 2.1 or only OAuth 2.0?

Accepted Answer

OAuth2c is compliant with OAuth 2.0, OIDC, and extensions like FAPI. While OAuth 2.1 is not explicitly mentioned, it supports key features like PKCE which are part of OAuth 2.1, as seen in the advanced extensions.

Question 5

How to handle OAuth flows without a browser in OAuth2c?

Accepted Answer

For non-interactive flows like device grant or client credentials, no browser is needed. Use --no-browser flag or choose grants like device flow, demonstrated in the examples with specific commands.

Question 6

Setting up OAuth2c for Financial-grade API (FAPI) compliance?

Accepted Answer

OAuth2c supports JARM and PAR, which are essential for FAPI. Use flags like --response-mode query.jwt and --par to enable these security features, as outlined in the extensions section with sample commands.

oauth2c

What is oauth2c?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions