OAuth

HQ can act as an OAuth 2.0 Authorization Server (AS).

It is embedded: no external AS is required. The implementation lives in internal/oauth2/ and follows the Authorization Code grant (RFC 6749 Section 4.1) with optional PKCE (RFC 7636). It is being aligned with the OAuth 2.1 draft, which makes PKCE mandatory for this grant; in HQ, PKCE is still optional.
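The client side of that grant, as an added Go example written for this page (it is not code from HQ's internal/oauth2/ package): PKCE pair generation, the authorization request, the state check on the callback, and the token request. Only /oauth2/register is named on this page, so the authorize and token endpoint URLs in main are placeholders to be replaced by the values from HQ's server metadata; client_secret_basic is assumed as the client authentication method.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// S256Challenge is BASE64URL(SHA256(ASCII(verifier))) without padding (RFC 7636 section 4.2).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// RandomURLSafe returns n bytes from crypto/rand as unpadded base64url; used for
// both the PKCE verifier and the state value (RFC 6749 section 10.12).
func RandomURLSafe(n int) (string, error) {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// NewPKCE returns a fresh 43-character verifier and its S256 challenge. Only the
// challenge goes through the browser; the verifier stays with the client.
func NewPKCE() (verifier, challenge string, err error) {
	if verifier, err = RandomURLSafe(32); err != nil {
		return "", "", err
	}
	return verifier, S256Challenge(verifier), nil
}

// AuthorizeURL builds the RFC 6749 section 4.1.1 request with the PKCE challenge
// attached; authzEndpoint is assumed to carry no query string of its own.
func AuthorizeURL(authzEndpoint, clientID, redirectURI, scope, state, challenge string) string {
	q := url.Values{
		"response_type":         {"code"},
		"client_id":             {clientID},
		"redirect_uri":          {redirectURI},
		"scope":                 {scope},
		"state":                 {state},
		"code_challenge":        {challenge},
		"code_challenge_method": {"S256"},
	}
	return authzEndpoint + "?" + q.Encode()
}

// CheckCallback validates the redirect: state must match before anything else is
// trusted, and an error response is reported rather than mistaken for a missing code.
func CheckCallback(callbackURL, expectedState string) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	switch {
	case q.Get("state") != expectedState:
		return "", errors.New("state mismatch: possible CSRF or a stale flow")
	case q.Get("error") != "":
		return "", fmt.Errorf("authorization failed: %s: %s", q.Get("error"), q.Get("error_description"))
	case q.Get("code") == "":
		return "", errors.New("callback carries neither code nor error")
	}
	return q.Get("code"), nil
}

// TokenRequest builds the RFC 6749 section 4.1.3 request for a confidential client
// (client_secret_basic, credentials form-encoded per section 2.3.1) carrying the
// verifier that the server checks against the challenge it stored with the code.
func TokenRequest(tokenEndpoint, clientID, clientSecret, code, redirectURI, verifier string) (*http.Request, error) {
	form := url.Values{
		"grant_type":    {"authorization_code"},
		"code":          {code},
		"redirect_uri":  {redirectURI},
		"code_verifier": {verifier},
	}
	req, err := http.NewRequest(http.MethodPost, tokenEndpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(url.QueryEscape(clientID), url.QueryEscape(clientSecret))
	return req, nil
}

func main() {
	// Endpoint and client values are placeholders; take the real ones from HQ's metadata.
	verifier, challenge, _ := NewPKCE()
	state, _ := RandomURLSafe(16)
	fmt.Println("redirect the user to:", AuthorizeURL("https://hq.example.com/oauth2/authorize", "my-client-id", "https://app.example.com/callback", "openid", state, challenge))
	fmt.Println("keep for TokenRequest:", verifier)
}
```

Send the request from TokenRequest with http.DefaultClient.Do and decode the JSON body; a non-200 status carries an RFC 6749 section 5.2 error object. The state value and the verifier must be bound to the user's session on the client, never recomputed from the callback.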

Discovery & Registration

  1. Server Metadata (RFC 8414): Clients discover HQ's OAuth endpoints via GET /.well-known/oauth-authorization-server, which returns the issuer URL, endpoint URLs, supported grant types, scopes, token endpoint auth methods, and PKCE support.

  2. Dynamic Client Registration (RFC 7591): When the dcr config flag is enabled, clients can self-register via POST /oauth2/register. DCR-created apps are placed into a configured default org. Each registered app receives a client_id and a client_secret; HQ stores the secret only as a bcrypt hash, so the client must capture it from the registration response, as it cannot be read back later. Unless registration is gated by an initial access token (RFC 7591 permits but does not require one), any caller that can reach the endpoint can create a client, so enable the flag only where self-registration is intended.

  3. Manual Registration: Apps can also be created via the HQ API. Each app records its provenance as "api" or "dcr", so self-registered clients can be told apart from those an operator created.
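The discovery and registration steps above, as an added Go example written for this page (not HQ's own code): fetch and validate the RFC 8414 document, then self-register a confidential client. The metadata field names are the standard RFC 8414 ones; which fields HQ emits beyond those listed above, and whether registration requires an initial access token, is not stated here, so the registration request carries no Authorization header. Requiring S256 in the metadata is a policy of this client, not something HQ enforces.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"slices"
)

// Metadata is the subset of RFC 8414 server metadata this client uses.
type Metadata struct {
	Issuer                        string   `json:"issuer"`
	AuthorizationEndpoint         string   `json:"authorization_endpoint"`
	TokenEndpoint                 string   `json:"token_endpoint"`
	RegistrationEndpoint          string   `json:"registration_endpoint"`
	CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"`
}

// ParseMetadata validates a metadata document fetched from expectedIssuer. The issuer
// claim must equal the issuer it was fetched from (RFC 8414 section 3.3), otherwise a
// client can be steered to an impostor's endpoints; it also fails closed without S256.
func ParseMetadata(expectedIssuer string, body []byte) (*Metadata, error) {
	var m Metadata
	if err := json.Unmarshal(body, &m); err != nil {
		return nil, err
	}
	switch {
	case m.Issuer != expectedIssuer:
		return nil, fmt.Errorf("issuer mismatch: got %q, want %q", m.Issuer, expectedIssuer)
	case m.AuthorizationEndpoint == "" || m.TokenEndpoint == "":
		return nil, errors.New("metadata lacks authorization_endpoint or token_endpoint")
	case !slices.Contains(m.CodeChallengeMethodsSupported, "S256"):
		return nil, errors.New("server does not advertise S256 PKCE")
	}
	return &m, nil
}

// Discover fetches GET <issuer>/.well-known/oauth-authorization-server and validates it.
func Discover(issuer string) (*Metadata, error) {
	resp, err := http.Get(issuer + "/.well-known/oauth-authorization-server")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return nil, err
	}
	return ParseMetadata(issuer, body)
}

// RegistrationRequest is the RFC 7591 body for a confidential authorization-code client.
func RegistrationRequest(name string, redirectURIs []string) ([]byte, error) {
	return json.Marshal(map[string]any{
		"client_name":                name,
		"redirect_uris":              redirectURIs,
		"grant_types":                []string{"authorization_code"},
		"response_types":             []string{"code"},
		"token_endpoint_auth_method": "client_secret_basic",
	})
}

// Register posts to HQ's registration endpoint (served only when the dcr flag is on).
// The 201 reply carries client_id and client_secret; store the secret immediately,
// HQ keeps only its bcrypt hash so it cannot be read back later.
func Register(m *Metadata, name string, redirectURIs []string) (map[string]any, error) {
	if m.RegistrationEndpoint == "" {
		return nil, errors.New("server does not advertise a registration_endpoint")
	}
	body, err := RegistrationRequest(name, redirectURIs)
	if err != nil {
		return nil, err
	}
	resp, err := http.Post(m.RegistrationEndpoint, "application/json", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var out map[string]any
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&out); err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusCreated {
		return nil, fmt.Errorf("registration returned HTTP %d: %v", resp.StatusCode, out["error"])
	}
	return out, nil
}

func main() {
	// The issuer is a placeholder; HQ's configured issuerURL goes here.
	m, err := Discover("https://hq.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("token endpoint:", m.TokenEndpoint, "registration:", m.RegistrationEndpoint)
}
```

The issuer comparison is the check that matters: a client that takes endpoint URLs from whatever document a redirect leads it to can be handed an attacker's token endpoint, and its client_secret with it.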

Configuration

Add the following to the HQ config:

auth:
  oauth2:
    authorizationServer:
      enabled: true
      issuerURL: "https://hq.example.com"
Note: issuerURL is the only conditionally required field; it must be set when enabled is true. It is published as the issuer in the server metadata, so use the exact external URL (scheme and host, no trailing slash) that clients will use for discovery.
