[codex] clarify frontend PKCE with server-side token exchange#92
Deploying qf-api-docs with

| Latest commit: | f156632 |
|---|---|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://e5f0cabb.qf-api-docs.pages.dev |
| Branch Preview URL: | https://docs-clarify-oauth-client-au.qf-api-docs.pages.dev |
Pull request overview
Updates the OIDC/OAuth2 tutorial docs to clearly distinguish public vs confidential OAuth clients based on Hydra client registration, preventing integrations from incorrectly omitting client_secret and hitting invalid_client at the token endpoint.
Changes:
- Clarifies that client type is determined at registration time via `token_endpoint_auth_method` (not at implementation time).
- Updates quickstart guidance and examples to explicitly scope mobile/native flows to public clients (`token_endpoint_auth_method=none`) and server flows to confidential clients (default `client_secret_basic`).
- Adds clearer troubleshooting/expectations around `invalid_client` when confidential client authentication is omitted.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| docs/tutorials/oidc/user-apis-quickstart.mdx | Tightens platform guidance so public/mobile examples only apply to token_endpoint_auth_method=none; reinforces server-side token exchange/refresh for confidential clients. |
| docs/tutorials/oidc/getting-started-with-oauth2.mdx | Adds an explicit registration-based client-type explanation, and annotates token/refresh exchange examples to match Hydra auth modes and avoid invalid_client. |
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 8 comments.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f156632795
@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 89fc2e2124
Summary
`token_endpoint_auth_method=none`
Why
The docs could be read as if direct in-app token exchange was the default path for every client. In practice, the current Request Access flow provisions confidential clients, so the recommended integration shape is: app handles login + PKCE, backend handles code exchange and refresh.
Validation
- `git diff --check`
- `yarn build` or `yarn typecheck`; earlier `yarn typecheck` failure in `src/theme/ApiDemoPanel/Curl/index.tsx` is still unrelated to these docs changes
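As an added illustration of the integration shape the PR description recommends (example code, not from the docs or the project): the app generates the PKCE pair, the backend builds the code exchange for a client whose auth method was fixed at registration, and a constructed stand-in for the token endpoint's client authentication shows why a confidential client exchanged without its secret gets `invalid_client`. Client ids, the secret and the `CLIENTS` table are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed stand-in for Hydra client registrations (hypothetical ids and secret); the auth
# method is fixed here at registration time, not chosen by the code that calls the token endpoint.
CLIENTS = {
    "mobile-app": {"token_endpoint_auth_method": "none", "secret": None},
    "web-backend": {"token_endpoint_auth_method": "client_secret_basic", "secret": "example-secret"},
}

def make_pkce_pair():
    """App side: keep code_verifier on the app; send the S256 challenge in the authorize request."""
    verifier = secrets.token_urlsafe(48)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_token_request(client_id, code, code_verifier, client_secret=None):
    """Build the authorization_code exchange. A public client (none) identifies itself with client_id
    in the body; a confidential client (client_secret_basic) must also send HTTP Basic credentials,
    which is why its exchange belongs on the backend. Omitting the secret reproduces the in-app mistake."""
    body = {"grant_type": "authorization_code", "code": code,
            "code_verifier": code_verifier, "client_id": client_id}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
        headers["Authorization"] = f"Basic {creds}"
    return headers, body

def authenticate_client(headers, body):
    """Constructed model of the token endpoint's client authentication: returns "ok" or the OAuth2
    error code the caller sees. A confidential client is never downgraded to public, so a missing
    or wrong secret is always invalid_client."""
    auth = headers.get("Authorization", "")
    client_id, secret = body.get("client_id"), None
    if auth.startswith("Basic "):
        try:
            client_id, _, secret = base64.b64decode(auth[6:]).decode("utf-8").partition(":")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            return "invalid_client"
    client = CLIENTS.get(client_id)
    if client is None:
        return "invalid_client"
    if client["token_endpoint_auth_method"] == "none":
        return "ok"
    if secret is not None and hmac.compare_digest(secret.encode(), client["secret"].encode()):
        return "ok"
    return "invalid_client"
```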