
OAuth2l v1.3.0 Release

@andyrzhao andyrzhao released this 19 Jul 20:42
· 9 commits to master since this release
c5870a6

This release contains major security updates.

Features added:

  1. 3LO Loopback Flow:
  • Add support for the 3LO loopback flow, which redirects the authorization code to a localhost server (managed by OAuth2l) to complete the 3LO flow. This contrasts with the deprecated 3LO Out-of-band (OOB) flow, which required users to manually copy and paste the auth code.
  • The 3LO loopback flow is automatically triggered when using a client ID credentials file whose redirect_uris is set to "localhost" (the default value for credentials files obtained from Google Cloud Console). Furthermore, the browser is automatically opened to bring up the consent page (unless this behavior is disabled with the flag "disableAutoOpenConsentPage").
  2. PKCE:
  • Add PKCE (Proof Key for Code Exchange) to the 3LO flow, which protects against CSRF and authorization code injection attacks.
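The two features above fit together: the loopback listener receives the redirect, and PKCE plus a `state` parameter make the code it receives useless to anyone who did not start the flow. The following Go program is an added illustration of that combination, not OAuth2l's own code. It derives an S256 code challenge from a random verifier (RFC 7636), binds an ephemeral 127.0.0.1 port as the loopback redirect target, and validates the callback (provider error, `state` match, presence of a code) before handing the code on. The authorization endpoint and `clientID` values are assumptions for the demo; the token-exchange step that must send the `code_verifier` is described in a comment rather than performed.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// Assumed values for the demo: Google's public authorization endpoint and a
// placeholder client ID (not one from the page).
const authEndpoint = "https://accounts.google.com/o/oauth2/v2/auth"
const clientID = "YOUR_CLIENT_ID.apps.googleusercontent.com"

// NewVerifier returns 32 random bytes base64url-encoded without padding,
// giving a 43-character string that satisfies RFC 7636's verifier rules.
func NewVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// ChallengeS256 computes code_challenge = BASE64URL(SHA256(code_verifier)).
// Only the challenge leaves the client; the verifier is sent at token exchange.
func ChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthorizationURL builds the consent-page URL with a loopback redirect_uri,
// a CSRF state value and the PKCE challenge.
func AuthorizationURL(endpoint, client, redirectURI, scope, state, challenge string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", client)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", scope)
	q.Set("state", state)
	q.Set("code_challenge", challenge)
	q.Set("code_challenge_method", "S256")
	return endpoint + "?" + q.Encode()
}

// ParseLoopbackCallback checks the redirect that reached the localhost
// listener: a provider error aborts, a state mismatch is treated as a CSRF
// attempt and discarded, and an empty code is rejected.
func ParseLoopbackCallback(r *http.Request, expectedState string) (string, error) {
	q := r.URL.Query()
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("authorization server returned error: %s", e)
	}
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(expectedState)) != 1 {
		return "", errors.New("state mismatch: possible CSRF, callback discarded")
	}
	code := q.Get("code")
	if code == "" {
		return "", errors.New("callback carried no authorization code")
	}
	return code, nil
}

func main() {
	verifier, err := NewVerifier()
	if err != nil {
		panic(err)
	}
	state, err := NewVerifier() // same generator serves as a random state value
	if err != nil {
		panic(err)
	}
	// Bind an ephemeral loopback port; the redirect_uri advertises whatever port we got.
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	redirectURI := fmt.Sprintf("http://%s/", ln.Addr().String())
	done := make(chan string, 1)
	srv := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		code, err := ParseLoopbackCallback(r, state)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		fmt.Fprintln(w, "Authorization received; you may close this window.")
		done <- code
	})}
	go srv.Serve(ln)
	fmt.Println("Open this URL in a browser:")
	fmt.Println(AuthorizationURL(authEndpoint, clientID, redirectURI, "openid", state, ChallengeS256(verifier)))
	code := <-done // blocks until the browser is redirected back to the listener
	srv.Close()
	// Next step (not performed here): POST code + code_verifier=verifier to the
	// token endpoint; the server recomputes S256 and rejects codes injected by a
	// party that never held the verifier.
	fmt.Printf("authorization code received (%d chars); exchange it with code_verifier %s\n", len(code), verifier)
}
```

Running the program prints a consent URL and waits for exactly one loopback callback, which is the behaviour the release describes for the non-OOB flow; a callback whose `state` does not match the one generated for this run is answered with HTTP 400 and never reaches the token exchange.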