OAuth Migration

Hello folks! We’re migrating our API over to using a new internal provider for our OAuth 2.0 requests. This change will allow us to continue improving our support for OAuth standards like PKCE.

There should be no change required on your end to continue accessing the API. To help you confirm that, we have listed the key changes below so you can check whether anything in your app depends on the old behaviour.

Timeline

On 2021-08-20T12:00:00Z we will roll out the changes below, so please verify before then that they will not negatively impact your app!

Key Changes

(ordered by the likelihood that you will need to make a change)

  1. Access & Refresh Token Length Changes
    Previously the access & refresh tokens were lowercase alphanumeric strings exactly 64 characters in length. Newly issued access & refresh tokens will still be alphanumeric, but now mixed case (upper and lower) and up to 255 characters in length. All existing access & refresh tokens will continue to be valid in their existing format until they are refreshed.

    Examples:
    Old Token: b765e84e8699e797c7a0b5ceb170cfb3af490da5218207f79f4c59e346c659ec
    New Token: RO8mcRW74RSAyUr91y4GXYAqkx1AX4Bz28Y2D0zPw6r0DkVoi1Nc6PjBgaMZem6JmeEeKVCx3pLEkqj7BA2xjf

  2. New Client IDs are now UUID-based
    Previously the Client IDs were lowercase alphanumeric strings exactly 64 characters in length. The new Client IDs are UUIDs instead. We generated a new Client ID for each application, but have implemented backwards compatibility for your old Client ID. Once the feature is released, you can visit your applications page to find your new Client ID.

    Examples:
    Old Client ID: 692f5f308a0984ea31597764dcabade6a82350b746162339c2c8f0110d083983
    New Client ID: 01c12535-e124-4f4a-9c3d-e780a73cf2a1

  3. Client Secret Length Changes
    Previously the Client Secrets were lowercase alphanumeric strings exactly 64 characters in length. Newly generated Client Secrets are still alphanumeric, but now mixed case (upper and lower) and up to 255 characters in length. All existing Client Secrets will be migrated so they will continue to work.

    Examples:
    Old Client Secret: c1a380075e3a75014a20075eda0352b3cdf5142d4a0c35dd7e66ba78e4f79be2
    New Client Secret: ahGUJIyuk8KnRKmYXNDVONInw7OTexhtTaJWJDxdv8UCECB8e3OoaCGIwdjscPJZnxIqLP2CT20C0ToxZ2SQ7V

  4. New Features
    Our introspection and revocation routes are now completely supported. You will be able to introspect tokens using https://glimesh.tv/api/oauth/introspect and revoke tokens using https://glimesh.tv/api/oauth/revoke, as per their RFCs.

    Additionally, PKCE will now be allowed, so you can authenticate mobile & native clients without having to require your users to generate their own keys, or accidentally sharing your client secret.
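To check whether your own validation or storage code depends on the old format, here is an added example (not Glimesh's code) that classifies a credential against the old and new formats described above and builds an RFC 7662 introspection request for the introspect route. It assumes the introspection endpoint accepts HTTP Basic client authentication, which is the RFC's common pattern but is not stated in this post; the sample values are the ones shown above.

```python
import base64
import re
from urllib.parse import urlencode

# Old format for tokens, client IDs and secrets: exactly 64 lowercase alphanumerics.
LEGACY_RE = re.compile(r"^[a-z0-9]{64}$")
# New tokens and secrets: mixed-case alphanumerics, up to 255 characters.
NEW_OPAQUE_RE = re.compile(r"^[A-Za-z0-9]{1,255}$")
# New client IDs: UUID in the usual 8-4-4-4-12 hex layout.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

INTROSPECT_URL = "https://glimesh.tv/api/oauth/introspect"

# Example values taken from the announcement above.
OLD_TOKEN = "b765e84e8699e797c7a0b5ceb170cfb3af490da5218207f79f4c59e346c659ec"
NEW_TOKEN = "RO8mcRW74RSAyUr91y4GXYAqkx1AX4Bz28Y2D0zPw6r0DkVoi1Nc6PjBgaMZem6JmeEeKVCx3pLEkqj7BA2xjf"
OLD_CLIENT_ID = "692f5f308a0984ea31597764dcabade6a82350b746162339c2c8f0110d083983"
NEW_CLIENT_ID = "01c12535-e124-4f4a-9c3d-e780a73cf2a1"


def classify_opaque(value: str) -> str:
    """Classify an access token, refresh token or client secret as legacy, new or invalid."""
    if LEGACY_RE.fullmatch(value):
        return "legacy"
    if NEW_OPAQUE_RE.fullmatch(value):
        return "new"
    return "invalid"


def classify_client_id(value: str) -> str:
    """Classify a client ID: legacy 64-char string, new UUID, or invalid."""
    if LEGACY_RE.fullmatch(value):
        return "legacy"
    if UUID_RE.fullmatch(value):
        return "new"
    return "invalid"


def fits_column(value: str, width: int) -> bool:
    """True if a credential fits a storage column sized for the old format (e.g. VARCHAR(64))."""
    return len(value) <= width


def build_introspection_request(token: str, client_id: str, client_secret: str) -> dict:
    """Build an RFC 7662 introspection request (assumed Basic client auth)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "url": INTROSPECT_URL,
        "headers": {"Authorization": f"Basic {creds}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"token": token, "token_type_hint": "access_token"}),
    }
```

Run `fits_column` over your stored tokens with the width of your current column to spot any VARCHAR(64)-style limits that would truncate the new 255-character values.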

Recommendations

If you want to future proof your app, you can do the following after the feature has been released:

  • Rotate your keys in your applications page. This will generate a new secret to add to your app. You can use your newly generated UUID-based Client ID as well. There is no need to refresh any of your tokens outside of their normal cycle, as they will be automatically refreshed into the new format as they expire.
  • Monitor your app's logs & active users during the release to ensure there are no unexpected problems.

Support & Contact

If you have any questions about this change, or if you need help implementing it, please reach out to us in the #dev-questions channel on Discord, or if you are not on Discord you can email me at luke@glimesh.tv.