The Access Type feature was something I “stole” from Google’s OAuth options.
It is a way of forcing every new access token to be backed by a new explicit grant, by making grants non-refreshable.
It is aimed at applications which require that every access token be explicitly granted by the resource owner, rather than obtained silently through a refresh token.
You can enable it like this:
plugin :rodauth do
  enable :oauth_authorization_code_grant
  use_oauth_access_type? true
end
You can pass these extra parameters in the authorization URL in order to generate “online” grants:

access_type
: when set to “online”, a successful grant generates a non-refreshable access token (no refresh token is issued); when omitted or set to “offline” (the default), the grant stays refreshable as before.

approval_prompt (default: “force”)
: when “force”, the authorization form is always shown, so that the resource owner explicitly authorizes every grant; when “auto”, the form is shown only on the first “online” grant for a given combination of scopes, application and redirect URI, and later requests for the same combination auto-submit the authorization request.

Example:

https://oauth-server.com/authorize?client_id=23uhu23d89u3298du21j38q&redirect_uri=https%3A%2F%2Fclient.com%2Fcallback&scope=bricks.build+bricks.destroy&state=23r0rif3j0923j&access_type=online&approval_prompt=auto
You can add the following column to the oauth grants table:

  String :access_type, null: false, default: "offline"

If every grant your server issues will be “online”, no refresh tokens are ever stored, and you can remove the refresh token column as well; keep it if you still issue “offline” grants.
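The following is an added example, not rodauth-oauth’s own code, showing both halves of the feature described above: a client building the authorization URL with the access_type and approval_prompt parameters (reproducing the example URL, with proper percent-encoding of the redirect URI and space-separated scopes), and the server-side decision rule for approval_prompt=auto evaluated against a few constructed rows standing in for the oauth grants table. The module name, the hash-based “rows” and their column names (client_id, redirect_uri, scopes, access_type) are assumptions for illustration; only the parameter names and the “online”/“offline”/“force”/“auto” values come from the text.

```ruby
require "uri"

# Added example (not rodauth-oauth code). Module name and the hash-based
# grant "rows" below are illustrative assumptions.
module AccessTypeExample
  AUTHORIZE_ENDPOINT = "https://oauth-server.com/authorize"

  # Client side: build the authorization URL. OAuth scopes are space-separated;
  # URI.encode_www_form turns that space into "+" and percent-encodes the
  # redirect URI, matching the example URL in the text. Defaults mirror the
  # text: access_type "offline", approval_prompt "force".
  def self.authorize_url(client_id:, redirect_uri:, scopes:, state:,
                         access_type: "offline", approval_prompt: "force")
    params = {
      "client_id" => client_id,
      "redirect_uri" => redirect_uri,
      "scope" => scopes.join(" "),
      "state" => state,
      "access_type" => access_type,
      "approval_prompt" => approval_prompt
    }
    "#{AUTHORIZE_ENDPOINT}?#{URI.encode_www_form(params)}"
  end

  # Server side: must the consent form be shown for this request?
  # `grants` stands in for rows of the oauth grants table (assumed columns:
  # :client_id, :redirect_uri, :scopes (array), :access_type).
  #
  # Rule from the text: the form is always shown, except for an "online"
  # request with approval_prompt=auto where an "online" grant already exists
  # for the same application, redirect URI and exact set of scopes.
  def self.show_consent_form?(request, grants)
    return true unless request[:access_type] == "online" &&
                       request[:approval_prompt] == "auto"

    wanted = request[:scopes].sort
    prior_online_grant = grants.any? do |g|
      g[:client_id] == request[:client_id] &&
        g[:redirect_uri] == request[:redirect_uri] &&
        g[:access_type] == "online" &&
        g[:scopes].sort == wanted
    end
    !prior_online_grant
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample data for a stand-alone run.
  grants = [
    { client_id: "23uhu23d89u3298du21j38q", redirect_uri: "https://client.com/callback",
      scopes: %w[bricks.build bricks.destroy], access_type: "online" }
  ]
  request = { client_id: "23uhu23d89u3298du21j38q", redirect_uri: "https://client.com/callback",
              scopes: %w[bricks.build bricks.destroy], access_type: "online", approval_prompt: "auto" }
  puts AccessTypeExample.authorize_url(client_id: request[:client_id], redirect_uri: request[:redirect_uri],
                                       scopes: request[:scopes], state: "23r0rif3j0923j",
                                       access_type: "online", approval_prompt: "auto")
  puts "show form (prior online grant): #{AccessTypeExample.show_consent_form?(request, grants)}"
  puts "show form (first online grant): #{AccessTypeExample.show_consent_form?(request, [])}"
end
```

Note that the match is on the exact set of scopes: asking for a subset or superset of a previously granted combination counts as a new combination and shows the form again, which is the conservative reading of “combination of scopes/application/redirect uri”.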