This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.
This is just a proposal so far, it hasn't been accepted and needs further discussion.
The OAuth2 docs/rfcs contain a lot of different grant types/flows, we need to decide to which to implement. There are a few groups I'd like to consider:
- OAuth2.0 (the ones defined in rfc6749) grant types: Authorization Code, Implicit, Resource Owner Password Credentials, Client Credentials
- Refresh token (defined in rfc6749, but not as a grant type)
- Authorization Code w/ PKCE (not defined in rfc6749)
- Other extension grant type (e.g.: Device code)
- All flows
- Only OAuth2.0 flows (rfc6749)
- Non-deprecated flows in rfc6749 + PKCE
Chosen option: Non-deprecated flows in rfc6749 + PKCE, because
- It needs the least amount of work we need to cover our main
- We can disable deprecated flows/grant_types (protecting our users)