Looking through a list of OAuth providers on Wikipedia, I made a short list of "important" OAuth2 providers that it may be good to test this repo against/adapt it to. The information on Wikipedia might be out of date, the providers might be diverging from specs in various ways, so we might simply not do some of them initially. Also, some providers might have extensive additional mechanisms, and be OAuth2 only in the sense of being based on OAuth2, yet still not be OIDC. I am suspecting Instagram might have something like that (perhaps it uses Facebook Connect). So we would address each provider separately.

• Amazon
• BitBucket [2]
• Discord
• Dropbox
• GitHub
• Instagram
• PayPal
• Reddit
• Stack Exchange
• Stripe
• Twitch
• Twitter

If we work on this, I'll gradually edit this issue with links to auth API docs, etc.

According to https://datatracker.ietf.org/doc/html/rfc6749#section-5.1 the scope in token response should be a space separated list of scopes which ocaml-oidc expects.

Twitch OIDC implementation returns "scope": ["openid"] (also documented here).

I'm not sure what ocaml-oidc should do here — ignore, fail (like it does now) or try to parse an array — but just creating the issue to discuss and at least to document this behaviour.

There are some parsing that is raising now, we should return results

In the OAuth2 example, it appears to be possible to trigger login without any user interaction by causing the user's browser to do a GET /auth on the app, since the handler does not check any cookies, CSRF tokens, etc.

A state parameter that is somehow associated with the client's user agent (usually meaning, with a cookie) is necessary to protect the OAuth2 callback from CSRF-like attacks. The library code appears to support passing state around, but the example does not use state, and it does not appear to be pointed out in the library docs.

Are there any plans to do an opam release soon? Just asking — could still work around this downstream using my much-overused rename-and-vendor workflow.

As discussed on slack, oidc misses PATCH which leads to type error

Originally posted by @JulesGuesnon in https://github.com/marigold-dev/marigold-dashboard/pull/54#discussion_r969723105

Since I'm not using esy anymore I should move everything to nix so that CI will work correctly

To run everything in 1 go with e2e tests we need to be able to register via some GUI or API