I’m building the Publishing service for Lightroom that needs to communicate with API server. Since I don’t trust Adobe or Lightroom to keep users info secure I’d like to know what would be the perfect flow for this case.
Requirements for the API server are few, valid JWT, permissions (scopes) and user ID (sub?).
At this point, I have the implementation that uses id_token but that doesn’t implement refresh_token and I kind of need that since it’s not nice to ask the user to log in every 30 days and republish all synced collections.
My team and I are working on verifying that this would be the correct approach for your use case. Authorization Code with PKCE may in fact be the correct way, but I would like to follow up with you to confirm that. We are currently exploring this specific use case and ensuring we consider areas for vulnerabilities. If we are able to move forward with that approach we would be able to get a refresh token by including the offline_access under scopes along with ensuring that we have enabled the Allow Offline Access field in our API Settings. Will response back shortly.
Last night I implemented Authorization Code Grant flow ( not PKCE ) with the refreshing token and it works quite good. PKCE needs code challenge and code verifier, which I need to investigate how to in sandboxes environment for LUA. I can’t install anything with LuaRocks so most of the libraries are not suitable If you have any clue on this I’d love to hear it. Also, that would enrich examples for Auth0 Flow
