OAuth2 Grant Types¶
The OAuth 2.0 specification is an authorization framework that contains a set of methods, or grants, that a client application can use to obtain an access token. Each grant type is designed for a specific use case:
The access token can then be passed to an API endpoint, which checks it to determine validity and authorization scope.
PhotoPrism currently supports practical token-based API access via the token endpoint. The authorization endpoint exists, but the Authorization Code Flow is not usable yet.
Server Endpoints¶
| Resource | Endpoint | Methods |
|---|---|---|
| Authorization | /api/v1/oauth/authorize |
GET |
| Token | /api/v1/oauth/token |
POST |
| UserInfo | /api/v1/oauth/userinfo |
GET |
| Revocation | /api/v1/oauth/revoke |
POST |
| Registration | not implemented | |
| Introspection | not implemented | |
| End Session | not implemented | |
| Device Authorization | not implemented |
Clients can query the /.well-known/oauth-authorization-server and /.well-known/openid-configuration endpoints for automatic service discovery:
- https://demo.photoprism.app/.well-known/oauth-authorization-server
- https://demo.photoprism.app/.well-known/openid-configuration
The token endpoint accepts client_credentials requests and PhotoPrism-specific password and session grants. The authorization and userinfo endpoints are currently placeholders that return 405 Method Not Allowed, and the discovery metadata intentionally advertises only the interoperable parts that are implemented today.
Access Tokens¶
When clients have a valid access token, e.g. obtained through the POST /api/v1/oauth/token endpoint, they can use a standard Bearer Authorization header to authenticate their requests:
Authorization: Bearer <token>
Submitting the access token with a custom X-Auth-Token header is supported as well:
curl -H "X-Auth-Token: 7dbfa37b5a3db2a9e9dd186479018bfe2e3ce5a71fc2f955" \
http://localhost:2342/api/v1/photos?count=10
Besides using the API endpoints provided for this, you can also generate valid access tokens by running the photoprism auth add command in a terminal.
App passwords can be used as access tokens in the Bearer Authorization header without first creating a session access token, and to obtain short-lived session access tokens through the POST /api/v1/session endpoint.
Related Issues¶
- API: Expose Prometheus-style metrics endpoint #3730
- Monitoring: Add a Prometheus-compatible API endpoint #213
- Account: Add Support for 2-Factor Authentication #808
- Account: Add Support for OpenID Connect (OIDC) #782
- Multi-User Photo Gallery with private and shared photos/albums #98
Protocol References¶
- https://datatracker.ietf.org/doc/html/rfc8693
- https://prometheus.io/docs/prometheus/latest/configuration/configuration/#oauth2
- https://www.scottbrady91.com/oauth/client-authentication#:~:text=OAuth%20client%20secrets
- https://www.scottbrady91.com/oauth/oauth-is-not-user-authorization
- https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/
- https://www.oauth.com/oauth2-servers/access-tokens/access-token-lifetime/
- https://www.oauth.com/oauth2-servers/access-tokens/access-token-response/
- https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/
- https://www.oauth.com/oauth2-servers/authorization/the-authorization-request/
- https://www.oauth.com/oauth2-servers/authorization/requiring-user-login/
- https://www.oauth.com/oauth2-servers/authorization/the-authorization-interface/
- https://www.oauth.com/oauth2-servers/authorization/the-authorization-response/
- https://learn.microsoft.com/en-us/linkedin/shared/authentication/programmatic-refresh-tokens
- https://oauth.net/2/grant-types/client-credentials/
- https://oauth.net/2/scope/
- https://datatracker.ietf.org/doc/html/rfc6749#section-4.4
- https://auth0.com/docs/get-started/authentication-and-authorization-flow/call-your-api-using-the-client-credentials-flow#example-post-to-token-url
- https://auth0.com/intro-to-iam/what-is-oauth-2
- https://auth0.com/docs/authenticate/protocols/oauth
- https://auth0.com/docs/secure/tokens/id-tokens/id-token-structure
- https://auth0.com/docs/authenticate/protocols/openid-connect-protocol
- https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2#grant-type-client-credentials
- https://aaronparecki.com/oauth-2-simplified/
- https://rclone.org/webdav/
- https://owncloud.dev/clients/rclone/webdav-sync-oidc/
- https://www.webdavsystem.com/server/documentation/choosing_authentication/
- http://www.webdav.org/specs/rfc2617.html#rfc.section.4.1
- https://frontegg.com/blog/oauth-grant-types
Authentication Libraries¶
- zitadel/oidc
- https://pkg.go.dev/golang.org/x/oauth2
- https://pkg.go.dev/golang.org/x/oauth2/jwt
- go-oauth2/oauth2
- pquerna/otp
Documentation Examples¶
- https://learn.microsoft.com/en-us/machine-learning-server/operationalize/how-to-manage-access-tokens
- https://docs.semui.co/administration-guide/openid
- https://api.stackexchange.com/docs/authentication
- https://dev.fitbit.com/build/reference/web-api/developer-guide/authorization/
- https://cloudentity.com/developers/basics/oauth-client-authentication/client-secret-authentication/
- https://developer.okta.com/docs/reference/api/oidc/#get-started
- https://www.authelia.com/configuration/identity-providers/open-id-connect/
- https://goauthentik.io/integrations/sources/oauth/#openid-connect
- https://developers.google.com/identity/openid-connect/openid-connect
- https://connect2id.com/products/server/docs/api
- https://connect2id.com/products/server/docs/api/discovery
- https://connect2id.com/products/server/docs/api/authorization
- https://connect2id.com/products/server/docs/api/token
- https://www.zoho.com/accounts/protocol/oauth/token-limits.html
- https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication-recovery-methods
- https://help.akana.com/content/current/cm/api_oauth/oauth_oauth20/m_oauth20_getTokenPOST.htm
- https://help.akana.com/content/current/cm/api_oauth/aaref/Ref_Values.htm#values_oauthgranttypes