OAuth 2.0 Authentication
Doc type: Reference
Overview
Yoyo Authorisation uses a standard OAuth2 authorization code flow with credentialed OAuth providers (Google). The system exposes OAuth2/OIDC endpoints for public clients that authenticate with client_id, exact redirect URI registration, and PKCE (S256).
Important: We only support OAuth through credentialed OAuth providers. Users authenticate via these providers (Google), not through direct email/password or passwordless flows.
Supported today
The following flows are available now:
| Flow | Status | Notes |
|---|---|---|
| Authorization code + PKCE (response_type=code, grant_type=authorization_code) | Supported | Public client pattern with token_endpoint_auth_methods_supported=["none"]. |
| OpenID Connect user info (GET /api/oauth/userinfo) | Supported | Requires a signed JWT with an allowlisted issuer and a valid sub claim. |
Not supported yet
The following OAuth2 grant types are not currently implemented:
| Flow or grant type | Status | Current behavior |
|---|---|---|
| Implicit (response_type=token or id_token) | Not supported | Authorization endpoint returns unsupported_response_type. |
| Client credentials (grant_type=client_credentials) | Not supported | Token endpoint returns unsupported_grant_type. |
| Resource owner password credentials | Not supported | No OAuth2 password grant endpoint is exposed. |
| Device authorization grant | Not supported | No device authorization endpoints are exposed. |
| Refresh token grant (grant_type=refresh_token) | Not supported | Token endpoint returns unsupported_grant_type. |
Required constraints
OAuth2 clients must satisfy all of the following:
- client_id must be registered in hosted auth configuration.
- redirect_uri must exactly match a registered URI (host, path, and query).
- PKCE code_challenge_method must be S256.
- Token issuer must be in AUTH_OIDC_ISSUER_ALLOWLIST for user info token validation.
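The constraints above, together with the unsupported_response_type and unsupported_grant_type behaviour from the tables, as an added Python example that is not the Yoyo service's own code: a minimal in-memory authorize and token handler that enforces exact redirect_uri matching and PKCE S256. The client id, redirect URI and storage dicts are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed registration (example only): one public client with one exact redirect URI.
REGISTERED_CLIENTS = {
    "example-client": {"redirect_uris": ["https://app.example.com/cb?env=int"]},
}
ISSUED_CODES = {}  # code -> {"client_id", "redirect_uri", "code_challenge"}


def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ascii(code_verifier))) with padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize(params: dict) -> dict:
    """Validate an /authorize request; error codes are the standard RFC 6749 ones."""
    client = REGISTERED_CLIENTS.get(params.get("client_id"))
    if client is None:
        return {"error": "invalid_client"}
    # Exact string comparison: host, path and query must all be identical, no prefix matching.
    if params.get("redirect_uri") not in client["redirect_uris"]:
        return {"error": "invalid_request", "error_description": "redirect_uri not registered"}
    if params.get("response_type") != "code":  # implicit flow is rejected here
        return {"error": "unsupported_response_type"}
    if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
        return {"error": "invalid_request", "error_description": "PKCE S256 required"}
    code = secrets.token_urlsafe(32)
    ISSUED_CODES[code] = {k: params[k] for k in ("client_id", "redirect_uri", "code_challenge")}
    return {"code": code}


def token(params: dict) -> dict:
    """Redeem a code: only authorization_code is implemented; the verifier must hash to the stored challenge."""
    if params.get("grant_type") != "authorization_code":  # refresh_token, client_credentials, ...
        return {"error": "unsupported_grant_type"}
    record = ISSUED_CODES.pop(params.get("code"), None)  # codes are single use
    if record is None or record["client_id"] != params.get("client_id"):
        return {"error": "invalid_grant"}
    if record["redirect_uri"] != params.get("redirect_uri"):
        return {"error": "invalid_grant"}
    expected = s256_challenge(params.get("code_verifier", "")).encode()
    if not hmac.compare_digest(expected, str(record["code_challenge"]).encode()):
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```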
Optional features
Email prefilling
OAuth clients can include an optional email query parameter when initiating the authorization flow:
https://auth-int.yoyogroup.com/api/oauth/authorize?response_type=code&client_id=<client_id>&redirect_uri=<redirect_uri>&code_challenge=<challenge>&code_challenge_method=S256&email=user%40example.com
Behavior:
- The email address is prefilled on the login page
- Email is normalized to lowercase and validated (basic format check)
- If the email domain is yoyogroup.com, the OKTA SSO flow is automatically initiated
- Invalid email formats are ignored (flow continues normally)
- Email is preserved through the authentication flow via redirect state cookies