Add OAuth2 PKCE Support for 3rd Party Apps #11814

@mekarpeles

Description

Problem Statement:

  • Patron goes to the Reader App and clicks "Login at Open Library".
  • This triggers an Open Library OAuth API request, which primes Open Library and issues an app_token to/for the Reader App.
  • The desired change: Add an API endpoint so that approved 3rd party apps can request an app_token for initiating the OAuth flow.
  • This token would be passed along to a browser that launches where the patron authenticates on openlibrary.org as usual.
  • Upon authentication success, OpenLibrary.org would redirect back with the authorization token.
  • The app uses the authorization_token to fetch the authentication cookie—matching how the Reader App works with "Basic Auth" (i.e., exchanging email + password for a cookie).

Proposed Implementation:

  • Only require the storage of a short-lived app_token, which must be kept alive just long enough for the authorization_token to make it back to the initiating app.
  • Store this token in memcached, specifically by creating a client on ol-mem0 to avoid cache misses.
  • Example code snippet:
    # create a separate mc client dedicated to oauth, pinned to a single
    # memcached host (ol-mem0) so every OL node reads the token from the
    # same place instead of hashing it across the shared server pool
    from infogami import config
    from openlibrary.utils import olmemcache

    # config value is a list of "host:port" strings; the wrapper (like
    # memcache.Client underneath it) expects a list of servers, so the
    # single chosen host is passed as a one-element list
    mcs = config.get("oauth_memcache_servers")
    mc_oauth = olmemcache.Client([mcs[0]])
  • See Mark Heiman's PoC & documentation for details.

User Flow:

  • The app exchanges verification tokens with Open Library.
  • The app opens the Open Library login page in the user's browser.
  • After login, Open Library redirects to a pre-approved handler page that attempts to reopen the app (with user permission), passing a token for authentication.
  • The app then queries Open Library for an authentication cookie using this token.

Rationale / Benefits:

  • Enables full authentication integration for approved 3rd party apps like mobile Reader apps.
  • Supports users who log in via Archive.org Google authentication rather than local credentials.
  • Provides a platform-independent mechanism (works for iOS, Android, etc.).
  • Is designed to be orthogonal to broader Internet Archive authentication discussions and future changes.

Next Steps:

  • Solicit comments and questions from staff and community members.
  • Review by Open Library staff.
  • Potentially proceed to testing and integration, pending review.

Disclaimer: Code is AI-sourced but built atop well-known OAuth standards. Reference implementation reviewed by engineer with past OAuth experience.
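The token hand-offs described in the Problem Statement and User Flow (app_token, patron login, authorization_token, cookie), as an added Python illustration that is not Open Library's or the PoC's code. The memcached client is stood in for by an in-memory dict with expiry, the TTLs and the approved-app list are constructed values, and the PKCE code_challenge/code_verifier binding is an assumption drawn from the issue title, since the body does not spell it out.

```python
# Added illustration of the issue's token flow; not Open Library code.
# In-memory dict with expiry stands in for the dedicated memcached client.
import base64, hashlib, secrets, time

APP_TOKEN_TTL = 300            # seconds the app_token must survive (assumed)
AUTH_TOKEN_TTL = 60            # seconds the authorization_token is redeemable (assumed)
APPROVED_APPS = {"reader-app"}  # constructed allow-list of approved 3rd party apps

_store = {}  # key -> (expiry, value); stands in for mc_oauth

def _put(key, value, ttl):
    _store[key] = (time.monotonic() + ttl, value)

def _take(key):
    """Read a key exactly once and drop it; None if missing or expired."""
    expiry, value = _store.pop(key, (0.0, None))
    return value if expiry > time.monotonic() else None

def _s256(verifier):
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def make_pkce_pair():
    """App side: random code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    return verifier, _s256(verifier)

def issue_app_token(app_id, code_challenge):
    """Step 1: an approved app requests a short-lived app_token."""
    if app_id not in APPROVED_APPS:
        return None
    app_token = secrets.token_urlsafe(32)
    _put("app:" + app_token, {"app": app_id, "challenge": code_challenge}, APP_TOKEN_TTL)
    return app_token

def authorize(app_token, username):
    """Step 2: after the patron logs in, the app_token becomes an authorization_token."""
    pending = _take("app:" + app_token)   # single use: consumed here
    if pending is None:
        return None
    auth_token = secrets.token_urlsafe(32)
    _put("auth:" + auth_token, {**pending, "user": username}, AUTH_TOKEN_TTL)
    return auth_token

def exchange_for_cookie(auth_token, code_verifier):
    """Step 3: the app redeems the authorization_token once for a session cookie."""
    pending = _take("auth:" + auth_token)
    if pending is None or not secrets.compare_digest(_s256(code_verifier), pending["challenge"]):
        return None
    return f"session={pending['user']}:{secrets.token_hex(8)}"  # constructed cookie shape
```

Both tokens are consumed on first read, so a replayed app_token or authorization_token fails closed, and a redemption with the wrong verifier also burns the token rather than leaving it redeemable.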

Labels:

  • Module: Mobile (Mobile & Progressive Web App)
  • Theme: Security
  • Type: Feature Request (Issue describes a feature or enhancement we'd like to implement. [managed])