Auth: Add authorize API endpoint to implement the authorization code flow #2132

Open
opened 2026-02-20 01:06:49 -05:00 by deekerman · 3 comments
Owner

Originally created by @lastzero on GitHub (Jul 3, 2024).

**As a user, I want to be able to connect [mobile/native apps](https://docs.photoprism.app/developer-guide/native-apps/) to my PhotoPrism instance(s) without having to manually [generate app passwords](https://docs.photoprism.app/user-guide/users/client-credentials/#app-passwords) through the web interface and then enter them in the app's settings.**

For this, the `GET /api/v1/oauth/authorize` API endpoint should gather consent and authorization from resource owners when using the Authorization Code Grant flow, optionally with PKCE:

- https://github.com/photoprism/photoprism/blob/develop/internal/api/oauth_authorize.go

Since we are using the (OpenID Foundation certified) [`github.com/zitadel/oidc`](https://github.com/zitadel/oidc) library for the [recently released OIDC client](https://docs.photoprism.app/developer-guide/api/oidc/) implementation, the [`authorize`](https://github.com/photoprism/photoprism/issues/4368) and [`userinfo`](https://github.com/photoprism/photoprism/issues/4369) API endpoints should also be based on it (as much as possible):

- https://github.com/photoprism/photoprism/tree/develop/internal/auth/oidc
- https://github.com/zitadel/oidc

In addition, all pull requests should [include unit tests](https://docs.photoprism.app/developer-guide/code-quality/#test-automation-guidelines) - at least for the core functionality - to ensure that the changes work as expected: https://docs.photoprism.app/developer-guide/pull-requests/#acceptance-criteria

---

Documentation:

- https://docs.photoprism.app/developer-guide/api/#openid-configuration
- https://docs.photoprism.app/developer-guide/api/oidc/#service-discovery
- https://docs.photoprism.app/developer-guide/api/oauth2/

Protocol References:

- https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.2.2
- https://www.oauth.com/oauth2-servers/authorization/the-authorization-request/
- https://www.oauth.com/oauth2-servers/authorization/requiring-user-login/
- https://www.oauth.com/oauth2-servers/authorization/the-authorization-interface/
- https://www.oauth.com/oauth2-servers/authorization/the-authorization-response/
- https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow

Related Issues:

- https://github.com/photoprism/photoprism/issues/4369
- https://github.com/photoprism/photoprism/issues/782
- https://github.com/photoprism/photoprism/issues/3943
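The Authorization Code Grant with PKCE that the issue asks the `authorize` endpoint to handle, as an added example that is not PhotoPrism's code and is not built on `github.com/zitadel/oidc` (which the issue says the real implementation should use): a minimal in-memory authorization server written against the Go standard library, covering the request validation an `authorize` handler must do before showing any login or consent page, the code issuance and redirect after consent, and the token-endpoint exchange that checks the PKCE verifier. `AuthServer`, `ParseAuthorizeRequest`, `IssueCode`, `Exchange`, `NewVerifier`, the client id `photoprism-mobile` and the redirect URI `app://callback` are hypothetical names chosen for this example; the checks themselves follow RFC 6749 and RFC 7636.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"net/url"
	"time"
)

// AuthServer is a hypothetical in-memory authorization server (example code, not PhotoPrism's).
// It is single-goroutine; a real server needs locking and persistent storage for codes.
type AuthServer struct {
	Clients map[string][]string  // client_id -> registered redirect URIs, matched exactly (RFC 6749 §3.1.2.3)
	codes   map[string]*authCode // issued codes that have not been redeemed yet
}

type authCode struct {
	clientID, redirectURI, challenge, subject string
	expires                                   time.Time
}

// AuthorizeRequest holds the validated parameters of GET .../authorize.
type AuthorizeRequest struct{ ClientID, RedirectURI, State, CodeChallenge string }

// ParseAuthorizeRequest validates the query string (RFC 6749 §4.1.1, RFC 7636 §4.3) before any
// login or consent page is rendered. Error strings are the OAuth error codes to report.
func (s *AuthServer) ParseAuthorizeRequest(q url.Values) (*AuthorizeRequest, error) {
	clientID, redirect, registered := q.Get("client_id"), q.Get("redirect_uri"), false
	for _, u := range s.Clients[clientID] { // an unknown client has no URIs and fails below
		registered = registered || u == redirect
	}
	switch {
	case !registered: // never redirect, not even an error, to an unregistered URI
		return nil, errors.New("invalid_request: unknown client_id or unregistered redirect_uri")
	case q.Get("response_type") != "code":
		return nil, errors.New("unsupported_response_type")
	case q.Get("state") == "":
		return nil, errors.New("invalid_request: state is required")
	// Native apps are public clients: PKCE is mandatory and only S256 is accepted, because with
	// "plain" anyone who observed the authorization request could also redeem the code.
	case q.Get("code_challenge") == "" || q.Get("code_challenge_method") != "S256":
		return nil, errors.New("invalid_request: code_challenge with method S256 is required")
	}
	return &AuthorizeRequest{clientID, redirect, q.Get("state"), q.Get("code_challenge")}, nil
}

// IssueCode runs after the resource owner has logged in and consented: it stores a short-lived,
// single-use code bound to the request and returns the redirect (RFC 6749 §4.1.2) echoing state.
func (s *AuthServer) IssueCode(req *AuthorizeRequest, subject string) (code, redirect string) {
	code = randomToken()
	if s.codes == nil {
		s.codes = map[string]*authCode{}
	}
	s.codes[code] = &authCode{req.ClientID, req.RedirectURI, req.CodeChallenge, subject, time.Now().Add(time.Minute)}
	u, _ := url.Parse(req.RedirectURI) // already matched against the registered list, assumed to parse
	u.RawQuery = url.Values{"code": {code}, "state": {req.State}}.Encode()
	return code, u.String()
}

// Exchange redeems a code at the token endpoint (RFC 6749 §4.1.3, RFC 7636 §4.6) and returns the
// subject an access token would be minted for. The code is burned on first use, valid or not.
func (s *AuthServer) Exchange(clientID, redirectURI, code, verifier string) (string, error) {
	ac, ok := s.codes[code]
	delete(s.codes, code)
	if !ok || time.Now().After(ac.expires) || ac.clientID != clientID || ac.redirectURI != redirectURI ||
		!verifyS256(ac.challenge, verifier) {
		return "", errors.New("invalid_grant")
	}
	return ac.subject, nil
}

// verifyS256 checks BASE64URL(SHA256(verifier)) == challenge in constant time (RFC 7636 §4.6).
func verifyS256(challenge, verifier string) bool {
	if n := len(verifier); n < 43 || n > 128 { // RFC 7636 §4.1 length bounds
		return false
	}
	return subtle.ConstantTimeCompare([]byte(s256(verifier)), []byte(challenge)) == 1
}

func s256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b) // 43 unpadded URL-safe characters
}

// NewVerifier is the client side: a random verifier and its S256 challenge (RFC 7636 §4.1-4.2).
func NewVerifier() (verifier, challenge string) {
	verifier = randomToken()
	return verifier, s256(verifier)
}
```

Two details in `Exchange` carry most of the weight for native apps: the code is deleted from the store before the verifier is compared, so a failed attempt cannot be retried against the same code, and the challenge comparison is constant-time. On the `authorize` side, the redirect URI is checked against the registered list before anything else so that an invalid request is never bounced to an attacker-chosen URI, and `state` is required so the client can tie the callback to the request it started.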
@andiz2 commented on GitHub (Jul 13, 2024):

Hi friends! I can take care of this endpoint :).
Would be so much fun.

@lastzero commented on GitHub (Jul 13, 2024):

@andiz2 Excellent! Since we are using the (OpenID Foundation certified) [`github.com/zitadel/oidc`](https://github.com/zitadel/oidc) library for the [recently released OIDC client](https://docs.photoprism.app/developer-guide/api/oidc/) implementation, the `authorize` and `userinfo` API endpoints should also be based on it (as much as possible). I suggest starting with [`GET /api/v1/oauth/userinfo`](https://github.com/photoprism/photoprism/issues/4369) as this should be easier.

Do you already have experience developing in Go? I'll be [happy to help](https://www.photoprism.app/contact) and give feedback on possible solutions before you implement them :)

@andiz2 commented on GitHub (Jul 13, 2024):

@lastzero Thanks for the info :). I've developed some projects in Go before, so I can say I have some experience, but I appreciate your kindness and will contact you for clarifications and feedback for sure.