class OAuthTagger
- OAuthTagger
- Tagger
- Reference
- Object

Defined in:
tagger/taggers/oauth.cr

Constant Summary
- OAUTH_FLOW_CONTEXT_SEGMENTS = Set {"oauth", "oauth2", "oauth20", "openid", "oidc", "auth", "authentication", "sso"}
  Auth/SSO context segments that mark a /callback, /authorize, or /redirect handler as part of an OAuth/OIDC sign-in flow rather than a payment IPN or a post-action redirect. This mirrors the set the webhook tagger uses to exclude these same callbacks from being tagged as webhooks — keeping the two taggers consistent about what /auth/<provider>/callback is.

- OAUTH_FLOW_VERB_SEGMENTS = Set {"callback", "authorize", "authorization", "redirect"}
  OAuth-flow verbs: the redirect out to the IdP (/redirect, /authorize) and the authorization-code handler coming back (/callback). Many social-login handlers expose no statically extractable params (the code/state arrive at runtime), so the param-corroborated checks below miss them.

- STRONG_URL_PARTS = Set {"oauth", "oauth2", "oauth20", "openid", "oidc"}
  URL path segments that, on their own, strongly imply an OAuth/OIDC surface. Any OAuth parameter alongside one of these is enough.

- WEAK_URL_PARTS = Set {"authorize", "authorization", "token", "callback"}
  URL path segments shared with non-OAuth routes — a CSRF/email "token", a payment "callback", a generic "authorize". These need corroborating parameters before flagging.

- WORDS = Set {"grant_type", "code", "redirect_uri", "redirect_url", "client_id", "client_secret", "response_type", "scope", "state", "code_challenge", "code_challenge_method", "code_verifier", "refresh_token", "access_token", "id_token", "nonce", "audience", "device_code"}
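The three checks these constants drive, reimplemented as an added illustration in Python (this is not the tagger's own Crystal code). The sets are copied from the constants above; the threshold of two OAuth parameters for a weak path segment, the function name, and the sample endpoints are assumptions, since the page only says weak segments need corroborating parameters.

```python
from __future__ import annotations
from urllib.parse import parse_qs, urlsplit

# Same sets as the tagger's constants above.
OAUTH_FLOW_CONTEXT_SEGMENTS = {"oauth", "oauth2", "oauth20", "openid", "oidc",
                               "auth", "authentication", "sso"}
OAUTH_FLOW_VERB_SEGMENTS = {"callback", "authorize", "authorization", "redirect"}
STRONG_URL_PARTS = {"oauth", "oauth2", "oauth20", "openid", "oidc"}
WEAK_URL_PARTS = {"authorize", "authorization", "token", "callback"}
WORDS = {"grant_type", "code", "redirect_uri", "redirect_url", "client_id",
         "client_secret", "response_type", "scope", "state", "code_challenge",
         "code_challenge_method", "code_verifier", "refresh_token",
         "access_token", "id_token", "nonce", "audience", "device_code"}

# Assumption: a weak path segment needs at least two OAuth params to be flagged.
WEAK_MIN_PARAMS = 2


def oauth_tag_reason(url: str, params: set[str] | None = None) -> str | None:
    """Return why an endpoint is tagged as an OAuth/OIDC surface, or None.

    `params` are parameter names found statically (form fields, body keys);
    names from the query string are merged in.
    """
    parts = urlsplit(url)
    segments = {s.lower() for s in parts.path.split("/") if s}
    names = set(params or ()) | set(parse_qs(parts.query).keys())
    oauth_params = names & WORDS

    # 1. A strong segment plus any OAuth parameter is enough.
    if segments & STRONG_URL_PARTS and oauth_params:
        return "strong-path+param"
    # 2. Weak segments are shared with CSRF tokens, payment callbacks, etc.,
    #    so they need corroborating OAuth parameters.
    if segments & WEAK_URL_PARTS and len(oauth_params) >= WEAK_MIN_PARAMS:
        return "weak-path+params"
    # 3. A flow verb under an auth/SSO context catches social-login handlers
    #    whose code/state only arrive at runtime (no static params to see).
    if segments & OAUTH_FLOW_CONTEXT_SEGMENTS and segments & OAUTH_FLOW_VERB_SEGMENTS:
        return "flow-verb-in-auth-context"
    return None


if __name__ == "__main__":
    # Constructed sample endpoints, not taken from any real application.
    for u, p in [("/oauth/token", {"grant_type"}), ("/auth/google/callback", set()),
                 ("/authorize?client_id=x&response_type=code", set()),
                 ("/payments/callback", {"txn_id"}), ("/password/reset/token", {"token"})]:
        print(u, "->", oauth_tag_reason(u, p))
```

Note that a lone "token" or "callback" segment with no OAuth parameters deliberately stays untagged, which is the false-positive case the WEAK_URL_PARTS description is guarding against.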