Does the OAuth domain have to be the same as the plugin API domain?

Hey,

I was going through your documentation to implement the OAuth flow.
As we are building a tool helping plugin creators to implement SignIn through our platform, I wanted to know whether it’s okay if the API plugin domain is not the same as the AUTH domain.

Here is an example (truncated) manifest:

{
    "auth": {
        "type": "oauth",
        "client_url": "https://auth.pluginlab.ai/authorize",  << DIFFERENT URL
        "authorization_url": "https://auth.pluginlab.ai/auth",  << DIFFERENT URL
        "authorization_content_type": "application/json"
    },
    "api": {
        "type": "openapi",
        "url": "https://example.com/openapi.yaml",  << DIFFERENT URL
        "is_user_authenticated": false
    }
}

In this example you can see the API domain is example.com whereas the AUTH domain is auth.pluginlab.ai.

Would that be okay?

Let me know if that needs to be clarified :slight_smile:

Thanks for your response :slight_smile:

Hi @kevinpiac

You might find reading domain security and verification guidelines helpful.

Hey @sps ,

Thanks for your answer!

Actually, I might be missing something but I don’t find any response to my question on this page.

The documentation explains the domain constraints related to contact_info, legal_info and api.url but there is no constraint mentioned for authorization and client_url (auth flow).

Please let me know if I’m misreading something. :slight_smile:

Thanks for the clarification.

Yes indeed there doesn’t seem to be any such requirement about the authorization url directly mentioned in the docs.
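
An added example, not written by anyone in this thread and not the platform's own verification logic: a small audit that lists every URL in a plugin manifest and marks which ones sit on a different site than `api.url`, so a reviewer sees at a glance where the OAuth endpoints live. The sample manifest is constructed from the one in the question (annotations removed), and the "last two labels" site comparison is an assumption that stands in for a proper Public Suffix List lookup.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the manifest from the question, annotations removed.
SAMPLE_MANIFEST = """
{
  "auth": {
    "type": "oauth",
    "client_url": "https://auth.pluginlab.ai/authorize",
    "authorization_url": "https://auth.pluginlab.ai/auth",
    "authorization_content_type": "application/json"
  },
  "api": {
    "type": "openapi",
    "url": "https://example.com/openapi.yaml",
    "is_user_authenticated": false
  }
}
"""

def site(host):
    # Assumption: naive grouping by the last two labels (wrong for e.g. co.uk).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def collect_urls(node, path=""):
    """Yield (dotted_path, url) for each string value that is an absolute http(s) URL."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from collect_urls(value, f"{path}.{key}" if path else key)
    elif isinstance(node, str):
        try:
            parts = urlsplit(node)
        except ValueError:  # malformed URL text, e.g. a broken IPv6 literal
            return
        if parts.scheme in ("http", "https") and parts.hostname:
            yield path, node

def audit_manifest(text, reference="api.url"):
    """Report host, HTTPS use and same-site status of every URL against `reference`."""
    urls = dict(collect_urls(json.loads(text)))
    if reference not in urls:
        raise ValueError(f"manifest has no URL at {reference}")
    ref_site = site(urlsplit(urls[reference]).hostname)
    return [{"field": path, "host": urlsplit(url).hostname,
             "https": urlsplit(url).scheme == "https",
             "same_site": site(urlsplit(url).hostname) == ref_site}
            for path, url in urls.items()]

if __name__ == "__main__":
    for row in audit_manifest(SAMPLE_MANIFEST):
        print(row)
```
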