Chris Coutinho
15113dbb03
fix: remove Hybrid Flow, make Progressive Consent default (ADR-004)
Eliminates scope escalation security vulnerability by removing Hybrid Flow
and making Progressive Consent the only OAuth mode.
Changes:
- Delete oauth_callback() and oauth_token() (Hybrid Flow only, ~314 lines)
- Fix scope flows: Flow 1 requests resource scopes, Flow 2 requests identity+offline
- Remove ENABLE_PROGRESSIVE_CONSENT flag (always enabled in OAuth mode)
- Update documentation to reflect Progressive Consent as default
- Delete test_adr004_hybrid_flow.py test file
- Remove unused variables (ruff lint fixes)
Security improvements:
- No scope escalation: client gets exactly what it requests
- Clear separation: MCP session tokens vs Nextcloud offline tokens
- OAuth2 compliant: follows best practices for scope handling
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-04 00:26:07 +01:00
..
2025-11-04 00:03:24 +01:00
2025-11-04 00:26:07 +01:00
2025-10-24 01:04:30 +02:00
2025-10-19 18:02:43 +02:00
2025-10-14 02:08:45 +02:00
2025-10-24 04:38:49 +02:00
2025-10-14 23:43:03 +02:00
2025-10-14 02:08:45 +02:00
2025-10-14 02:08:45 +02:00
2025-10-24 06:18:13 +02:00
2025-10-25 20:16:14 +02:00
2025-10-18 22:02:26 +02:00