Auth (OAuth2 + PKCE)
User identity across the RBS ecosystem. Camino is the OAuth2 provider; every other app is a client.
- Status: LIVE
- Provider: Camino (camino.redbroomsoftware.com)
- Flow: OAuth2 Authorization Code with PKCE (RFC 7636)
- Scopes: openid profile email
TL;DR
1. Your app → Camino /oauth/authorize?client_id=&code_challenge=...
2. User logs in at Camino
3. Camino → your app /oauth/callback?code=&state=
4. Your app → Camino /oauth/token (exchange code + code_verifier)
5. Your app → Camino /oauth/userinfo (Bearer <access_token>)
Endpoints
| Method | Path | Purpose |
|---|---|---|
| GET | /.well-known/openid-configuration | OIDC discovery |
| GET | /oauth/authorize | Start auth flow |
| POST | /oauth/token | Exchange code or refresh token |
| GET | /oauth/userinfo | Current user (Bearer access token) |
| POST | /oauth/revoke | Revoke access or refresh token |
SDK helpers
```ts
import { RBSAuth, generateState, validateState } from '@r-bsoftware/ecosystem-sdk'
```
For the complete sequence diagram, client registration procedure, and reference implementations, see the SDK source (`rbs-auth.ts`, `ecosystem-auth.ts`) and the OIDC discovery document at https://camino.redbroomsoftware.com/.well-known/openid-configuration.
Server-to-server
For partner apps that don't need a user session, use API keys instead:
```http
Authorization: Bearer <api_key>
```
API keys are provisioned in Colectiva; contact api-support@redbroomsoftware.com.
Gotchas
- Refresh tokens rotate. Every `/oauth/token` call with `grant_type=refresh_token` returns a new refresh token; persist it or lose the session.
- State parameter is required. Use `generateState()` / `validateState()` from the SDK for CSRF protection. Raw random bytes are not sufficient; the SDK enforces replay detection.
- Pre-registered clients only. There are 21 OAuth clients registered in Camino today (one per ecosystem app). New third-party integrations require a registration ticket; this is not self-service yet.
- PKCE is mandatory for all flows (no public/confidential distinction). S256 code challenge is the only accepted method.
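The PKCE side of TL;DR steps 1, 3 and 4, as an added example that is not taken from the RBS SDK: it derives the S256 challenge per RFC 7636, builds the `/oauth/authorize` URL, and releases the stored `code_verifier` only once per callback. Assumptions: `CLIENT_ID` and `REDIRECT_URI` are placeholders, `pending` is a hypothetical server-side store, and `state` is passed in as an opaque string (produce and validate it with the SDK's `generateState()` / `validateState()`, whose signatures are not shown on this page).

```javascript
// Added example: PKCE (S256) for the authorization-code flow described above.
const { createHash, randomBytes } = require('node:crypto');

const ISSUER = 'https://camino.redbroomsoftware.com';          // from the page
const CLIENT_ID = 'YOUR_CLIENT_ID';                             // placeholder
const REDIRECT_URI = 'https://app.example.com/oauth/callback';  // assumed host

// RFC 7636 section 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
function s256Challenge(verifier) {
  return createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// Step 1: mint a fresh verifier for this login and build the redirect URL.
function beginLogin(pending, state) {
  const verifier = randomBytes(32).toString('base64url'); // 43 unreserved chars
  pending.set(state, verifier); // stays server-side; never sent to the browser
  const url = new URL('/oauth/authorize', ISSUER);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    scope: 'openid profile email',
    state,
    code_challenge: s256Challenge(verifier),
    code_challenge_method: 'S256', // the only method Camino accepts
  }).toString();
  return { url: url.toString(), verifier };
}

// Steps 3-4: on callback, build the POST /oauth/token form body exactly once.
function tokenRequestBody(pending, query) {
  const verifier = pending.get(query.state);
  if (!verifier || !query.code) throw new Error('unknown or already-used state');
  pending.delete(query.state); // a replayed callback finds no verifier
  return new URLSearchParams({
    grant_type: 'authorization_code',
    code: query.code,
    redirect_uri: REDIRECT_URI,
    client_id: CLIENT_ID,
    code_verifier: verifier,
  });
}
```

Send the returned body as `application/x-www-form-urlencoded` to `/oauth/token`, and persist the refresh token from every response because it rotates.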
Source of truth
- OpenID discovery document: https://camino.redbroomsoftware.com/.well-known/openid-configuration
- SDK source: `@r-bsoftware/ecosystem-sdk` → `rbs-auth.ts`, `ecosystem-auth.ts`