Document public-client (PKCE) OAuth flow and CLI browser login #1031
Merged
The DNSimple OAuth provider now supports public clients that authenticate with PKCE (RFC 7636, S256) instead of a client secret, plus loopback redirect URIs with dynamic ports (RFC 8252 section 7.3) for native and CLI apps. The CLI also now defaults to an interactive browser login.

Update the customer-facing docs to match:

- content/v2/oauth.md: introduce confidential vs public clients; add the PKCE parameters (code_challenge / code_challenge_method on authorize, code_verifier on token exchange); mark client_secret as confidential-only; extend the invalid_grant / invalid_request error cases for PKCE; add a "Native and CLI apps (loopback redirect URIs)" section. Note that creating a public OAuth application is currently available upon request.
- content/cli.md: document browser login as the default for `dnsimple auth login`, with API token login available via `--with-token` (paste or pipe). Restructure the Authentication section into Browser login, Token login, and Managing contexts.
Pemacaa reviewed Jun 17, 2026
Pemacaa reviewed Jun 17, 2026
Pemacaa reviewed Jun 17, 2026
Pemacaa approved these changes Jun 17, 2026
weppos added a commit to dnsimple/dnsimple-support that referenced this pull request Jun 18, 2026
Updates the CLI and OAuth support articles to match the [new browser-based OAuth login](dnsimple/cli#42) for the DNSimple CLI and the underlying OAuth flow changes (PKCE and public clients). Related to dnsimple/dnsimple-developer#1031
- Align the public-client availability note with the support article framing (web apps registered by default; public clients on request).
- Remove the duplicate availability note from the loopback section; the note in the client-types intro is enough.
weppos added a commit to dnsimple/dnsimple-support that referenced this pull request Jun 18, 2026
Follow-up to #1984. The OAuth applications article described the loopback callback URL port matching inaccurately for `localhost`: it grouped `http://localhost` with the loopback IP literals and said *"the port is matched leniently."* Only the loopback IP literals `127.0.0.1` and `::1` get port leniency (RFC 8252 §7.3); `localhost` is matched strictly, including its port. Rather than restate the precise runtime matching rule here (which is exactly how the `localhost` error crept in), this article now keeps to the **registration constraint** (what callback URL forms you may enter) and defers the **runtime matching semantics** to the [OAuth developer guide](https://developer.dnsimple.com/v2/oauth/), which already owns that detail and is already linked from this article. The precise rule now lives in exactly one customer-facing place (the developer guide, dnsimple/dnsimple-developer#1031), so it can't drift across surfaces again.
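The matching rule stated in the commit message above (port leniency for the loopback IP literals `127.0.0.1` and `::1` only, `localhost` matched strictly including its port), sketched as an added example. This is not DNSimple's implementation or code from this pull request; the function names, the `http`-only leniency, and the rejection of userinfo and fragments are assumptions of the sketch.

```python
"""Loopback redirect-URI matching: port leniency for IP literals only."""
from urllib.parse import urlsplit

# Only these hosts get port leniency (RFC 8252 section 7.3); "localhost" does not.
LOOPBACK_IP_LITERALS = {"127.0.0.1", "::1"}


def _split(uri):
    """Return (scheme, host, port, path, query), or None if the URI is unusable."""
    try:
        u = urlsplit(uri)
        port = u.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    # Assumption: userinfo and fragments are never valid in a redirect URI.
    if "@" in u.netloc or u.fragment or not u.hostname:
        return None
    return u.scheme.lower(), u.hostname.lower(), port, u.path, u.query


def redirect_uri_matches(registered, presented):
    """Hypothetical helper: does the presented redirect_uri match the registered one?"""
    reg, got = _split(registered), _split(presented)
    if reg is None or got is None:
        return False
    if reg[0] == "http" and reg[1] in LOOPBACK_IP_LITERALS:
        # Loopback IP literal: compare everything except the port, so a CLI
        # can bind whatever ephemeral port the OS hands out.
        return reg[:2] + reg[3:] == got[:2] + got[3:]
    # Every other host, including localhost: exact match, port included.
    return reg == got


if __name__ == "__main__":
    # Constructed sample URIs, not taken from the DNSimple docs.
    print(redirect_uri_matches("http://127.0.0.1/callback",
                               "http://127.0.0.1:49152/callback"))
    print(redirect_uri_matches("http://localhost:8080/callback",
                               "http://localhost:49152/callback"))
```

The host is compared after parsing rather than by string prefix, so a presented URI such as `http://127.0.0.1.evil.example/callback` does not inherit the loopback treatment.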
DNSimple introduced a new OAuth mechanism for the CLI, along with changes to the OAuth flow itself. This updates the customer-facing developer docs to match.
On the server, the OAuth provider now supports public clients that authenticate with PKCE (RFC 7636, S256) instead of a `client_secret`, plus loopback redirect URIs with dynamic ports (RFC 8252 §7.3) for native and CLI apps. On the CLI side, `dnsimple auth login` now defaults to an interactive browser login, with API token login available via `--with-token`.

Related to dnsimple/dnsimple-support#1984