Temporary authorization codes issued to clients after user consent (pending grants).

| Name | Type | Default | Nullable | Children | Parents | Comment |
|---|---|---|---|---|---|---|
| client_id | uuid | | false | | public.oauth_clients | Client receiving the authorization code. |
| code_challenge | text | | true | | | PKCE code_challenge derived from code_verifier. |
| code_challenge_method | pkce_method | | true | | | PKCE method (“S256” strongly recommended). |
| created_at | timestamp with time zone | now() | false | | | Creation timestamp. |
| digest | bytea | | false | | | One-time authorization code (hashed at rest). |
| dpop_jkt | text | | true | | | DPoP JKT field (currently unused; DPoP binding occurs at /token endpoint, not at /authorize). |
| expires_at | timestamp with time zone | | false | | | Expiration time for the code (short-lived). |
| jti | uuid | gen_random_uuid() | false | | | Unique identifier for logging/trace. |
| metadata | jsonb | '{}'::jsonb | false | | | Free-form JSON for diagnostics (device/ip, etc.). |
| nonce | varchar(64) | | true | | | OIDC nonce to be echoed into the ID token. |
| redirect_uri | text | | false | | | Must match the value used in the authorize request. |
| scopes | text[] | '{}'::text[] | false | | | Scopes approved for this code. |
| updated_at | timestamp with time zone | now() | false | | | Last update timestamp (maintained by trigger). |
| used | boolean | false | false | | | TRUE once exchanged; codes are single-use. |
| user_id | uuid | | false | | public.users | End-user (resource owner) who authorized the client. |

| Name | Type | Definition |
|---|---|---|
| dpop_jkt_shape_chk | CHECK | CHECK (((dpop_jkt IS NULL) OR ((length(dpop_jkt) >= 43) AND (length(dpop_jkt) <= 128)))) |
| expires_at_reasonable | CHECK | CHECK ((expires_at <= (now() + '00:15:00'::interval))) |
| oauth_auth_codes_client_id_fkey | FOREIGN KEY | FOREIGN KEY (client_id) REFERENCES oauth_clients(id) ON DELETE CASCADE |
| oauth_auth_codes_client_id_not_null | n | NOT NULL client_id |
| oauth_auth_codes_created_at_not_null | n | NOT NULL created_at |
| oauth_auth_codes_digest_not_null | n | NOT NULL digest |
| oauth_auth_codes_expires_at_not_null | n | NOT NULL expires_at |
| oauth_auth_codes_jti_not_null | n | NOT NULL jti |
| oauth_auth_codes_metadata_not_null | n | NOT NULL metadata |
| oauth_auth_codes_pkey | PRIMARY KEY | PRIMARY KEY (digest) |
| oauth_auth_codes_redirect_uri_not_null | n | NOT NULL redirect_uri |
| oauth_auth_codes_scopes_not_null | n | NOT NULL scopes |
| oauth_auth_codes_updated_at_not_null | n | NOT NULL updated_at |
| oauth_auth_codes_used_not_null | n | NOT NULL used |
| oauth_auth_codes_user_id_fkey | FOREIGN KEY | FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE |
| oauth_auth_codes_user_id_not_null | n | NOT NULL user_id |
| pkce_pairing_chk | CHECK | CHECK ((((code_challenge IS NULL) AND (code_challenge_method IS NULL)) OR ((code_challenge IS NOT NULL) AND (code_challenge_method IS NOT NULL)))) |
| redirect_uri_valid | CHECK | CHECK (is_valid_oauth_uri(redirect_uri)) |
| scopes_token_chars | CHECK | CHECK (scopes_all_valid(scopes)) |

| Name | Definition | Comment |
|---|---|---|
| idx_oauth_auth_codes_expires_at | CREATE INDEX idx_oauth_auth_codes_expires_at ON public.oauth_auth_codes USING btree (expires_at) | Speeds eviction/lookup of expiring authorization codes. |
| oauth_auth_codes_pkey | CREATE UNIQUE INDEX oauth_auth_codes_pkey ON public.oauth_auth_codes USING btree (digest) | |

| Name | Definition |
|---|---|
| set_timestamp_oauth_auth_codes | CREATE TRIGGER set_timestamp_oauth_auth_codes BEFORE UPDATE ON public.oauth_auth_codes FOR EACH ROW EXECUTE FUNCTION trigger_set_timestamp() |

Generated by tbls