[PDFBolt]

Good breakdown! OAuth2 is one of those things that feels simple until you actually have to implement it. Curious how do you see OAuth2 fitting into workflows where users need to generate and securely access documents, like PDFs? We’ve found that balancing ease of access with security (especially for things like temporary document URLs) can get tricky.

[adeptima]

Expand to OIDC and use session based mechanism with some kind of policy engine?

Never saw a good example of how to implement a proper access to pdf or other downloadable documents.

What is your approach? Any good code base in open source to learn from?

[PDFBolt]

Yeah, OIDC with session-based access makes sense, especially for enforcing policies dynamically. For secure PDF access, we’ve found pre-signed URLs to be a solid approach. They allow temporary, controlled access without requiring ongoing authentication.

Here’s a simple example using AWS S3 (or any S3-compatible storage) to generate a pre-signed URL for a PDF: https://github.com/pdfbolt/generate-s3-presigned-url

This works well for temporary document access in workflows like report generation, invoicing, and legal docs.

[adeptima]

Thanx for sharing!

What if pre-signed URL is leaked, you cannot invalidate a pre-signed URL without rotating credentials or changing bucket policies, right?

I was thinking about signed cookies or API gateways type of solutions.

[PDFBolt]

You're right. Pre-signed URLs can’t be revoked once issued, but one way to mitigate the risk is by setting a short expiration time when generating them. For example, if the URL is only valid for 5-10 minutes, it remains secure, and the risk of misuse is minimal.