Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support OAuth Client ID Metadata Documents #14349

Open
1 task
ThisIsMissEm opened this issue Jul 31, 2024 · 3 comments
Open
1 task

Support OAuth Client ID Metadata Documents #14349

ThisIsMissEm opened this issue Jul 31, 2024 · 3 comments
Labels
✨Feature This adds/improves/enhances a feature

Comments

@ThisIsMissEm
Copy link

Summary

As the Misskey team is probably aware, given miauth, OAuth currently requires pre-registration of clients via either an out-of-band process or, in mastodon API verbage, a POST to /api/v1/apps. The latter is very similar to OAuth Dynamic Client Registration, which we've realised has some pretty big issues when it comes to federated and decentralised service using OAuth, as such, we've written a new IETF Internet Draft to simplify the process of getting a valid client when performing OAuth authorization code grant flows.

Here's the Mastodon ticket for supporting this new internet draft: mastodon/mastodon#31151

https://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html

By using this draft, which Mastodon plans to support, Bluesky is implementing and IndieAuth now uses, clients can register automatically with the OAuth Authorization Server (Misskey in this case)

Purpose

This allows you to completely deprecate miauth in favor of OAuth 2.0, whilst still not requiring an explicit application registration before starting the authorization code grant flow.

Do you want to implement this feature yourself?

  • Yes, I will implement this by myself and send a pull request
@ThisIsMissEm ThisIsMissEm added the ✨Feature This adds/improves/enhances a feature label Jul 31, 2024
@ThisIsMissEm
Copy link
Author

Provided I can secure funding, I'd be able and willing to implement this in Misskey, and also help you team move towards a more standardised OAuth 2.0 implementation, for instance:

  • supporting RFC 8414 for Authorization Server Metadata discovery
  • supporting PKCE for Authorization Code grant flows
  • supporting Issuer Identification for OAuth flows.

Here's how much is changing in the next release of Mastodon relating to OAuth 2.0: mastodon/documentation#1445

@kakkokari-gtyih
Copy link
Contributor

Misskey already implements IndieAuth-enhanced OAuth 2.0. Is there any difference between that and the method you propose?

https://misskey-hub.net/en/docs/for-developers/api/token/oauth/

@ThisIsMissEm
Copy link
Author

ThisIsMissEm commented Aug 1, 2024
edited
Loading

Yes, this is the internet draft which IndieAuth has now adopted (no more parsing HTML for client metadata, just a JSON document)

https://indieauth.spec.indieweb.org/#changes-from-12-february-2022-to-this-version

(note: I'm working with Aaron Parecki, the current editor of the IndieAuth spec on this internet draft)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
✨Feature This adds/improves/enhances a feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ThisIsMissEm @kakkokari-gtyih