OAuth 2.0 Dynamic Client Registration Compatibility #30154
Comments
|
On an adjacent topic, we've noticed that most apps use a secret-based approach that is not necessarily useful, and instead have seen suggestions to have secret-less apps (the only secrets being the user auth tokens) that would be identified by a an actual deferenceable URL with the expected properties. What do you think of this approach, and how would it play into the OAuth 2.0 Dynamic Client Registration (that I am not familiar with)? |
This comment was marked as outdated.
This comment was marked as outdated.
|
The "secretless" that you mentioned @ClearlyClaire may be the "public client" vs "confidential client" concept, which we currently don't support. More on that here: https://auth0.com/docs/get-started/applications/confidential-and-public-applications So like, for a public client, you would only be able to use Authorization |
|
Have just discovered that Doorkeeper will seemingly issue a So we may need to look further into exactly how doorkeeper works here. |
Pitch
At present, Mastodon has an API endpoint for creating OAuth 2.0 applications and getting an
client_id/client_secretpair back, which can then be used in OAuth 2.0 flows. This endpoint isPOST /api/v1/apps, and whilst it is at a surface level fairly similar to OAuth 2.0 Dynamic Client Registration, there are a number of compatibility issues, as such we cannot advertise this endpoint as theregistration_endpointin the OAuth 2.0 Authorization Server Metadata endpoint (implementation in #29191).The following is a non-comprehensive list of incompatibilities or differences:
scopesinstead ofscope(https://datatracker.ietf.org/doc/html/rfc7591#section-2 scopes ), and it's possible to currently send an array of scopes which has odd behaviour (POST /api/v1/appsaccepts a scopes array but sets scopes to default scopes #30152)redirect_urisproperty currently must be a string, when RFC 7591 expects this to be an Array of string (https://datatracker.ietf.org/doc/html/rfc7591#section-2 redirect_uris) (fixed by Support multiple redirect_uris when creating OAuth 2.0 Applications #29192, but still accepts strings for backwards compatibility)client_uri(though we currently havewebsitewhich is analogous).logo_uri,tos_uri,policy_uriorcontacts(using these improves the authenticity and trust of applications registered, so supporting them should be recommended)software_idandsoftware_version— These can be used to prevent duplicate application registrations and group dynamically registered clients.tos_uribut for a Spanish language user you might havetos_uri#eswhich would be displayed to users who are using the Mastodon server in Spanish locale. This can apply to many different fields includingclient_name.token_endpoint_auth_methodofnoneinstead ofclient_secret_postorclient_secret_basic, and when creating theDoorkeeper::Applicationpassingconfidential: false, though I'm not sure if Doorkeeper actually fully supports public clients (since these don't get certain properties & grant flows)My suggestion would be to introduce a new endpoint which is compatible with RFC 7591. This may require extensions to Doorkeeper to support various things such as localisation & additional Application properties.
Originally I proposed a
POST /api/v2/appsendpoint, but given that this would be implementing the OAuth 2 specific response shapes, I think it'd actually be better asPOST /oauth/registrationinstead, as to indicate that it's not returning aApplicationnorCredentialApplicationentity, but returning what the spec says it should return.Motivation
By supporting RFC 7591, we'll be able to have standard OAuth 2.0 client libraries interact easily with our services, we also see an end-user benefit by being able to customise the UI during the OAuth 2.0 authorization flow to be localised for the user and to have richer information.
The text was updated successfully, but these errors were encountered: