
Document new OAuth changes for 4.3.0 #1445

Merged
merged 26 commits into from
Oct 10, 2024

Conversation

ThisIsMissEm
Contributor

@ThisIsMissEm ThisIsMissEm commented May 15, 2024

This branch is based on #1444

@ThisIsMissEm
Contributor Author

I have noticed that there is some churn here due to my editor using Prettier for markdown documents. We may want to consider adopting prettier for this repository.

@ThisIsMissEm ThisIsMissEm force-pushed the chore/document-oauth-changes branch from 92be172 to 9e25eff Compare May 15, 2024 19:12
@ThisIsMissEm ThisIsMissEm mentioned this pull request May 17, 2024
79 tasks
@ThisIsMissEm ThisIsMissEm requested a review from mjankowski June 9, 2024 18:46
@andypiper andypiper self-assigned this Jun 10, 2024
@andypiper andypiper added the API The Mastodon core API label Jun 10, 2024
Review threads (all resolved): content/en/api/oauth-scopes.md (3, two outdated), content/en/client/authorized.md (2, both outdated), content/en/methods/oauth.md (2, both outdated), content/en/methods/push.md (1), content/en/methods/streaming.md (2)

This pull request has merge conflicts that must be resolved before it can be merged.

@ThisIsMissEm
Contributor Author

Have addressed the majority of the code review comments and left replies where I disagree with said comments or need more information.


This pull request has resolved merge conflicts and is ready for review.


This pull request has merge conflicts that must be resolved before it can be merged.


This pull request has resolved merge conflicts and is ready for review.

@ThisIsMissEm ThisIsMissEm force-pushed the chore/document-oauth-changes branch 2 times, most recently from 26f9c77 to 4c929cf Compare October 1, 2024 19:58
Comment on lines -37 to +59
Password grant flow
: For bots and other single-user applications

Client credentials flow
: For applications that do not act on behalf of users

### Token revocation endpoint (RFC 7009 Section 2) {#revoke}
Mastodon has historically supported the Password Grant flow, however, usage is [not recommended](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-resource-owner-password-cre) by the OAuth 2 Specification authors due to security issues, and has subsequently been removed from future versions of Mastodon. Instead, it is recommended that you create an OAuth Application for that user, and use the generated Access Token for interacting with the API.
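Review bot: The phrase "has subsequently been removed from future versions of Mastodon" in the added paragraph reads as though the Password Grant flow is already gone, yet the author's own note on this thread says it is not actually deprecated in 4.3; reword to "is scheduled for removal in a future version" (or name the version once known) so readers of the 4.3 docs do not assume the grant has stopped working. Also, in this excerpt the paragraph appears directly after the "### Token revocation endpoint (RFC 7009 Section 2) {#revoke}" heading; confirm it lands in the grant-types section (next to the "Password grant flow" definition-list entry it replaces) rather than under the revocation heading.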
Contributor Author


@ClearlyClaire This is the change I did for the removal of the Password Grant Flow Type. Since it's not actually deprecated in 4.3, I've just made it a paragraph explaining it has been supported, but not when it's removed.


## OAuth 2 Security Considerations

### Proof Key for Code Exchange (PKCE) {#pkce}
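Review bot: The PKCE section in this excerpt is heading-only, and the author's later comment says the accepted PKCE parameters are documented separately on the oauth/authorize and oauth/token endpoints; add at least one sentence under this heading stating that PKCE is supported on those two endpoints and linking to them, so a reader who lands on the security-considerations section is not left with only the external explanation.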
Contributor Author


@ClearlyClaire this is the documentation I've gone with to explain PKCE, I think linking to OAuth.net's documentation around PKCE explains this better than I could here.

Contributor Author


I have separately documented on the oauth/authorize and oauth/token endpoints that we accept the PKCE parameters.
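
The PKCE exchange discussed in this thread, as an added example that is not part of the pull request or of Mastodon's own code: the client derives a code_verifier and its S256 code_challenge per RFC 7636, and the token endpoint recomputes the challenge from the presented verifier. It assumes the standard parameter names (code_challenge, code_challenge_method, code_verifier) and the /oauth/authorize path; the test vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def _b64url(data: bytes) -> str:
    # RFC 7636 uses base64url without padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    # RFC 7636 section 4.1: 43..128 chars from the unreserved set. 32 random
    # bytes base64url-encoded give exactly 43 characters.
    return _b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    # RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier)))
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_query(base: str, client_id: str, redirect_uri: str,
                          scope: str, verifier: str) -> str:
    # Client side: the challenge, never the verifier, goes in the authorize
    # request. Parameter names are the standard RFC 7636 ones (assumed here).
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{base.rstrip('/')}/oauth/authorize?{urlencode(params)}"


def verify_code_challenge(stored_challenge: str, method: str,
                          presented_verifier: str) -> bool:
    # Server side (token endpoint): recompute from the verifier sent with the
    # code and compare in constant time. Unknown methods and verifiers outside
    # the RFC length bounds are rejected outright.
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif method == "plain":
        expected = presented_verifier
    else:
        return False
    return secrets.compare_digest(expected, stored_challenge)
```

A server that accepts the "plain" method gains nothing over no PKCE against an attacker who can observe the authorize request, which is why S256 is the method to document as expected.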

@ThisIsMissEm ThisIsMissEm force-pushed the chore/document-oauth-changes branch from 4c929cf to fb058f0 Compare October 1, 2024 20:20
@ThisIsMissEm
Contributor Author

@renchap have rebased this and finished the two remaining tasks.

@vmstan vmstan requested review from a team October 8, 2024 15:04
Contributor

@oneiros oneiros left a comment


I added two tiny, tiny remarks, otherwise this looks good to me and should be merged asap.

Review threads (resolved, outdated): content/en/methods/oauth.md, content/en/api/oauth-scopes.md
@oneiros oneiros merged commit cb3aa4d into mastodon:main Oct 10, 2024
@oneiros
Contributor

oneiros commented Oct 10, 2024

I took the liberty to commit my two small adjustments, so that we can finally merge.

Feel free to open up a follow-up PR if you disagree with my changes. And thanks for all the hard work on this!

@ThisIsMissEm ThisIsMissEm deleted the chore/document-oauth-changes branch October 10, 2024 16:48
@ThisIsMissEm
Contributor Author

@oneiros those changes looked good, I think in the future reworking all this documentation to be more like AT Protocol's OAuth documentation might be a good idea. I think the current tutorial-based documentation leaves a lot to be desired.

6 participants