OAuth 2.0 standards support in Mastodon
Technical Discussion
3
Posts
2
Posters
0
Views
-
So, as far as I can tell, Mastodon supports:
- Authorization code flow
- PKCE
- Authorization server metadata
It doesn't seem to support:
It instead uses a proprietary endpoint.
thisismissem is that about right? Is there work underway to support CIMD (preferred) or dynamic registration (less good but a more established standard)?
-
I believe CIMD is planned, and at some point expiring access tokens & refresh tokens will also land, and maybe in a distant future DPoP too.
DCR has a client registration proliferation problem, which is why Mastodon want CIMD.
-
Token revocation and userinfo endpoint are also implemented.
issindication on redirects is also recommended, but not planned yet
Gli ultimi otto messaggi ricevuti dalla Federazione
-
Token revocation and userinfo endpoint are also implemented. iss indication on redirects is also recommended, but not planned yet
-
I believe CIMD is planned, and at some point expiring access tokens & refresh tokens will also land, and maybe in a distant future DPoP too.
DCR has a client registration proliferation problem, which is why Mastodon want CIMD.
-
So, as far as I can tell, Mastodon supports:
Authorization code flow PKCE Authorization server metadataIt doesn't seem to support:
OAuth Dynamic Client Registration Client ID Metadata DocumentsIt instead uses a proprietary endpoint.
thisismissem is that about right? Is there work underway to support CIMD (preferred) or dynamic registration (less good but a more established standard)?
-
@julian Nice workaround. They should describe it in the FEP
-
This way, @DailyRucks gives out permission slips which are “shaped” in a way that is instantly verifiable, no database and no internal state required.
The only problem is that the ID of the quoting post is an arbitrary URI, and passing full URIs as query string parameters is brittle. It seems to work for Mastodon post IDs, but other platforms might have more complex URI schemas.
I guess we'll see what happens! 😀
Project website with link to the git repository: https://fietkau.software/daily_rucks
🧵 6/6
-
That's why it's not possible to simply reply “ya sure” to every quote verification request. The response has to affirmatively state which quote it is for.
So I thought, instead of keeping a list of prior quotes in a local database, why not embed them in the ID (URI) of the verification stamp? That way the code could simply echo them back out for any future request.
Turns out this works! You can see an example here: https://fietkau.software/daily_rucks/ap/quoteAuth?stamp=2025-11-08;https%3A%2F%2Fexample.com%2Fsome-post
🧵 5/6
-
While reading FEP-044f, I had an idea for getting around that requirement. It's difficult to explain without getting extremely technical, but I think it could be interesting for platform implementers who want to offer blanket quotability to Mastodon users, but who have shied away from FEP-044f for its state management requirements.
Basically, a quote authorization stamp payload (see https://codeberg.org/fediverse/fep/src/branch/main/fep/044f/fep-044f.md#example-of-quoteauthorization) has to contain the IDs of the quoting post and the quoted post.
🧵 4/6
-
This bureaucracy is necessary for verification of consent, but it is a bit of a pain for software implementers who want to give blanket quoting permissions, like bot authors.
Making your account quotable by Mastodon takes more than a simple declaration: it has to have the ability to respond affirmatively to quote requests, and to confirm or deny the legitimacy of existing quotes.
Generally this means having to at least keep track of everyone who has quoted you.
🧵 3/6
