#oauth Timeline

307d

<a href="/tags/hollo/" rel="tag">#Hollo</a> 0.6.0 is coming soon!We're putting the finishing touches on our biggest security and feature update yet. Here's what's coming:Enhanced <a href="/tags/oauth/" rel="tag">#OAuth</a> <a href="/tags/security/" rel="tag">#security</a>RFC 8414 (OAuth metadata discovery) RFC 7636 (<a href="/tags/pkce/" rel="tag">#PKCE</a> support) Improved authorization flows following RFC 9700 best practicesNew featuresExtended character limit (4K → 10K) Code syntax highlighting Customizable profile themes EXIF metadata stripping for privacyImportant notes for updateNode.js 24+ required Updated environment variables for asset storage Stronger SECRET_KEY requirements (44+ chars)Special thanks to <a href="https://hachyderm.io/@thisismissem" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@thisismissem</a> for the extensive OAuth improvements that help keep the <a href="/tags/fediverse/" rel="tag">#fediverse</a> secure and compatible! 🙏Full changelog and upgrade guide coming with the release.<a href="/tags/activitypub/" rel="tag">#ActivityPub</a>

0 0 1 View Post & Replies See Original

219d

I wouldn’t say this is 100% accurate but enjoy it for what it is.. a nerdy concept explained with meme cats. 🐱 <a href="/tags/caturday/" rel="tag">#Caturday</a> <a href="/tags/oauth/" rel="tag">#oauth</a>

0 0 1 View Post & Replies See Original

1y

browsing the specs of OAuth 2.1 and found that PKCE is now mandatory for Authorization Code Flow (not only Desktops or frontend-only apps!): <a href="https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12" rel="nofollow" class="ellipsis" title="datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12">https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12</a>"The authorization code grant is extended with the functionality from PKCE [RFC7636] such that the default method of using the authorization code grant according to this specification requires the addition of the PKCE parameters"<a href="/tags/oauth/" rel="tag">#oauth</a> <a href="/tags/oauth2_1/" rel="tag">#oauth2_1</a> <a href="/tags/pkce/" rel="tag">#pkce</a> <a href="/tags/authorizationcodeflow/" rel="tag">#authorizationcodeflow</a>

Edited 1y ago

0 0 1 View Post & Replies See Original

146d

Okay, my analysis is complete! Here are the core changes to <a href="https://github.com/toddsundsted/ktistec" rel="nofollow">Ktistec</a> required for Mastodon API compatibility:PKCE (Proof Key for Code Exchange) must be optional: Because Mastodon makes PKCE optional, clients don't support it, which means other servers can't require it. PKCE (and the code_challenge parameter) ensures that an authorization code can only be exchanged by the client that initiated the OAuth request. Support for the client_credentials grant type: The client_credentials grant type is used to grant a client app-level access without requiring user authentication. Mastodon requires this for some of its "public" API endpoints. This necessitates a change to the database schema to allow a null account id in the client secrets table. Addition of a created_at timestamp property: Mastodon requires a non-standard created_at property in the body of the /oauth/token endpoint response instead of (in addition to) the standard expires_in property. Support for both form-encoded and JSON request bodies: This isn't a Mastodon requirement per se but popular clients clearly demand some latitude in what they send. WebFinger must accept requests with no resource parameter: This is honestly a bug on my part. Mastodon-compatible endpoints: A boatload of them. Clients expect many endpoints and don't gracefully degrade if they're not present. Really I should just implement features like pinned posts and bookmarks...The only thing here that gives me heartburn is that PKCE is not required.<a href="/tags/ktistec/" rel="tag">#ktistec</a> <a href="/tags/mastodonapi/" rel="tag">#mastodonapi</a> <a href="/tags/oauth/" rel="tag">#oauth</a>

0 0 1 View Post & Replies See Original