Comments (4)
On an adjacent topic, we've noticed that most apps use a secret-based approach that is not necessarily useful, and instead have seen suggestions to have secret-less apps (the only secrets being the user auth tokens) that would be identified by an actual dereferenceable URL with the expected properties. What do you think of this approach, and how would it play into the OAuth 2.0 Dynamic Client Registration (that I am not familiar with)?
from mastodon.
Yeah, so, even in Dynamic Client Registration, you're still generating a secret, but the assumption is more that you can't keep a secret, so those clients expire more quickly. If we wanted to reduce the reliance on the secret, we'd probably need to look at DPoP + PKCE where the token is bound to the client.
The "secretless" that you mentioned @ClearlyClaire may be the "public client" vs "confidential client" concept, which we currently don't support. More on that here: https://auth0.com/docs/get-started/applications/confidential-and-public-applications
So like, for a public client, you would only be able to use Authorization code grant flow with PKCE, and not the other grant flows (e.g., client_credentials). DPoP can be added to further enhance security. When using Authorization Code Flow with Proof Key for Code Exchange (PKCE), no application needs to be registered first, since the client cannot keep anything about the application a secret. Doorkeeper does support PKCE.
Have just discovered that Doorkeeper will seemingly issue a client_secret for a non-confidential client (I don't think it should?), and will allow a client_credentials grant flow for a non-confidential client (it shouldn't per specification, but it's hard to link to the section), and allows passing a client_secret (or not) for authorization_code grant flow for non-confidential clients...

So we may need to look further into exactly how Doorkeeper works here.
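As an added illustration of the public vs. confidential client rules the last two comments describe (example code, not Doorkeeper's or Mastodon's): a token-endpoint policy that refuses client_credentials to public clients (RFC 6749 §4.4 restricts that grant to confidential clients), requires the client secret only for confidential clients, and for public clients verifies the PKCE S256 challenge instead of a secret. The module and method names are hypothetical; the only real values used are the RFC 7636 Appendix B test vectors.

```ruby
# Added example, not Doorkeeper code. Module/method names are hypothetical.
require 'digest'
require 'base64'

module PublicClientPolicy
  # Grants a public client may use. client_credentials is left out:
  # RFC 6749 s4.4 says it MUST only be used by confidential clients.
  PUBLIC_GRANTS = %w[authorization_code refresh_token].freeze

  def self.grant_allowed?(grant_type, confidential:)
    return true if confidential
    PUBLIC_GRANTS.include?(grant_type)
  end

  # RFC 7636 s4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
  # RFC 7636 Appendix B vector: verifier "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
  # gives challenge "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM".
  def self.s256_challenge(code_verifier)
    Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier), padding: false)
  end

  # Token-endpoint decision for an authorization_code exchange:
  # - a confidential client must present its registered secret;
  # - a public client presents no secret and must instead prove PKCE;
  # - both comparisons are constant-time.
  def self.authorize_code_exchange?(confidential:, stored_secret: nil, presented_secret: nil,
                                    stored_challenge: nil, code_verifier: nil, method: 'S256')
    if confidential
      return false if stored_secret.nil? || presented_secret.nil?
      return secure_compare(stored_secret, presented_secret)
    end
    # Only S256 is accepted; "plain" offers no protection against code interception.
    return false unless method == 'S256' && stored_challenge && code_verifier
    # RFC 7636 s4.1: verifier is 43..128 unreserved characters.
    return false unless code_verifier.match?(/\A[A-Za-z0-9\-._~]{43,128}\z/)
    secure_compare(s256_challenge(code_verifier), stored_challenge)
  end

  # Length-then-XOR comparison so a mismatch does not leak position via timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```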