andstatus / andstatus

Multiple accounts client for multiple Social networks. For Android
http://andstatus.org/
Apache License 2.0

required "client_secret" param is missing when calling "Mastodon" /oauth/token #578

Closed diligiant closed 1 year ago

diligiant commented 1 year ago

Encountered while trying to login with a newly downloaded app on the Play Store (says v60.01 (361)).

Rigorous OAuth servers won't let this pass ;)

yvolk commented 1 year ago

Hello @diligiant Maybe you mean the Friendica's bug that we discussed recently: https://github.com/andstatus/andstatus/issues/569#issuecomment-1383509331 Please read there. And Friendica was fixed.

diligiant commented 1 year ago

Hello @yvolk, so you're basically pointing out that you have the only complaint app amongst the ≈30 I tested ;) thank you so much. What a world!

diligiant commented 1 year ago

@yvolk you made me read a lot ;) Here, in [rfc6749 section-2.3.1](https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1), I read:

> Alternatively, the authorization server MAY support including the client credentials in the request-body using the following parameters:
>
> client_id REQUIRED
> client_secret REQUIRED

and later a POST /token example is provided.

It is also explained here: OIDC Core, 9. Client Authentication (references 2.3.1 too).

yvolk commented 1 year ago

@diligiant OK, let's read and investigate more :-) First of all, as https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1 says, and as even your quote has "Alternatively ...", meaning that "including the client credentials in the request-body" is only one of several possible methods, and this method is "NOT RECOMMENDED" - read this in the spec:

> Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes)

AndStatus does use the HTTP Basic authentication scheme, preferred by the spec. For more details, with a link to the ScribeJava team's response (the ScribeJava library is actually signing requests for us...), see here: https://github.com/andstatus/andstatus/issues/530

diligiant commented 1 year ago

I did a little experiment with a mock mastodon

and tested with ≈20 iOS and Android apps. This doesn't change anything; they all go but you for "client_secret_post". This was the reason for my issue: "go with the flow" even if that's unfortunate.

My mock is much better thanks to this exchange so thank you.

yvolk commented 1 year ago

@diligiant AndStatus does work with Mastodon servers, and this is the most important thing. So your "Mastodon mock" also should work with AndStatus in order to be a correct mock :-)
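The two client authentication methods the thread argues about, written out as an added example (this is not AndStatus, ScribeJava or Mastodon code, and not from either participant). It builds a token request the `client_secret_basic` way (credentials in the `Authorization` header, the method RFC 6749 prefers) and the `client_secret_post` way (credentials in the form body, allowed but NOT RECOMMENDED), and a mock `/oauth/token` handler that accepts either, as a spec-following server, or a correct mock, should, while rejecting a request that uses both. The client id, secret, authorization code and the `REGISTERED_CLIENTS` registry are constructed values; the HTTP exchange is modelled as a plain dict of headers and body so it runs offline.

```python
"""Constructed example of RFC 6749 section 2.3.1 client authentication at a
token endpoint. Not AndStatus, ScribeJava or Mastodon code; the client id,
client secret and authorization code are made-up values."""
import base64
import hmac
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed client registry; a real server looks this up in its database.
REGISTERED_CLIENTS = {"andstatus-demo": "s3cr3t-value"}


class ClientAuthError(Exception):
    """Carries the HTTP status and OAuth error code to return."""
    def __init__(self, status, error):
        super().__init__(error)
        self.status, self.error = status, error


def basic_auth_request(client_id, client_secret, code):
    """client_secret_basic: credentials in the Authorization header, the
    method RFC 6749 prefers. Per 2.3.1 both values are form-urlencoded
    before being joined with ':' and base64-encoded."""
    pair = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    token = base64.b64encode(pair.encode()).decode()
    return {
        "headers": {"Authorization": f"Basic {token}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "authorization_code", "code": code}),
    }


def post_body_request(client_id, client_secret, code):
    """client_secret_post: credentials as body parameters. Allowed by 2.3.1
    but NOT RECOMMENDED, which is what the thread argues about."""
    return {
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "authorization_code", "code": code,
                           "client_id": client_id, "client_secret": client_secret}),
    }


def extract_client_credentials(request):
    """Accept either method, as a spec-following server should, but reject a
    request that uses both (section 2.3 allows one method per request)."""
    form = {k: v[0] for k, v in parse_qs(request["body"]).items()}
    in_body = "client_id" in form and "client_secret" in form
    auth = request["headers"].get("Authorization", "")
    in_header = auth.startswith("Basic ")
    if in_header and in_body:
        raise ClientAuthError(400, "invalid_request")
    if in_header:
        try:
            raw = base64.b64decode(auth[len("Basic "):], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            raise ClientAuthError(401, "invalid_client")
        client_id, sep, client_secret = raw.partition(":")
        if not sep:
            raise ClientAuthError(401, "invalid_client")
        return unquote(client_id), unquote(client_secret)
    if in_body:
        return form["client_id"], form["client_secret"]
    raise ClientAuthError(401, "invalid_client")


def token_endpoint(request):
    """Mock /oauth/token: returns (status, json-like dict)."""
    try:
        client_id, client_secret = extract_client_credentials(request)
    except ClientAuthError as exc:
        return exc.status, {"error": exc.error}
    # Look up an empty secret for unknown ids so the comparison runs either
    # way; compare_digest keeps the check constant-time for equal lengths.
    expected = REGISTERED_CLIENTS.get(client_id, "")
    if not expected or not hmac.compare_digest(expected.encode(), client_secret.encode()):
        return 401, {"error": "invalid_client"}
    return 200, {"access_token": "constructed-token", "token_type": "Bearer"}


if __name__ == "__main__":
    for build in (basic_auth_request, post_body_request):
        req = build("andstatus-demo", "s3cr3t-value", "c0de")
        print(build.__name__, token_endpoint(req))
```

A mock that only looks for `client_id`/`client_secret` in the body is the "not rigorous" case from the first comment: it returns `invalid_client` to a client that authenticated correctly with HTTP Basic. The handler above distinguishes "no credentials at all" (401) from "two methods at once" (400), which is what a server that wants to fail closed rather than guess should do.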

yvolk commented 1 year ago

@diligiant And BTW I don't only "go with the flow", but also change the flow sometimes: I took part in ActivityPub spec and my suggestions were included in its text https://www.w3.org/TR/activitypub/

diligiant commented 1 year ago

I was about to start with "I've read along that you've been thorough", so yeah! (A genuine thank you, as you've made me read.)

And that's exactly my point: unless I've missed it many times, Masto doesn't mention BasicAuth, just the secret_post stuff. Whether it's on because the underlying sdk does it by default or because they've enabled it without bothering to update the documentation, that's "not good".

Things should be easy and predictable for you; it's not.

yvolk commented 1 year ago

> Masto doesn't mention BasicAuth...

We have different points of view. Looking wider in space and in time, today's Mastodon is one of many client-to-server implementations. AndStatus supported Twitter, GNU Social and Pump.io when Mastodon didn't exist yet. In recent years I'm mostly working on support of the ActivityPub Client-to-Server (C2S) API, and we progressed here with three different server systems: Pleroma (some years ago), Microblog.pub and Friendica. I think Mastodon will "change its flow" and will have to join the AP C2S club also :-)

So no wonder that AndStatus doesn't work like the other 30 apps that you tested: our main focus is on compliance with open specifications, sustainability and openness to new solutions. This is why, when I searched for a proper OAuth implementation some years ago, I chose the ScribeJava library that "Supports all (50+) major 1.0a and 2.0 OAuth APIs out-of-the-box". And this is why AndStatus happened to work in a more OAuth 2.0 compliant way ;-)