bluesky-social / atproto

Social networking technology created by Bluesky

OAuth login issues with native apps #2814

Closed joshlacal closed 4 weeks ago

joshlacal commented 1 month ago

Describe the bug

I've been working on trying to get OAuth implemented in my Swift library and app, and I've run into some errors and some things that are confusing me compared to the specs.

From the specs:

redirect_uri (string, required): must match against URIs declared in client metadata and have a format consistent with the application_type declared in the client metadata. See below.

For native clients, the redirect_uri may use a custom URI scheme to have the operating system redirect the user back to the app, instead of a web browser. The custom scheme must match the client_id hostname in reverse-domain order. The URI scheme must be followed by a single colon (:) then a single forward slash (/) and then a URI path component. For example, an app with client_id https://app.example.com/client-metadata.json could have a redirect_uri of com.example.app:/callback.

redirect_uris (array of strings, required): the fully-qualified redirect/callback URL is declared here.

"Mobile or Desktop App": App Link (Android), Universal Link (iOS), or Client-specific URI scheme

In my app/library, so far I have tried:

- blue.catbird:/callback
- https://catbird.blue/oauth/callback
- blue.catbird://callback
- http://catbird.blue/callback

Each time I updated my client-metadata.json appropriately. But I continue to get 400 errors:

Is the server expecting an HTTP (not HTTPS) localhost URI? My understanding is that this contradicts the specs, as they should allow ? Native apps would have to implement a web server then, I believe. Is that intended?

To Reproduce

Steps to reproduce the behavior:

  1. Set Up Client Metadata (client-metadata.json):

    • client_id: "https://catbird.blue/oauth/client-metadata.json"
    • application_type: "native"
    • redirect_uris: Tried each of the following in separate attempts:
      • ["blue.catbird:/callback"]
      • ["https://catbird.blue/oauth/callback"]
      • ["blue.catbird://callback"]
      • ["http://catbird.blue/callback"]
    • response_types: ["code"]
    • grant_types: ["authorization_code", "refresh_token"]
    • scope: "atproto transition:generic transition:chat.bsky"
    • token_endpoint_auth_method: "none"
    • dpop_bound_access_tokens: true
  2. Initiate the OAuth Authorization Flow:

    • Configure Swift library to start the OAuth flow with the specified client_id and redirect_uri.
    • Make a Pushed Authorization Request (PAR) to https://bsky.social/oauth/par with the above configuration.
  3. Observe the Response:

    • The server responds with a 400 Bad Request error indicating an invalid_redirect_uri.

Expected Behavior

According to the atproto OAuth specifications:

I would expect the authorization server to accept redirect_uri values like blue.catbird:/callback or https://catbird.blue/oauth/callback for my native app, as they conform to the specifications.

Actual Behavior

The authorization server rejects both custom URI schemes and HTTPS URLs for the redirect_uri, returning errors that suggest native clients must use HTTP redirect URIs. When attempting to use an HTTP URI (http://catbird.blue/callback), I receive an error stating that "Loopback redirect URIs are only allowed for native apps," even though my application_type is set to "native".

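The redirect_uri rules quoted above (exact match against the declared list, custom scheme equal to the client_id hostname in reverse-domain order followed by a single colon and a single slash, https URLs allowed for native apps) can be checked client-side before sending a PAR, which makes it easy to tell a metadata mistake apart from a server bug like the one reported here. The following validator is an added example written for this issue, not code from the atproto repository or the reporter's Swift library. The loopback rule (plain http accepted only for 127.0.0.1 / ::1, and only when application_type is "native") and the rejection of http to any other host are assumptions taken from the error text in the report, not from the quoted spec excerpt.

```python
"""Client-side redirect_uri checks for atproto OAuth client metadata.

Added example for this issue; it mirrors the rules quoted from the spec
and is not the authorization server's own implementation.
"""
from urllib.parse import urlparse

# Assumption: which hosts count as "loopback" for plain-http redirects.
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def reverse_domain(host: str) -> str:
    """'catbird.blue' -> 'blue.catbird' (custom scheme expected for that client_id)."""
    return ".".join(reversed(host.lower().split(".")))


def validate_redirect_uri(client_id: str, application_type: str,
                          redirect_uri: str, registered: list[str]) -> tuple[bool, str]:
    """Return (ok, reason) for one redirect_uri against the client metadata."""
    # Rule 1: the value must be one of the URIs declared in redirect_uris.
    if redirect_uri not in registered:
        return False, "redirect_uri is not declared in client metadata"

    # client_id is an https URL; its hostname decides the allowed custom scheme.
    cid = urlparse(client_id)
    if cid.scheme != "https" or not cid.hostname:
        return False, "client_id must be an https URL"
    expected_scheme = reverse_domain(cid.hostname)

    scheme, sep, rest = redirect_uri.partition(":")
    if not sep or not scheme:
        return False, "redirect_uri has no scheme"
    scheme = scheme.lower()

    if scheme == "https":
        # Universal Link / App Link style redirect: an absolute https URL.
        if not urlparse(redirect_uri).hostname:
            return False, "https redirect_uri must have a host"
        return True, "https redirect accepted"

    if scheme == "http":
        # Assumption: plain http is only meaningful for a loopback listener.
        host = urlparse(redirect_uri).hostname
        if host not in LOOPBACK_HOSTS:
            return False, "http redirect URIs are only allowed for loopback addresses"
        if application_type != "native":
            return False, "Loopback redirect URIs are only allowed for native apps"
        return True, "loopback redirect accepted"

    # Anything else is a custom scheme: native apps only, reverse-domain of the
    # client_id host, then exactly one colon, one slash, and a path component.
    if application_type != "native":
        return False, "custom URI schemes are only allowed for native apps"
    if scheme != expected_scheme:
        return False, f"custom scheme must be {expected_scheme!r}, got {scheme!r}"
    if not rest.startswith("/") or rest.startswith("//") or len(rest) < 2:
        return False, "custom scheme must be followed by ':' then a single '/' and a path"
    return True, "custom scheme redirect accepted"


def check_metadata(metadata: dict) -> dict[str, tuple[bool, str]]:
    """Validate every declared redirect_uri of a client-metadata document."""
    return {
        uri: validate_redirect_uri(metadata["client_id"], metadata["application_type"],
                                   uri, metadata["redirect_uris"])
        for uri in metadata["redirect_uris"]
    }


if __name__ == "__main__":
    # Constructed metadata using the four values tried in the report.
    sample = {
        "client_id": "https://catbird.blue/oauth/client-metadata.json",
        "application_type": "native",
        "redirect_uris": ["blue.catbird:/callback", "https://catbird.blue/oauth/callback",
                          "blue.catbird://callback", "http://catbird.blue/callback"],
    }
    for uri, (ok, why) in check_metadata(sample).items():
        print(f"{'OK ' if ok else 'BAD'} {uri}: {why}")
```

Run against the four values from the report, the two that the spec permits pass and the two that do not (double slash after the scheme, plain http to a public host) are rejected with a reason, so a 400 on a URI this check accepts points at the server rather than at the metadata.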

matthieusieben commented 1 month ago

Looks like a bug indeed. This bug should be addressed by this PR.

This is on the top of my list so should be fixed soon.

FYI, blue.catbird:/callback and https://catbird.blue/oauth/callback should work.

The following redirect uris are not allowed: