OAuth login issues with native apps

[joshlacal]

Describe the bug

I've been working on trying to get OAuth implemented in my Swift library and app, and I've run into some errors and some things that are confusing me compared to the specs.

From the specs:

redirect_uri (string, required): must match against URIs declared in client metadata and have a format consistent with the application_type declared in the client metadata. See below.

For native clients, the redirect_uri may use a custom URI scheme to have the operating system redirect the user back to the app, instead of a web browser. The custom scheme must match the client_id hostname in reverse-domain order. The URI scheme must be followed by a single colon (:) then a single forward slash (/) and then a URI path component. For example, an app with client_id https://app.example.com/client-metadata.json could have a redirect_uri of com.example.app:/callback.

redirect_uris (array of strings, required): the fully-qualified redirect/callback URL is declared here.

"Mobile or Desktop App": App Link (Android), Universal Link (iOS), or Client-specific URI scheme

In my app/library, so far I have tried: -blue.catbird:/callback -https://catbird.blue/oauth/callback -blue.catbird://callback -http://catbird.blue/callback

Each time I updated my client-metadata.json appropriately. But I continue to get 400 errors:

• Received 400 Bad Request: ["error_description": "Native clients must use HTTP redirect URIs (got blue.catbird:/callback)", "error": "invalid_redirect_uri"]
• Received 400 Bad Request: ["error": "invalid_redirect_uri", "error_description": "Native clients must use HTTP redirect URIs (got https://catbird.blue/oauth/callback)"]
• Received 400 Bad Request: ["error_description": "Native clients must use HTTP redirect URIs (got blue.catbird://callback)", "error": "invalid_redirect_uri"]
• (http://catbird.blue/callback) Received 400 Bad Request: ["error_description": "Loopback redirect URIs are only allowed for native apps", "error": "invalid_redirect_uri"]

Is the server expecting an HTTP (not HTTPS) localhost URI? My understanding is that contradicts the specs, as they should allow ? Native apps would have to implement a web server then I believe. Is that intended?

To Reproduce

Steps to reproduce the behavior:

1. Set Up Client Metadata (client-metadata.json):

   • client_id: "https://catbird.blue/oauth/client-metadata.json"
   • application_type: "native"
   • redirect_uris: Tried each of the following in separate attempts:
     • ["blue.catbird:/callback"]
     • ["https://catbird.blue/oauth/callback"]
     • ["blue.catbird://callback"]
     • ["http://catbird.blue/callback"]
   • response_types: ["code"]
   • grant_types: ["authorization_code", "refresh_token"]
   • scope: "atproto transition:generic transition:chat.bsky"
   • token_endpoint_auth_method: "none"
   • dpop_bound_access_tokens: true

2. Initiate the OAuth Authorization Flow:

   • Configure Swift library to start the OAuth flow with the specified client_id and redirect_uri.
   • Make a Pushed Authorization Request (PAR) to https://bsky.social/oauth/par with the above configuration.

3. Observe the Response:

   • The server responds with a 400 Bad Request error indicating an invalid_redirect_uri.

Expected Behavior

According to the atproto OAuth specifications:

• Custom URI Schemes for Native Clients:

  • The redirect_uri may use a custom URI scheme to redirect back to the app.
  • The custom scheme must match the client_id hostname in reverse-domain order.
  • The URI scheme must be followed by a single colon (:) and a single forward slash (/), then a URI path component.
  • Example from the spec:

    client_id: "https://app.example.com/client-metadata.json"
    redirect_uri: "com.example.app:/callback"

• Use of HTTPS URIs:

  • For mobile or desktop apps, a Universal Link (iOS) or App Link (Android) can be used.

I would expect the authorization server to accept redirect_uri values like blue.catbird:/callback or https://catbird.blue/oauth/callback for my native app, as they conform to the specifications.

Actual Behavior

The authorization server rejects both custom URI schemes and HTTPS URLs for the redirect_uri, returning errors that suggest native clients must use HTTP redirect URIs. When attempting to use an HTTP URI (http://catbird.blue/callback), I receive an error stating that "Loopback redirect URIs are only allowed for native apps," even though my application_type is set to "native".

Details

• Operating System: iOS
• Programming Language: Swift
• Authorization Server: Bluesky atproto OAuth server
• Client Metadata File (client-metadata.json):

  {
  "client_id": "https://catbird.blue/oauth/client-metadata.json",
  "application_type": "native",
  "redirect_uris": ["blue.catbird:/callback"],
  "response_types": ["code"],
  "grant_types": ["authorization_code", "refresh_token"],
  "scope": "atproto transition:generic transition:chat.bsky",
  "token_endpoint_auth_method": "none",
  "dpop_bound_access_tokens": true
  }

[matthieusieben]

Looks like a bug indeed. This bug should be addressed by this PR.

This is on the top of my list so should be fixed soon.

FYI, blue.catbird:/callback and https://catbird.blue/oauth/callback should work.

The following redirect uris are not allowed:

• blue.catbird://callback is not allowed (only a single slash can be used)
• http:// redirect uris are only allowed with 127.0.0.1 or [::1] hostname