Closed joshlacal closed 1 month ago
Looks like a bug indeed. This bug should be addressed by this PR.
This is on the top of my list so should be fixed soon.

FYI, `blue.catbird:/callback` and `https://catbird.blue/oauth/callback` should work.

The following redirect uris are not allowed:
- `blue.catbird://callback` is not allowed (only a single slash can be used)
- `http://` redirect uris are only allowed with `127.0.0.1` or `[::1]` hostname
Describe the bug

I've been working on trying to get OAuth implemented in my Swift library and app, and I've run into some errors and some things that are confusing me compared to the specs.

From the specs:

In my app/library, so far I have tried:
- `blue.catbird:/callback`
- `https://catbird.blue/oauth/callback`
- `blue.catbird://callback`
- `http://catbird.blue/callback`

Each time I updated my `client-metadata.json` appropriately. But I continue to get 400 errors:

Is the server expecting an HTTP (not HTTPS) localhost URI? My understanding is that contradicts the specs, as they should allow ? Native apps would have to implement a web server then I believe. Is that intended?
To Reproduce

Steps to reproduce the behavior:

1. Set Up Client Metadata (`client-metadata.json`):
   - `client_id`: `"https://catbird.blue/oauth/client-metadata.json"`
   - `application_type`: `"native"`
   - `redirect_uris`: tried each of the following in separate attempts:
     - `["blue.catbird:/callback"]`
     - `["https://catbird.blue/oauth/callback"]`
     - `["blue.catbird://callback"]`
     - `["http://catbird.blue/callback"]`
   - `response_types`: `["code"]`
   - `grant_types`: `["authorization_code", "refresh_token"]`
   - `scope`: `"atproto transition:generic transition:chat.bsky"`
   - `token_endpoint_auth_method`: `"none"`
   - `dpop_bound_access_tokens`: `true`
2. Initiate the OAuth Authorization Flow:
   - `client_id` and `redirect_uri`.
   - `https://bsky.social/oauth/par` with the above configuration.
3. Observe the Response: `invalid_redirect_uri`.

Expected Behavior
According to the atproto OAuth specifications:
- Custom URI Schemes for Native Clients:
  - `redirect_uri` may use a custom URI scheme to redirect back to the app.
  - `client_id` hostname in reverse-domain order.
  - (`:`) and a single forward slash (`/`), then a URI path component.
- Use of HTTPS URIs:

I would expect the authorization server to accept `redirect_uri` values like `blue.catbird:/callback` or `https://catbird.blue/oauth/callback` for my native app, as they conform to the specifications.

Actual Behavior
The authorization server rejects both custom URI schemes and HTTPS URLs for the `redirect_uri`, returning errors that suggest native clients must use HTTP redirect URIs. When attempting to use an HTTP URI (`http://catbird.blue/callback`), I receive an error stating that "Loopback redirect URIs are only allowed for native apps," even though my `application_type` is set to `"native"`.

Details

(`client-metadata.json`):
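As an added illustration (not code from this issue or from the atproto project), the following Python validator encodes the `redirect_uri` rules stated in the maintainer's reply: a custom scheme must be the `client_id` hostname in reverse-domain order followed by `:` and exactly one `/`, `https` callbacks are accepted, and plain `http` is accepted only for the `127.0.0.1` or `[::1]` loopback hosts. The names `LOOPBACK_HOSTS`, `custom_scheme_for` and `check_redirect_uri` are my own; the sample URIs are the four the report tried.

```python
from urllib.parse import urlsplit

# Illustrative validator, not the authorization server's own code. Hosts that
# may be used with plain http; urlsplit().hostname strips the brackets from an
# IPv6 literal, so "http://[::1]/..." yields "::1".
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def custom_scheme_for(client_id: str) -> str:
    """Reverse-domain form of the client_id hostname: catbird.blue -> blue.catbird."""
    host = urlsplit(client_id).hostname or ""
    return ".".join(reversed(host.split(".")))


def check_redirect_uri(client_id: str, redirect_uri: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a native client's redirect_uri."""
    parts = urlsplit(redirect_uri)
    scheme = parts.scheme  # urlsplit already lowercases the scheme
    if not scheme:
        return False, "redirect_uri has no scheme"

    if scheme == "https":
        # Callback on the client's own web origin; needs a hostname.
        if parts.hostname:
            return True, "https redirect uri"
        return False, "https redirect uri needs a hostname"

    if scheme == "http":
        # Plain http is only accepted for loopback hosts (any port, any path).
        if parts.hostname in LOOPBACK_HOSTS:
            return True, "http loopback redirect uri"
        return False, "http:// redirect uris are only allowed with 127.0.0.1 or [::1] hostname"

    # Everything else is a custom app scheme: it must equal the client_id
    # hostname reversed and be followed by ':' and exactly one '/'.
    expected = custom_scheme_for(client_id)
    if scheme != expected:
        return False, f"custom scheme must be {expected!r}, got {scheme!r}"
    after_colon = redirect_uri.split(":", 1)[1]
    if after_colon.startswith("//"):
        return False, "only a single slash can be used after the custom scheme"
    if not after_colon.startswith("/"):
        return False, "custom scheme must be followed by '/' and a path"
    return True, "custom scheme redirect uri"


if __name__ == "__main__":
    client_id = "https://catbird.blue/oauth/client-metadata.json"  # from the report
    for uri in ("blue.catbird:/callback", "https://catbird.blue/oauth/callback",
                "blue.catbird://callback", "http://catbird.blue/callback"):
        ok, why = check_redirect_uri(client_id, uri)
        print(f"{uri:40} {'allowed' if ok else 'rejected'}: {why}")
```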