misskey-dev / misskey

🌎 A completely free and open interplanetary microblogging platform πŸš€
https://misskey-hub.net/
GNU Affero General Public License v3.0
10.08k stars 1.38k forks source link

Support OAuth Client ID Metadata Documents #14349

Open ThisIsMissEm opened 3 months ago

ThisIsMissEm commented 3 months ago

Summary

As the Misskey team is probably aware, given miauth, OAuth currently requires pre-registration of clients via either an out-of-band process or, in mastodon API verbage, a POST to /api/v1/apps. The latter is very similar to OAuth Dynamic Client Registration, which we've realised has some pretty big issues when it comes to federated and decentralised service using OAuth, as such, we've written a new IETF Internet Draft to simplify the process of getting a valid client when performing OAuth authorization code grant flows.

Here's the Mastodon ticket for supporting this new internet draft: https://github.com/mastodon/mastodon/issues/31151

https://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html

By using this draft, which Mastodon plans to support, Bluesky is implementing and IndieAuth now uses, clients can register automatically with the OAuth Authorization Server (Misskey in this case)

Purpose

This allows you to completely deprecate miauth in favor of OAuth 2.0, whilst still not requiring an explicit application registration before starting the authorization code grant flow.

Do you want to implement this feature yourself?

ThisIsMissEm commented 3 months ago

Provided I can secure funding, I'd be able and willing to implement this in Misskey, and also help you team move towards a more standardised OAuth 2.0 implementation, for instance:

Here's how much is changing in the next release of Mastodon relating to OAuth 2.0: https://github.com/mastodon/documentation/pull/1445

kakkokari-gtyih commented 3 months ago

Misskey already implements IndieAuth-enhanced OAuth 2.0. Is there any difference between that and the method you propose?

https://misskey-hub.net/en/docs/for-developers/api/token/oauth/

ThisIsMissEm commented 3 months ago

Yes, this is the internet draft which IndieAuth has now adopted (no more parsing HTML for client metadata, just a JSON document)

https://indieauth.spec.indieweb.org/#changes-from-12-february-2022-to-this-version

(note: I'm working with Aaron Parecki, the current editor of the IndieAuth spec on this internet draft)