Open erlend-sh opened 5 months ago
Just tested Gotosocial. Needs PKCE support like OpenGist: https://github.com/superseriousbusiness/gotosocial/issues/2225.
Do keep in mind that Mastodon does not implement OIDC for API access, but does for SSO. That is, Mastodon is always an OAuth 2 provider / authorization server; however, it can be configured to do SSO via OIDC.
That is to say, https://github.com/mastodon/mastodon/pull/30329 is probably entirely unrelated to what you're doing here, which seems to be SSO.
So what you'd want for Mastodon SSO to support PKCE is the PKCE configuration options passed to config.omniauth :openid_connect, oidc_options in https://github.com/mastodon/mastodon/blob/e56fb9e4890435ef89b56ef5d1b9a8d0d46ab938/config/initializers/3_omniauth.rb. Currently it does not include those options: https://github.com/omniauth/omniauth_openid_connect?tab=readme-ov-file#options-overview
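For readers unfamiliar with what the PKCE options above actually switch on, here is an added, stand-alone Ruby example (not code from this thread, from Mastodon, or from omniauth_openid_connect) of the RFC 7636 mechanics: the relying party generates a random code_verifier, sends its S256 code_challenge with the authorization request, and later proves possession of the verifier at the token endpoint; the authorization server recomputes the challenge and compares it. The `oidc_options_with_pkce` helper at the end shows how such an options hash would be merged into an omniauth :openid_connect configuration; the option names `pkce`, `pkce_verifier` and `pkce_options` are assumed from the omniauth_openid_connect README linked above, so check them against the gem version you actually run.

```ruby
require 'securerandom'
require 'digest'
require 'base64'

# RFC 7636 section 4.1: 32 random bytes, base64url without padding, gives a
# 43-character verifier drawn from the unreserved character set.
def pkce_code_verifier
  Base64.urlsafe_encode64(SecureRandom.random_bytes(32), padding: false)
end

# RFC 7636 section 4.2, method S256: BASE64URL(SHA256(ASCII(code_verifier))).
def pkce_code_challenge(verifier)
  Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), padding: false)
end

# Syntactic check an authorization server applies before hashing anything:
# 43..128 characters, only [A-Za-z0-9] and "-._~".
def pkce_verifier_valid?(verifier)
  verifier.is_a?(String) &&
    verifier.length.between?(43, 128) &&
    verifier.match?(/\A[A-Za-z0-9\-._~]+\z/)
end

# Constant-time byte comparison so a mismatched challenge cannot be probed
# one byte at a time through timing differences.
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Authorization-server side of the token request: the challenge and method were
# stored with the authorization code; the verifier arrives with the code exchange.
# Accepting "plain" is allowed by the RFC but offers no protection against an
# attacker who can read the authorization request, so S256 is what a hardened
# server should require.
def pkce_challenge_matches?(stored_challenge, method, presented_verifier)
  return false unless pkce_verifier_valid?(presented_verifier)

  expected =
    case method
    when 'S256'  then pkce_code_challenge(presented_verifier)
    when 'plain' then presented_verifier
    else return false
    end
  constant_time_eq?(expected, stored_challenge)
end

# Relying-party side: what an omniauth :openid_connect options hash would gain.
# Option names assumed from the omniauth_openid_connect README (hypothetical
# until verified against the installed gem version).
def oidc_options_with_pkce(base_options)
  base_options.merge(
    pkce: true,
    pkce_verifier: -> { pkce_code_verifier },
    pkce_options: {
      code_challenge: ->(verifier) { pkce_code_challenge(verifier) },
      code_challenge_method: 'S256',
    }
  )
end

if $PROGRAM_NAME == __FILE__
  verifier  = pkce_code_verifier
  challenge = pkce_code_challenge(verifier)
  puts "code_verifier:  #{verifier}"
  puts "code_challenge: #{challenge}"
  puts "server accepts: #{pkce_challenge_matches?(challenge, 'S256', verifier)}"
end
```

The RFC 7636 appendix B test vector (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`, S256 challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`) is a quick way to confirm any RP or AS implementation computes the challenge correctly before testing it against a live provider.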
Relying Parties is OIDC-speak for web apps.
Requirements.
We are testing for compatibility with the following RP apps:
IndieWeb
Fediverse
Alt-web