scripting / Mastodon-API

I'm working on connecting to the Mastodon-API, getting help from friends who have been down this path.
MIT License

How to specify scopes #5

Open scripting opened 1 year ago

scripting commented 1 year ago

I'm getting ready to hook my linkblogging tool Radio3 up to Mastodon via the API.

I have it working, as long as I set everything up by hand. Now I'm tuning things up, and trying to specify the scopes that Radio3 needs.

Basically two operations.

  1. Post a toot with a bit of text and a link.

  2. Get the user's profile information so we know what to put in the dialogs.

Everything works if I say write read as the scopes.

But that's ridiculous -- I don't want to write or read everything (as the confirmation says). This will scare a lot of people off. It would scare me off.

So I went through the configuration process and guessed that read:accounts is what I want for the profile info, so I changed the setup to this: write read:accounts. But when I tried to authorize, I got this message: The requested scope is invalid, unknown, or malformed. I think what that means is that I've used the wrong syntax. But it's hard to say.

So I'm looking for help from people with experience with more granular permissions...

scripting commented 1 year ago

I changed the name of the repo to Mastodon-API, given that's what we're working on here. ;-)

billstclair commented 1 year ago

The scopes that are allowed have changed as Mastodon has been developed.

There's a list here: https://docs.joinmastodon.org/api/oauth-scopes/#versions

social.scottfr.ee is version 4.0.3, so it should support the granular scopes, in particular read:accounts, and the scopes are sent over the wire as a space-separated string, which is what you're using, I think. But I've never used anything besides read write follow push, so I can't vouch for whether read:accounts will work.

Here's the authorize URL that my application (Mammudeck.com) generates. It always uses "read write follow push" as scopes (url-encoded):

https://social.scottfr.ee/oauth/authorize?client_id=%3Cclient_id%3E&redirect_uri=localhost%3A%2F%2Flogin&response_type=code&scope=write%20read%20follow%20push

I used "<client_id>" as the client_id, and "localhost://login" as the redirect_uri.

scotthansonde commented 1 year ago

I think the 'scope' in the authorize URL has to exactly match the 'scopes' that were registered over the API at /api/v1/apps.

Playing with curl, I was able to register two apps that were identical except for the scopes

'write read:accounts' only:

curl -X POST \
        -F 'client_name=Scott Test Application' \
        -F 'redirect_uris=urn:ietf:wg:oauth:2.0:oob' \
        -F 'scopes=write read:accounts' \
        -F 'website=https://myapp.example' \
        https://social.scottfr.ee/api/v1/apps
{"id":"37",...}

all scopes:

curl -X POST \
        -F 'client_name=Scott Test Application' \
        -F 'redirect_uris=urn:ietf:wg:oauth:2.0:oob' \
        -F 'scopes=read write follow push' \
        -F 'website=https://myapp.example' \
        https://social.scottfr.ee/api/v1/apps
{"id":"38",...}

When I tried to authorize the "all scopes" app with "&scope=write+read:accounts", I got the "The requested scope is invalid, unknown, or malformed." error.

Authorizing the "'write read:accounts' only" app with "&scope=write+read:accounts" succeeded.

https://social.scottfr.ee/oauth/authorize?client_id=%3Cclient_id%3E&scope=write+read:accounts&redirect_uri=urn:ietf:wg:oauth:2.0:oob&response_type=code

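The register-then-authorize sequence from the two curl experiments above, as an added JavaScript example (not code from the thread, from Radio3 or from Mammudeck). It uses only Node's built-in URL and URLSearchParams; the instance, client name, redirect URI and scope strings are the ones used in the thread. The scope check models what the two experiments are consistent with: every scope token sent to /oauth/authorize must be one of the tokens registered at /api/v1/apps, with read:accounts not counted as covered by read (the observation above was the stricter "has to exactly match"; to enforce that instead, compare the two sets for equality).

```javascript
// Added example (not code from the thread, Radio3 or Mammudeck): build the
// two requests in which scopes appear, and check the requested scopes
// against the app's registered ones before redirecting the user.

// Split a space-separated scope string ("write read:accounts") into tokens.
function parseScopes(scopeString) {
  return scopeString.trim().split(/\s+/).filter(Boolean);
}

// Form body for POST /api/v1/apps. The REST API parameter is "scopes"
// (plural), sent as one space-separated string.
function buildAppRegistration(clientName, redirectUri, scopes, website) {
  const params = new URLSearchParams({
    client_name: clientName,
    redirect_uris: redirectUri,
    scopes: scopes.join(" "),
  });
  if (website) params.set("website", website);
  return params;
}

// Authorize URL for /oauth/authorize. The OAuth parameter is "scope"
// (singular). URLSearchParams does the query-string encoding for us, so the
// space becomes "+" and ":" becomes "%3A"; the server decodes both, and
// "%20" written by hand decodes to the same space.
function buildAuthorizeUrl(instance, clientId, redirectUri, scopes) {
  const url = new URL("/oauth/authorize", instance);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("scope", scopes.join(" "));
  return url.toString();
}

// Read the scope list back out of an authorize URL, whether the space was
// written as "+" or as "%20".
function scopesFromAuthorizeUrl(authorizeUrl) {
  return parseScopes(new URL(authorizeUrl).searchParams.get("scope") ?? "");
}

// The failure mode seen in the thread: an app registered with
// "read write follow push" rejects an authorize request for
// "write read:accounts" with "The requested scope is invalid, unknown, or
// malformed." Checking token by token on the client side lets the app report
// the mismatch before the user is sent to the server.
function checkRequestedScopes(registeredScopes, requestedScopes) {
  const registered = new Set(registeredScopes);
  const missing = requestedScopes.filter((s) => !registered.has(s));
  return { ok: missing.length === 0, missing };
}
```

Register the app with exactly the scopes the tool needs, keep that list, and pass the same list to buildAuthorizeUrl; checkRequestedScopes then turns a server-side "invalid scope" error into a message the app can show itself.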

scripting commented 1 year ago

The thing I'm really confused about is when you use "scope" and when it's "scopes".

And when do you replace a space with a + and when do you not?

I think when I figure that out it'll start working. ;-)

scripting commented 1 year ago

Bing!


scotthansonde commented 1 year ago

There's a note in the Mastodon OAuth Scopes docs

Mind the scope vs scopes difference. This is because scope is a standard OAuth parameter name, so it is used in the OAuth methods. Mastodon’s own REST API uses the more appropriate scopes.

So for the REST API it's 'scopes' and for the OAuth URL it's 'scope'.

As for the plus sign for the space, it's in the query string of a URL so the space needs to be encoded. The example I copied used '+', but '%20' works as well.

scripting commented 1 year ago

@scotthansonde -- I read that comment last night after finishing work and thought that must be where the problem is.

Then I read your comment carefully, esp the examples, and that's what helped me pull it together.

Now to figure out how to narrow the write access so that I'm only writing new posts, I think there is a setting for that....

scripting commented 1 year ago

BTW, I'm going to upload the source here instead of the new repo I was starting. This is the place where we work on the Mastodon-API, this is where the source code belongs.

billstclair commented 1 year ago

If you want to login to a random Mastodon server, the app needs to be generated on the fly, not statically-created on the server, via /api/v1/apps : https://docs.joinmastodon.org/methods/apps/#create

(Maybe you’re already doing this)

Of course, you can save the app, in a cookie or LocalStorage, and reuse it later.

On Nov 27, 2022 at 7:37:50 AM, Scott Hanson @.***> wrote:

There's a note in the Mastodon OAuth Scopes docs (https://docs.joinmastodon.org/api/oauth-scopes/)

Mind the scope vs scopes difference. This is because scope is a standard OAuth parameter name, so it is used in the OAuth methods. Mastodon’s own REST API uses the more appropriate scopes.

So for the REST API it's 'scopes' and for the OAuth URL it's 'scope'.

As for the plus sign for the space, it's in the query string of a URL so the space needs to be encoded. The example I copied used '+', but '%20' works as well.


scripting commented 1 year ago

Bing! Bing! Bing!

By george I think I'm beginning to get the hang of this. ;-)


scripting commented 1 year ago

@billstclair --

Yes, I know -- and I am not doing that. I was, but punted on it, because I couldn't sort it all out, and I was running out of time. I have a personal hard break tomorrow. I want to get this thing in solid form before I go. I can't come back to a mess.

And I think for Radio3 we're going to say you have to create an account on our server to spew your links out to the fediverse.

Or run a copy of the server.

Or wait for the next rev once we put out all the other fires I have to put out.

billstclair commented 1 year ago

The whole login process is documented at https://github.com/billstclair/elm-mastodon/blob/master/src/Mastodon/Login.elm#L71, though some of the language is specific to my Elm implementation. You DO need to save the client_id and client_secret, in one of the browser databases (or the file system, if this is done by a server, not the web client), so that you'll have them in your hand when /oauth/authorize redirects to your client page.

It was a bear to figure out.
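The bookkeeping described in the two comments above (register the app on whichever server the user names, save its client_id and client_secret, and have them ready when /oauth/authorize redirects back), as an added JavaScript example that is not code from the thread, Radio3, Mammudeck or elm-mastodon. It assumes the endpoints named in the thread and the Mastodon docs (POST /api/v1/apps, /oauth/authorize, POST /oauth/token with grant_type=authorization_code) and adds the standard OAuth state parameter, which the thread does not mention, so a callback can be tied to the login attempt that started it. The store has localStorage's getItem/setItem shape and the HTTP function has fetch's shape; both are injected, and the constructed fake server at the bottom stands in for a real instance so the flow runs offline.

```javascript
// Added example (not code from the thread, Radio3, Mammudeck or elm-mastodon):
// per-server app registration, credential storage and the code-for-token
// exchange. Storage and HTTP are injected: pass window.localStorage and fetch
// in a browser, or a file-backed store and fetch on a server.

const CLIENT_NAME = "Radio3 test client"; // hypothetical client name

// Fresh random value for the OAuth "state" parameter: sent on the redirect,
// it must come back unchanged before the returned code is trusted.
function newState() {
  return (globalThis.crypto ?? require("node:crypto")).randomUUID();
}

// Minimal store with localStorage's getItem/setItem shape, backed by a Map,
// so the example runs outside a browser.
function memoryStore(backing = new Map()) {
  return {
    getItem: (k) => (backing.has(k) ? backing.get(k) : null),
    setItem: (k, v) => backing.set(k, String(v)),
  };
}

// Step 1: register the app on this instance via POST /api/v1/apps, or reuse
// the client_id/client_secret saved earlier. The record is keyed by origin so
// credentials issued by one server are never presented to another.
async function getOrRegisterApp(instance, redirectUri, scopes, store, fetchImpl) {
  const origin = new URL(instance).origin;
  const key = `mastodon-app:${origin}`;
  const cached = store.getItem(key);
  if (cached) return JSON.parse(cached);

  const body = new URLSearchParams({
    client_name: CLIENT_NAME,
    redirect_uris: redirectUri,
    scopes: scopes.join(" "), // REST API: "scopes", space-separated
  });
  const res = await fetchImpl(`${origin}/api/v1/apps`, { method: "POST", body });
  if (!res.ok) throw new Error(`app registration failed: HTTP ${res.status}`);
  const app = await res.json();
  const record = { origin, client_id: app.client_id, client_secret: app.client_secret, scopes };
  store.setItem(key, JSON.stringify(record));
  return record;
}

// Step 2: build the /oauth/authorize redirect and remember which server and
// which state value this attempt used.
function beginAuthorize(appRecord, redirectUri, store, state = newState()) {
  const url = new URL("/oauth/authorize", appRecord.origin);
  url.searchParams.set("client_id", appRecord.client_id);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("scope", appRecord.scopes.join(" ")); // OAuth: "scope"
  url.searchParams.set("state", state);
  store.setItem("mastodon-pending-state", state);
  store.setItem("mastodon-pending-origin", appRecord.origin);
  return url.toString();
}

// Step 3: on the page the server redirected to, check the state, then swap
// the code for a token at POST /oauth/token using the saved client_secret.
async function finishAuthorize(callbackUrl, redirectUri, store, fetchImpl) {
  const params = new URL(callbackUrl).searchParams;
  const code = params.get("code");
  const state = params.get("state");
  const expected = store.getItem("mastodon-pending-state");
  if (!code || !state || !expected || state !== expected) {
    throw new Error("authorization callback rejected: missing code or state mismatch");
  }
  const origin = store.getItem("mastodon-pending-origin");
  const app = JSON.parse(store.getItem(`mastodon-app:${origin}`));
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    client_id: app.client_id,
    client_secret: app.client_secret,
    redirect_uri: redirectUri,
    scope: app.scopes.join(" "),
  });
  const res = await fetchImpl(`${origin}/oauth/token`, { method: "POST", body });
  if (!res.ok) throw new Error(`token exchange failed: HTTP ${res.status}`);
  const token = await res.json();
  store.setItem("mastodon-pending-state", ""); // a state value is good for one callback only
  return { origin, access_token: token.access_token, scope: token.scope };
}

// Constructed stand-in for fetch: answers the two endpoints with sample
// values so the flow can be exercised without a Mastodon server.
function fakeServer() {
  const calls = [];
  return {
    calls,
    fetch: async (url, init) => {
      const body = Object.fromEntries(init.body);
      calls.push({ url, body });
      if (url.endsWith("/api/v1/apps")) {
        return { ok: true, status: 200, json: async () => ({ client_id: "cid-1", client_secret: "secret-1" }) };
      }
      if (url.endsWith("/oauth/token") && body.code === "good-code") {
        return { ok: true, status: 200, json: async () => ({ access_token: "tok-1", scope: body.scope }) };
      }
      return { ok: false, status: 401, json: async () => ({ error: "invalid_grant" }) };
    },
  };
}
```

Call getOrRegisterApp once per server the user names, hand its record to beginAuthorize and navigate to the returned URL, then call finishAuthorize with the URL the browser lands on; a second login against the same server reuses the saved record instead of registering another app.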

scripting commented 1 year ago

Friends -- the new bridge is up and running and ready to test.

First, you'll have to get an account on the new server. You will have to give a reason for wanting the account, say it's to test Radio3.

http://social.masto.land/

Once you've got the account, go here.

http://test.masto.land/

Click the Masto sign on button.

You should see the authorization screen. Look it over and make sure it looks right to you. All we're going to do is post toots on your behalf, and verify your account.

Once authorized, click the Masto toot button and enter a Hello World type message.

Hopefully it showed up on social.masto.land.

You can create more messages if you like. :smile:

Finally click the Get your info button, and open the JavaScript console. You should see a JSON object that has your user info in it.

Please say whether it worked or not, and obviously say what went wrong if something did go wrong.

And that's it, that's all we're trying to do for now.

scotthansonde commented 1 year ago

@scripting For me everything worked as intended. The authorization, the test toot, and the user info in the console.

moosebegab commented 1 year ago

Everything worked for me.

(I had to google about how to open JavaScript Console. I figured it out and it worked.)

billstclair commented 1 year ago

Works for me.