simov / grant

OAuth Proxy
MIT License
4.09k stars, 257 forks

Mastodon implementation misses the point #264

Open selfisekai opened 2 years ago

selfisekai commented 2 years ago

Grant requires you to provide keys and the instance to log in to at initialization. This is not how Mastodon, or pretty much any federated social network, works. The fundamental rule of Mastodon is that there is no single instance of it; anyone can set up their own instance and communicate flawlessly with people from other instances. Per the Mastodon docs: "The user must be able to login to any Mastodon server from the app. This means you must ask for the server's domain and use the app registrations API to dynamically obtain OAuth2 credentials." The box is ticked on the provider list, but the implementation is just nonsense.

simov commented 2 years ago

I see, thanks for the feedback. Grant tries to make certain developer workflows easier, for example having your OAuth app credentials on startup, but that is not a requirement.

For Mastodon specifically there is no default domain set, for the same reason that you mention above:

https://github.com/simov/grant/blob/0ba063bb1fa5fb9abd4c71ea3c808b2599950f60/config/oauth.json#L625-L630

What that means is that you have to either use the subdomain key, which is the domain in this case, or set the entire authorization URLs. I don't know what your exact setup is, but here is one example configuration:

{
  "defaults": {
    "origin": "https://your-proxy.com",
    "prefix": "/login",
    "transport": "querystring"
  },
  "mastodon": {
    "dynamic": [
      "subdomain",
      "key",
      "secret",
      "scope"
    ],
    "response": ["tokens"],
    "callback": "https://your-app.com/callback"
  }
}

Then the workflow is as follows:

  1. Obtain the domain name

  2. Obtain app credentials, for redirect URIs you should set https://your-proxy.com/login/mastodon/callback

  3. Navigate to https://your-proxy.com/login/mastodon with either POST or GET; in both cases you have to send subdomain=the.domain&key=the-key&secret=the-secret (URL-encoded)

  4. The user logs in, but in the end is redirected back to your app at https://your-app.com/callback?token=the-token, assuming you host your proxy as a standalone server, which again is optional

Let me know if that helps.
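The four-step workflow above, written out as an added example in Node.js. This is not code from Grant or from either participant in the thread; it assumes the example configuration posted above (origin https://your-proxy.com, prefix /login, and subdomain, key, secret and scope listed under "dynamic"), and the client name and scope it registers are hypothetical placeholders. Two points the steps leave implicit are handled here: the instance domain is user input that ends up both in the URL the server fetches for app registration and in the authorization URL Grant builds from subdomain, so it is reduced to a bare hostname and checked before use; and the dynamic key and secret are sent to the proxy by POST rather than in a GET query string, so they do not land in access logs. The registration call is the documented Mastodon endpoint POST /api/v1/apps (form fields client_name, redirect_uris, scopes), which answers with client_id and client_secret; fetch is injectable so the flow can be exercised without a network.

```javascript
// Added example for the Grant + Mastodon workflow discussed in this issue.
// Not Grant's code. Assumed values mirror the example config in the thread:
const PROXY_ORIGIN = 'https://your-proxy.com';   // "origin" in the Grant config (assumed)
const PREFIX = '/login';                          // "prefix" in the Grant config (assumed)
const REDIRECT_URI = `${PROXY_ORIGIN}${PREFIX}/mastodon/callback`; // step 2 redirect URI
const APP_NAME = 'example-client';                // hypothetical client_name
const SCOPES = 'read:accounts';                   // hypothetical single scope

// One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
const LABEL = /^(?!-)[a-z0-9-]{1,63}(?<!-)$/;
const BLOCKED = new Set(['localhost', 'localhost.localdomain']);

// Step 1: reduce whatever the user typed ("@alice@mastodon.social",
// "https://Mastodon.Social/@alice") to a bare lowercase hostname, or throw.
// The domain is attacker-controlled: it decides which host the server
// fetches from (step 2) and which host the user is sent to (step 3).
function normalizeInstanceDomain(input) {
  let host = String(input).trim().toLowerCase();
  host = host.replace(/^https?:\/\//, '');          // drop scheme
  host = host.replace(/[/?#].*$/, '');             // drop path/query/fragment
  if (host.includes('@')) host = host.slice(host.lastIndexOf('@') + 1); // "@user@host" or "user@host"
  if (host.length === 0 || host.length > 253 || host.includes(':')) {
    throw new Error('invalid instance domain');   // also rejects ports and IPv6 literals
  }
  const labels = host.split('.');
  if (labels.length < 2 || !labels.every((l) => LABEL.test(l))) {
    throw new Error('invalid instance domain');
  }
  if (BLOCKED.has(host) || /^\d+\.\d+\.\d+\.\d+$/.test(host)) {
    throw new Error('instance domain not allowed'); // no loopback names or raw IPv4
  }
  return host;
}

// Step 2: the Mastodon "create application" request for that instance.
function buildRegistrationRequest(domain) {
  const body = new URLSearchParams({
    client_name: APP_NAME,
    redirect_uris: REDIRECT_URI,
    scopes: SCOPES,
  });
  return { url: `https://${domain}/api/v1/apps`, method: 'POST', body: body.toString() };
}

// Pull key/secret out of the registration response; refuse a response that
// echoes a redirect URI other than the one we registered.
function credentialsFromRegistration(json) {
  if (typeof json.client_id !== 'string' || typeof json.client_secret !== 'string') {
    throw new Error('registration response lacks client_id/client_secret');
  }
  if (json.redirect_uri && json.redirect_uri !== REDIRECT_URI) {
    throw new Error('instance returned unexpected redirect_uri');
  }
  return { key: json.client_id, secret: json.client_secret };
}

// Step 3: the request to the Grant proxy. These four fields are accepted only
// because they are listed under "dynamic". POST keeps key/secret out of
// query strings and therefore out of proxy and CDN access logs.
function grantLoginRequest(domain, creds) {
  const params = new URLSearchParams({
    subdomain: domain,
    key: creds.key,
    secret: creds.secret,
    scope: SCOPES,
  });
  return { url: `${PROXY_ORIGIN}${PREFIX}/mastodon`, method: 'POST', body: params.toString() };
}

// Steps 1-3 end to end. Returns the request the browser should be driven to;
// step 4 (Grant redirecting to your callback with the token) happens on the proxy.
// fetchImpl is injectable so this runs offline with a fake.
async function prepareLogin(userInput, fetchImpl = globalThis.fetch) {
  const domain = normalizeInstanceDomain(userInput);
  const reg = buildRegistrationRequest(domain);
  const res = await fetchImpl(reg.url, {
    method: reg.method,
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: reg.body,
  });
  if (!res.ok) throw new Error(`app registration failed: HTTP ${res.status}`);
  return grantLoginRequest(domain, credentialsFromRegistration(await res.json()));
}
```

Registering a new app on every login works but leaves an application record on the instance each time; caching the key/secret per domain (and per redirect URI) after the first successful registration is the usual refinement, and the cache key must be the normalized domain, not the raw user input.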