superseriousbusiness / gotosocial

Fast, fun, small ActivityPub server.
https://docs.gotosocial.org
GNU Affero General Public License v3.0

[feature] /api/v1/apps/verify_credentials for OAuth Token introspection #2227

Open ThisIsMissEm opened 11 months ago

ThisIsMissEm commented 11 months ago

Is your feature request related to a problem?

This endpoint is available in Mastodon and allows an API client to introspect their current access token to gain information about the application that the token is for. We've recently been discussing changes to Mastodon to allow exposing the client_id and scopes of the application, which would assist with understanding what permissions you have.

Additionally, I'm looking at adding support for the OAuth 2.0 Server Metadata endpoint defined in RFC 8414, which would allow asking the server "hey, where do I do dynamic client registration" (the POST /api/v1/apps request) and "what scopes can I request when registering or authenticating an application?"

In theory, OAuth 2.0 also has a standardised mechanism for token introspection, but this currently isn't a feature in Mastodon, as the devise library has a bug that prevents the token introspection functionality from working correctly.

Describe the solution you'd like.

Addition of the /api/v1/apps/verify_credentials endpoint which returns similar data to the Application model, but does not return the client_secret. It would additionally need to expose the scopes for the App.

Describe alternatives you've considered.

As noted, there is the alternative of the OAuth 2.0 token introspection endpoint, but I'd recommend still implementing the /api/v1/apps/verify_credentials endpoint so as to have compatibility with Mastodon.

Additional context.

Mastodon's documentation on this API: https://docs.joinmastodon.org/methods/apps/#verify_credentials
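The shape of the endpoint the request describes, as an added illustration written for this issue rather than code from GoToSocial or Mastodon: a bearer token is mapped to the application it was issued to, and the response carries the application's public fields plus its scopes. The response struct has no client_secret field at all, so the secret cannot be serialised by mistake. The TokenStore map, the sample token and the application record are constructed for the example; the handler, status codes and JSON field names follow the Mastodon documentation linked above only as far as the text here describes them.

```go
package main

import (
	"encoding/json"
	"log"
	"net/http"
	"strings"
)

// RegisteredApp is what dynamic client registration (POST /api/v1/apps) stores.
// ClientSecret lives here and must never reach the verify_credentials response.
type RegisteredApp struct {
	ID           string
	Name         string
	Website      string
	ClientID     string
	ClientSecret string
	Scopes       []string
}

// VerifiedApp is the verify_credentials response body. It deliberately has no
// client_secret field, so the secret cannot leak through the JSON encoder.
type VerifiedApp struct {
	ID       string   `json:"id"`
	Name     string   `json:"name"`
	Website  string   `json:"website,omitempty"`
	ClientID string   `json:"client_id"`
	Scopes   []string `json:"scopes"`
}

// TokenStore maps an access token to the application it was issued to.
// A real server would look this up in its OAuth token table; a map stands in here.
type TokenStore map[string]*RegisteredApp

// bearerToken extracts the token from "Authorization: Bearer <token>".
func bearerToken(r *http.Request) (string, bool) {
	const prefix = "Bearer "
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, prefix) {
		return "", false
	}
	tok := strings.TrimSpace(strings.TrimPrefix(h, prefix))
	return tok, tok != ""
}

// Introspect returns the public view of the application behind a token.
func (s TokenStore) Introspect(token string) (VerifiedApp, bool) {
	app, ok := s[token]
	if !ok {
		return VerifiedApp{}, false
	}
	return VerifiedApp{
		ID:       app.ID,
		Name:     app.Name,
		Website:  app.Website,
		ClientID: app.ClientID,
		Scopes:   append([]string(nil), app.Scopes...),
	}, true
}

// VerifyCredentialsHandler serves GET /api/v1/apps/verify_credentials.
// An unknown or missing token yields 401, mirroring how a client learns that
// its registration or token is not valid.
func (s TokenStore) VerifyCredentialsHandler(w http.ResponseWriter, r *http.Request) {
	token, ok := bearerToken(r)
	if !ok {
		http.Error(w, `{"error":"The access token is invalid"}`, http.StatusUnauthorized)
		return
	}
	app, ok := s.Introspect(token)
	if !ok {
		http.Error(w, `{"error":"The access token is invalid"}`, http.StatusUnauthorized)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	if err := json.NewEncoder(w).Encode(app); err != nil {
		log.Printf("verify_credentials: encode: %v", err)
	}
}

// sampleStore builds a constructed token/application pair for demonstration.
func sampleStore() TokenStore {
	return TokenStore{
		"constructed-token-abc": &RegisteredApp{
			ID:           "1",
			Name:         "Example Client",
			Website:      "https://example.invalid",
			ClientID:     "client-123",
			ClientSecret: "SECRET-DO-NOT-LEAK",
			Scopes:       []string{"read", "write"},
		},
	}
}

func main() {
	store := sampleStore()
	http.HandleFunc("/api/v1/apps/verify_credentials", store.VerifyCredentialsHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Run it and query with `curl -H 'Authorization: Bearer constructed-token-abc' http://127.0.0.1:8080/api/v1/apps/verify_credentials`; the body lists id, name, website, client_id and scopes, and a missing or unknown token returns 401. Keeping the secret out of the response type, rather than blanking a field at serialisation time, is the design choice that makes the omission hard to regress.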

tsmethurst commented 11 months ago

Sure, not a bad idea!

Related to https://github.com/superseriousbusiness/gotosocial/issues/1573

ThisIsMissEm commented 11 months ago

Yeah, I'd just recommend doing this soon, as a lot of Mastodon OAuth apps rely on the /api/v1/apps/verify_credentials endpoint to ensure they've correctly registered a client through dynamic client registration.