Open ThisIsMissEm opened 11 months ago
Sure, not a bad idea!
Related to https://github.com/superseriousbusiness/gotosocial/issues/1573
Yeah, I'd just recommend doing this soon, as a lot of Mastodon OAuth apps rely on the /api/v1/apps/verify_credentials endpoint to ensure they've correctly registered a client through dynamic client registration.
Is your feature request related to a problem ?
This endpoint is available in Mastodon and allows an API client to introspect their current access token to gain information about the application that the token is for. We've recently been discussing changes to Mastodon to allow exposing the client_id and scopes of the application, which would assist with understanding what permissions you have.

Additionally, I'm looking at adding support for the OAuth 2.0 Server Metadata endpoint defined in RFC 8414, which would allow asking the server "hey, where do I do dynamic client registration" (the POST /api/v1/apps request) and "what scopes can I request when registering or authenticating an application?"

In theory, OAuth 2.0 also has a standardised mechanism for token introspection, but this currently isn't a feature in Mastodon, as the devise library has a bug that prevents the token introspection functionality from working correctly.
Describe the solution you'd like.
Addition of the /api/v1/apps/verify_credentials endpoint, which returns similar data to the Application model but does not return the client_secret. It would additionally need to expose the scopes for the App.

Describe alternatives you've considered.
As noted, there is the alternative of the OAuth 2.0 token introspection endpoint, but I'd recommend still implementing the /api/v1/apps/verify_credentials endpoint so as to have compatibility with Mastodon.

Additional context.
Mastodon's documentation on this API: https://docs.joinmastodon.org/methods/apps/#verify_credentials
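The flow the issue describes, as an added Go example that is not GoToSocial's or Mastodon's code: an OAuth client registers through POST /api/v1/apps, obtains an app token, then calls GET /api/v1/apps/verify_credentials and refuses the reply if the server echoes client_secret. The in-memory server, the Application struct, the client_credentials grant at /oauth/token, the "tok-"/"secret-" identifier formats and the demo-client name are all assumptions made for this example; only the three endpoint paths and the client_id/client_secret/scopes field names come from the thread and the linked Mastodon docs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Application uses the Mastodon docs' field names but is this example's own type; *string lets a client tell an absent client_secret from an empty one.
type Application struct {
	Name         string   `json:"name"`
	ClientID     string   `json:"client_id"`
	ClientSecret *string  `json:"client_secret,omitempty"`
	Scopes       []string `json:"scopes"`
}

// NewTestServer is an in-memory stand-in (assumption, not a real server) for the three endpoints the flow touches; single-threaded demo, no locking.
func NewTestServer() *httptest.Server {
	apps := map[string]Application{} // client_id -> registered app
	tokens := map[string]string{}    // bearer token -> client_id
	mux := http.NewServeMux()
	// POST /api/v1/apps: registration, the only reply that ever carries the secret.
	mux.HandleFunc("/api/v1/apps", func(w http.ResponseWriter, r *http.Request) {
		secret := fmt.Sprintf("secret-%d", len(apps)+1)
		app := Application{Name: r.PostFormValue("client_name"), ClientID: fmt.Sprintf("client-%d", len(apps)+1),
			ClientSecret: &secret, Scopes: strings.Fields(r.PostFormValue("scopes"))}
		apps[app.ClientID] = app
		json.NewEncoder(w).Encode(app)
	})
	// POST /oauth/token: client_credentials grant that binds a bearer token to the app.
	mux.HandleFunc("/oauth/token", func(w http.ResponseWriter, r *http.Request) {
		app, ok := apps[r.PostFormValue("client_id")]
		if !ok || r.PostFormValue("grant_type") != "client_credentials" || *app.ClientSecret != r.PostFormValue("client_secret") {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		tokens["tok-"+app.ClientID] = app.ClientID
		json.NewEncoder(w).Encode(map[string]string{"access_token": "tok-" + app.ClientID, "token_type": "Bearer"})
	})
	// GET /api/v1/apps/verify_credentials: the app behind the token, with client_id and scopes but no client_secret.
	mux.HandleFunc("/api/v1/apps/verify_credentials", func(w http.ResponseWriter, r *http.Request) {
		clientID, ok := tokens[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]
		if !ok {
			http.Error(w, `{"error":"The access token is invalid"}`, http.StatusUnauthorized)
			return
		}
		app := apps[clientID]  // a copy; the stored secret is untouched
		app.ClientSecret = nil // omitempty drops the key from the JSON entirely
		json.NewEncoder(w).Encode(app)
	})
	return httptest.NewServer(mux)
}

// postForm posts a form and decodes the JSON reply into out; error bodies decode to zero values, which the callers catch.
func postForm(u string, form url.Values, out any) error {
	resp, err := http.PostForm(u, form)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	return json.NewDecoder(resp.Body).Decode(out)
}

// VerifyToken calls verify_credentials with a bearer token; a rejected token or an echoed client_secret is an error.
func VerifyToken(base, token string) (app Application, err error) {
	req, _ := http.NewRequest(http.MethodGet, base+"/api/v1/apps/verify_credentials", nil)
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return app, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return app, fmt.Errorf("verify_credentials: status %d", resp.StatusCode)
	}
	if err = json.NewDecoder(resp.Body).Decode(&app); err == nil && app.ClientSecret != nil {
		err = fmt.Errorf("server echoed client_secret") // the one thing this endpoint must never do
	}
	return app, err
}

// RegisterAndVerify runs the client side end to end: register, get a token, verify.
func RegisterAndVerify(base, name, scopes string) (Application, error) {
	var reg Application
	form := url.Values{"client_name": {name}, "redirect_uris": {"urn:ietf:wg:oauth:2.0:oob"}, "scopes": {scopes}}
	if err := postForm(base+"/api/v1/apps", form, &reg); err != nil || reg.ClientSecret == nil {
		return Application{}, fmt.Errorf("register: err=%v, client_secret present=%t", err, reg.ClientSecret != nil)
	}
	var tok struct{ AccessToken string `json:"access_token"` }
	form = url.Values{"grant_type": {"client_credentials"}, "client_id": {reg.ClientID}, "client_secret": {*reg.ClientSecret}}
	if err := postForm(base+"/oauth/token", form, &tok); err != nil {
		return Application{}, err
	}
	return VerifyToken(base, tok.AccessToken)
}

func main() {
	srv := NewTestServer()
	defer srv.Close()
	app, err := RegisterAndVerify(srv.URL, "demo-client", "read write")
	fmt.Printf("name=%s client_id=%s scopes=%v err=%v\n", app.Name, app.ClientID, app.Scopes, err)
}
```

The client-side check is the part worth copying: a pointer-typed client_secret distinguishes a server that omitted the key from one that sent an empty string, so a client can fail closed on any implementation that leaks the secret through this endpoint, and a non-200 status surfaces as an error instead of a half-decoded struct.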