Closed philskents closed 1 month ago
It looks like that bot uses the OAuth password grant flow to get an access token. Mastodon does allow this grant flow, but we made a conscious decision in GoToSocial not to support it; the reason being that it's against OAuth 2.0 best practice, since it requires giving an application your password: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-resource-owner-password-cre
A safer way to authenticate bots like this -- and one which is also supported regardless of whether OIDC is configured or not -- is to provide an out-of-band authorization code to the application, which the app then exchanges for an access token. This is how the toot CLI works, for example, in addition to a bunch of other Mastodon-compatible bots/tools like Fedifetcher.
I don't know if Hypebot supports this type of authentication, but I'd really recommend it as it's safer and more compliant with OAuth best practices, in addition to working fine with OIDC enabled.
Worth noting that at the moment it's a bit of a pain to get an out-of-band token in GoToSocial, as unlike Mastodon we don't yet have a place in the admin panel for creating such tokens, so you have to do a bunch of manual curl requests to get one generated. Better support for token creation + management is on the roadmap for the coming year.
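The out-of-band authorization-code flow described above, as an added example that is not GoToSocial's, toot's or Hypebot's own code: the endpoints are the standard Mastodon client API that GoToSocial implements, while the instance URL, client name and code value are placeholders. The account password never leaves the browser login; the bot only ever holds the one-time code, its own client credentials and the resulting token.

```python
# Added example (not GoToSocial's or Hypebot's code): the out-of-band OAuth
# authorization-code flow a bot can use instead of the password grant.
# Endpoint paths are the standard Mastodon client API that GoToSocial
# implements; the instance URL and client name are placeholders.
import json
import urllib.parse
import urllib.request

OOB_REDIRECT = "urn:ietf:wg:oauth:2.0:oob"  # "display the code" instead of a callback URL


def http_post(url, form):
    """POST a form body and decode the JSON reply (plain urllib, no extra deps)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def register_app(instance, client_name, scopes, post=http_post):
    """Step 1: register the bot as an OAuth client; returns client_id/client_secret."""
    return post(f"{instance}/api/v1/apps", {
        "client_name": client_name,
        "redirect_uris": OOB_REDIRECT,
        "scopes": scopes,
    })


def authorize_url(instance, client_id, scopes):
    """Step 2: URL the account owner opens in a browser (logging in via OIDC if
    that is configured) to approve the app; the page then shows a one-time code."""
    query = urllib.parse.urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": OOB_REDIRECT,
        "scope": scopes,
    })
    return f"{instance}/oauth/authorize?{query}"


def exchange_code(instance, app, code, scopes, post=http_post):
    """Step 3: trade the pasted code for an access token. Only the code and the
    app's own credentials are sent; there is no password field in this grant."""
    return post(f"{instance}/oauth/token", {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": app["client_id"],
        "client_secret": app["client_secret"],
        "redirect_uri": OOB_REDIRECT,
        "scope": scopes,
    })
```

The `post` parameter exists so the exchange can be exercised against a fake transport; in real use the returned `access_token` goes in an `Authorization: Bearer` header on every later API call.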
Thanks for the super detailed response @tsmethurst! I appreciate you taking the time to explain all that and I look forward to seeing token management implemented in the future
No worries! If it's alright with you, I'll close this issue as not planned, since we won't be adding password auth.
@tsmethurst go ahead and close this out!
Is your feature request related to a problem?
I run GTS as a personal instance and I would love to use something like Hypebot to bring me cool posts from other instances from accounts I do not follow. Most of these tools do however require User/Password style credentials to post to my instance and I use OIDC so it just doesn't work.
Describe the solution you'd like.
A method to sign into an account with a local credential (like an API key) for automated services.
Describe alternatives you've considered.
NONE
Additional context.
No response