zelo72/documentation
1
0
Fork 0
mirror of https://github.com/mastodon/documentation synced 2025-04-11 22:56:17 +02:00
Code Issues 6 Releases Wiki Activity
documentation/content/en/spec/oauth.md
Moritz 5ebc8ad418
Replace and fix broken links with hugos relref (#801) 
As discussed in #764 there are quite a lot of outdated links in the
mastodon documentation. In basically all cases this was resolved by
simply wrapping the old plain markdown link in hugos `relref`
function[^0].

While quite a lot of links on the `/zh-cn/` also appear to be broken,
these can not be fixed by just wrapping them in `relref`[^0]. Those are
all links to `/spec/` subpages which are just not translated to `/zh-cn/`
version. Therefore, `/zh-cn/spec/` has been excluded from the automated
checking as described in the next section.

The page has been checked using the linkchecker[^1] utility. One process
is running `hugo serve` in order to see all changes in real time and
notice errors directly in your browser. In a separate command prompt the
command `linkchecker http://localhost:1313 --ignore-url=/zh-cn/spec` is
being fired up. Note the `--ignore-url=/zh-cn/spe` to exclude the just
not existing parts of the page as mentioned in the previous paragraph.

There still is some ToDo on the table since quite a lot of the anchors
appear to not be set or at least differ from previous versions. One
example: on `/client/authorized/` is a link to
`/client/token/#creating-our-application` while the id of referenced
heading is `app`. These changes **do not** fix those Issues as it would
require way more time.

[^0]: https://gohugo.io/functions/relref/
[^1]: https://github.com/linkchecker/linkchecker

Close #764
2020-08-10 23:01:50 +02:00

3.1 KiB
Raw Blame History

title description menu
OAuth An open standard for token-based authentication and authorization on the Internet
docs
weight parent
50 spec

What is OAuth?

The Mastodon API has many methods that require authentication from a client or authorization from a user. This is accomplished with OAuth 2.0, an authorization framework described in RFC 6749 that allows third-party applications to obtain limited access to an HTTP service on behalf of a resource owner, through the use of a standardized authorization flow that generates a client access token to be used with HTTP requests.

Mastodon supports the following OAuth 2 flows:

  • Authorization code flow: For end-users
  • Password grant flow: For bots and other single-user applications
  • Client credentials flow: For applications that do not act on behalf of users

To obtain an OAuth token for a Mastodon website, make sure that you allow your users to specify the domain they want to connect to before login. Use that domain to [acquire a client id/secret]({{< relref "../methods/apps/#create-an-application" >}}) and then [proceed with normal OAuth 2]({{< relref "../methods/apps/oauth.md" >}}).

OAuth 2 endpoints implemented

The following descriptions are taken from the Doorkeeper documentation. Mastodon uses Doorkeeper to implement OAuth 2. For more information on how to use these endpoints, see the [API documentation for OAuth.]({{< relref "../methods/apps/oauth.md" >}})

{{< caption-link url="https://github.com/tootsuite/mastodon/blob/master/config/initializers/doorkeeper.rb" caption="Doorkeeper config initializer" >}}

[GET /oauth/authorize]({{< relref "../methods/apps/oauth.md#authorize-a-user" >}})

Displays an authorization form to the user. If approved, it will create and return an authorization code, then redirect to the desired redirect_uri, or show the authorization code if urn:ietf:wg:oauth:2.0:oob was requested.

[POST /oauth/token]({{< relref "../methods/apps/oauth.md#obtain-a-token" >}})

Obtain an access token. This corresponds to the token endpoint, section 3.2 of the OAuth 2 RFC.

[POST /oauth/revoke]({{< relref "../methods/apps/oauth.md#revoke-token" >}})

Post here with client credentials to revoke an access token. This corresponds to the token endpoint, using the OAuth 2.0 Token Revocation RFC RFC 7009.

Common gotchas

  • When registering an application using Mastodon's REST API, there is a scopes parameter. When interfacing with OAuth endpoints, you must use the scope parameter instead, and this parameter's value must be a subset of the scopes registered with the app. You cannot include anything that wasn't in the original set.
  • When registering an application using Mastodon's REST API, there is a redirect_uris parameter. When interfacing with OAuth endpoints, you must use the redirect_uri parameter instead, and this parameter's value must be one of the redirect_uris registered with the app.