zelo72/documentation
1
0
Fork 0
mirror of https://github.com/mastodon/documentation synced 2025-04-11 22:56:17 +02:00
Code Issues 6 Releases Wiki Activity
documentation/content/en/methods/oauth.md
trwnh ffbe66a389
Update content for 4.0, part 2 (#1060) 
* fix relrefs around trends and related entities

* revert moving caption-links to middle of page

* hide empty menu in table of contents

* clarify edit notifs are only for boosted statuses

* following/followers no longer need auth

* fix typo

* specify cooldown period for account Move

* use the correct cooldown

* add missing parameters to accounts/id/statuses

* link to account_statuses_filter.rb

* fix typo (#1072)

* fix typo (#1073)

* fix link to http sig spec (#1067)

* simply HTTP request examples in api methods docs

* add missing client_secret to oauth/token (#1062)

* Add any, all, none to hashtag timeline

* minor formatting changes

* Update signature requirements and advice

* fix public key -> private key

* clarify use of RSA with SHA256

* Add note about saving your profile after adding rel-me link

* v2 filters api

* comment out params that shouldn't be used in v2 filter api

* admin trends

* remove old todo

* canonical email blocks + scheduled statuses

* remove under-construction warnings from finished pages

* verify api method params with source code

* fix typo (#1088)

* fix broken caption-links (#1100)

* fix formatting of entities (#1094)

* Remove keybase section from user guide (#1093)

* fix typos (#1092)

* Verify limits are accurate (#1086)

* add mention of iframe limitation (#1084)

* Add CORS header to WEB_DOMAIN example (#1083)

* Fix typo (#1081)

* pin http sigs spec at draft 8

* Revert "pin http sigs spec at draft 8"

This reverts commit 9fd5f7032b69b29e77599dd62adfe8d2f5cd4f20.

* add case sensitivity warning to 4.0 roles

* Add url length note to bio (#1087)

* remove follow scope from examples (#1103)

* clarify usage of update_credentials to update profile fields

* add noindex to Account entitity

* remove required hint from technically not required property
2022-12-14 22:55:30 +01:00

6.1 KiB
Raw Blame History

title description menu aliases
oauth API methods Generate and manage OAuth tokens.
docs
weight name parent identifier
10 oauth methods-apps methods-oauth
/methods/oauth
/api/methods/oauth
/methods/apps/oauth

Authorize a user

GET /oauth/authorize HTTP/1.1

Displays an authorization form to the user. If approved, it will create and return an authorization code, then redirect to the desired redirect_uri, or show the authorization code if urn:ietf:wg:oauth:2.0:oob was requested. The authorization code can be used while requesting a token to obtain access to user-level methods.

Returns: String (URL) or HTML response
OAuth: Public
Version history:
0.1.0 - added
2.6.0 - added force_login
3.5.0 - added lang

Request

Query parameters
response_type
{{}} String. Should be set equal to code.
client_id
{{}} String. The client ID, obtained during app registration.
redirect_uri
{{}} String. Set a URI to redirect the user to. If this parameter is set to urn:ietf:wg:oauth:2.0:oob then the authorization code will be shown instead. Must match one of the redirect_uris declared during app registration.
scope
String. List of requested OAuth scopes, separated by spaces (or by pluses, if using query parameters). Must be a subset of scopes declared during app registration. If not provided, defaults to read.
force_login
Boolean. Forces the user to re-login, which is necessary for authorizing with multiple accounts from the same instance.
lang
String. The ISO 639-1 two-letter language code to use while rendering the authorization form.

Response

200: OK

The authorization code will be returned as a query parameter named code.

redirect_uri?code=qDFUEaYrRK5c-HNmTCJbAzazwLRInJ7VHFat0wcMgCU
400: Client error

If the authorization code is incorrect or has been used already, the request will fail.

{
  "error": "invalid_grant",
  "error_description": "The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."
}

Obtain a token

POST /oauth/token HTTP/1.1

Obtain an access token, to be used during API calls that are not public.

Returns: [Token]({{< relref "entities/token" >}})
OAuth: Public
Version history:
0.1.0 - added

Request

Form data parameters
grant_type
{{}} String. Set equal to authorization_code if code is provided in order to gain user-level access. Otherwise, set equal to client_credentials to obtain app-level access only.
code
String. A user authorization code, obtained via GET /oauth/authorize.
client_id
{{}} String. The client ID, obtained during app registration.
client_secret
{{}} String. The client secret, obtained durign app registration.
redirect_uri
{{}} String. Set a URI to redirect the user to. If this parameter is set to urn:ietf:wg:oauth:2.0:oob then the token will be shown instead. Must match one of the redirect_uris declared during app registration.
scope
String. List of requested OAuth scopes, separated by spaces (or by pluses, if using query parameters). If code was provided, then this must be equal to the scope requested from the user. Otherwise, it must be a subset of scopes declared during app registration. If not provided, defaults to read.

Response

200: OK

Store this access_token for later use with auth-required methods. The token should be passed as an HTTP Authorization header when making API calls, with the value Bearer access_token

{
  "access_token": "ZA-Yj3aBD8U8Cm7lKUp-lm9O9BmDgdhHzDeqsY8tlL0",
  "token_type": "Bearer",
  "scope": "read write follow push",
  "created_at": 1573979017
}
400: Client error

If you try to request a scope that was not included when registering the app, the request will fail.

{
  "error": "invalid_scope",
  "error_description": "The requested scope is invalid, unknown, or malformed."
}
401: Unauthorized

If client_id and client_secret do not match or are invalid, the request will fail.

{
  "error": "invalid_client",
  "error_description": "Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method."
}

Revoke a token

POST /oauth/revoke HTTP/1.1

Revoke an access token to make it no longer valid for use.

Returns: empty object
OAuth: Public
Version history:
x.x.x - added

Request

Form data parameters
client_id
{{}} String. The client ID, obtained during app registration.
client_secret
{{}} String. The client secret, obtained during app registration.
token
{{}} String. The previously obtained token, to be invalidated.

Response

200: OK

If you own the provided token, the API call will provide an empty response. This operation is idempotent, so calling this API multiple times will still return OK.

{}
403: Forbidden

If you provide a token you do not own, or no token at all, the API call will return a 403 error.

{
  "error": "unauthorized_client",
  "error_description": "You are not authorized to revoke this token"
}

See also

{{< page-relref ref="methods/apps#create" caption="POST /api/v1/apps" >}}

{{< caption-link url="https://github.com/mastodon/mastodon/blob/main/app/controllers/oauth/authorizations_controller.rb" caption="app/controllers/oauth/authorizations_controller.rb" >}}

{{< caption-link url="https://github.com/mastodon/mastodon/blob/main/app/controllers/oauth/authorized_applications_controller.rb" caption="app/controllers/oauth/authorized_applications_controller.rb" >}}

{{< caption-link url="https://github.com/mastodon/mastodon/blob/main/app/controllers/oauth/tokens_controller.rb" caption="app/controllers/oauth/tokens_controller.rb" >}}