
[#468] OAuth2 scopes

Merged Ivan Tashkinov requested to merge i1t/pleroma:468_oauth2_scopes into develop

Implements #468 (closed)

Notes:

  • `apps.scopes` sets the default set of scopes an app is capable of dealing with; these scopes are presented with checkboxes on the `/oauth/authorize` page (along with email and password fields) so each user can restrict the scopes if desired (the choice is persisted per user per app as `oauth_authorizations.scopes` and `oauth_tokens.scopes`)

  • if a user authenticates on an external service with their Pleroma email and password, the external service is able to control the scopes (e.g. PleromaFE shows email and password inputs and then requests `read write follow` scopes behind the scenes). Users should be advised to never enter their Pleroma email and password on external services and to use OAuth authentication / authorization instead (which asks for email and password on Pleroma premises at `/oauth/authorize` and lets the user control the scopes)

  • attempting to use a token having any scopes which the app doesn't support results in 403 (shouldn't happen in a normal usage scenario)

  • Mastodon FE relies on the `read` scope being enabled in order to function. Whilst it's technically possible to obtain a token without `read` permission (e.g. for an exotic write-only use case), attempting to use such a token with `MastodonAPIController#index` will redirect to the login page (since it's piped through `:oauth_read_or_unauthenticated`) — we could also remove the scope restriction from this route to enable use of MastoFE for posting only (this way it'll present the comment form, which'll work if `write` permission is present on the token), but for regular users this alternative behavior could be confusing, so not doing that as of the moment.

Edited by Ivan Tashkinov
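The scope rules listed in the description (an app's supported scopes, the user narrowing them at authorization time, the 403 for a token whose scopes exceed the app's, and the read-or-unauthenticated behaviour of the index route) can be modelled in a few dozen lines. The following is an added example written for this page, not Pleroma's own code: the class and function names (`App`, `Authorization`, `Token`, `authorize`, `authenticate_request`, `read_or_unauthenticated`, `outcome`) are constructed, as is the sample app; the 400 returned when an authorization request names a scope outside `apps.scopes` is this example's choice, since the merge request does not say what Pleroma returns there.

```python
"""Model of the OAuth2 scope checks described in the merge request.
Added example; names and sample data are constructed, not Pleroma's code."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


class ScopeError(Exception):
    """Carries the HTTP status a real controller/plug would respond with."""

    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


@dataclass(frozen=True)
class App:
    client_id: str
    scopes: FrozenSet[str]  # apps.scopes: what the app is capable of dealing with


@dataclass(frozen=True)
class Authorization:
    """One oauth_authorizations row: per user, per app, with the user's chosen subset."""
    user: str
    app: App
    scopes: FrozenSet[str]


@dataclass(frozen=True)
class Token:
    """One oauth_tokens row; scopes are copied from the authorization it came from."""
    user: str
    app: App
    scopes: FrozenSet[str]


def authorize(app: App, user: str, checked: Iterable[str]) -> Authorization:
    """What /oauth/authorize does with the checkboxes: the user keeps a subset of
    the app's scopes. A scope the app does not list is rejected (400 is an
    assumption of this example, not documented in the merge request)."""
    chosen = frozenset(checked)
    if not chosen:
        raise ScopeError(400, "no scopes selected")
    unsupported = chosen - app.scopes
    if unsupported:
        raise ScopeError(400, f"app does not support scopes {sorted(unsupported)}")
    return Authorization(user, app, chosen)


def exchange(authorization: Authorization) -> Token:
    """Token issuance: the token inherits exactly the authorized scopes."""
    return Token(authorization.user, authorization.app, authorization.scopes)


def authenticate_request(token: Token, required: Iterable[str]) -> str:
    """Scope check in front of a controller action. A token carrying scopes the
    app does not support is refused with 403 (should not happen in normal use);
    a token lacking a required scope is also refused with 403."""
    if token.scopes - token.app.scopes:
        raise ScopeError(403, "token scopes exceed the app's scopes")
    missing = frozenset(required) - token.scopes
    if missing:
        raise ScopeError(403, f"token lacks scopes {sorted(missing)}")
    return token.user


def read_or_unauthenticated(token: Optional[Token]) -> Optional[str]:
    """Model of :oauth_read_or_unauthenticated on MastodonAPIController#index:
    a token with `read` yields the user; no token, or a token without `read`,
    is treated as unauthenticated (the route then redirects to login)."""
    if token is None or "read" not in token.scopes:
        return None
    return authenticate_request(token, ["read"])


def outcome(fn, *args) -> int:
    """Return the HTTP status a call would produce: 200 or the ScopeError status."""
    try:
        fn(*args)
        return 200
    except ScopeError as err:
        return err.status


if __name__ == "__main__":
    # Constructed sample: a frontend registered with the default read/write/follow set.
    fe = App("pleromafe-example", frozenset({"read", "write", "follow"}))
    # The user unticks `follow` on the authorize page.
    tok = exchange(authorize(fe, "alice", ["read", "write"]))
    print("post status:", outcome(authenticate_request, tok, ["write"]))   # 200
    print("follow status:", outcome(authenticate_request, tok, ["follow"]))  # 403
    print("index user:", read_or_unauthenticated(Token("alice", fe, frozenset({"write"}))))  # None
```

The `outcome` helper exists so the policy can be checked by status code without a web stack; in Pleroma the same decisions are made by the OAuth plugs the description names, not by these functions.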

  • Ivan Tashkinov (Author, Contributor):

    @lambadalambda @href @lanodan @eal @kaniini

    Please review this WIP prototype of the OAuth2 scopes feature if you have time. Suggestions are welcome.
