Skip to content

[#468] OAuth2 scopes

Ivan Tashkinov requested to merge i1t/pleroma:468_oauth2_scopes into develop

Implements #468 (closed)


  • apps.scopes sets the default set of scopes an app is capable of dealing with; these scopes are presented with checkboxes at /oauth/authorize page (along with email and password fields) so each user can restrict the scopes if desired (the choice is persisted as per-user-per-app oauth_authorizations.scopes and oauth_tokens.scopes)

  • if user authenticates on external service with Pleroma email and password, external service is able to control the scopes (e.g. PleromaFE shows email and password inputs and then requests read write follow scopes behind the scenes). Users should be adviced to never enter their Pleroma email and password on external services and use OAuth authentication / authorization (which asks for email and password on Pleroma premises at /oauth/authorize and lets user control the scopes)

  • attempting to use a token having any scopes which app doesn't support results in 403 (shouldn't happen in normal usage scenario)

  • Mastodon FE relies on read scope be enabled in order to function. Whilst it's technically possible to obtain a token without read permission (e.g. for exotic write-only use case), attempting to use such token with MastodonAPIController#index will redirect to login page (since it's piped through :oauth_read_or_unauthenticated) — we could also remove scope restriction from this route to enable using of MastoFE for posting only (this way it'll present comment form which'll work if write permission is present on the token) but for regular users this alternative behavior could be confusing, so not doing that as of the moment.

Edited by Ivan Tashkinov

Merge request reports