Add API authentication using OAuth2 Client Credentials flow#3951
I'd highly encourage you to also implement RFC 8414: https://datatracker.ietf.org/doc/html/rfc8414 You can see this in Mastodon here: https://github.com/mastodon/mastodon/blob/main/app/controllers/well_known/oauth_metadata_controller.rb There is work to lift that up into doorkeeper, but I haven't had time to get back to it (funding): doorkeeper-gem/doorkeeper#1737
    base_controller "ActionController::Base"

    # Enabled grant flows
    grant_flows %w[client_credentials]
Usually client credentials grants aren't that often used, and instead authorization code is. Acting on behalf of the application and not the user is generally a bit weird, since it can lead to misauthorization or misattribution.
Also, if you do support authorization code, be sure to use pkce:
pkce_code_challenge_methods ['S256']
(requires additional database stuff, see doorkeeper docs)
Yeah, I was starting with client credentials because it's mainly intended for non-interactive machine-to-machine access to the app-owning user's stuff, so far at least. Happy to be told I'm doing it wrong though; parsing all the choices in OAuth is complex. I'll have another read into Authorization Code and see how I can do non-interactive client apps with it.
Yeah, for M2M, client credentials is what you'd want, but for many use-cases you want authorization code. Just be sure that when you're asserting scopes and fetching the user from the authorization, you're correctly handling whether you've got client credentials or a regular access token.
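The point above about resolving the acting user differently for client-credentials and authorization-code tokens, as an added example that is not code from this PR or from Doorkeeper. The User, App and Token structs are constructed stand-ins for the app's User model, Doorkeeper::Application and Doorkeeper::AccessToken (whose resource_owner_id is nil for client-credentials tokens), and authorize! plays the role a controller helper next to doorkeeper_authorize! would.

```ruby
# Added example (not from the PR): resolve the acting user for an access token,
# distinguishing client_credentials tokens (no resource owner, act as the app's
# owner) from authorization_code tokens (resource owner set, act as that user).
require "set"

User  = Struct.new(:id, :name)
App   = Struct.new(:id, :owner)                  # owner: User who registered the app
Token = Struct.new(:application, :resource_owner_id, :scopes) do
  # Doorkeeper leaves resource_owner_id nil for client_credentials grants.
  def client_credentials?
    resource_owner_id.nil?
  end
end

# Constructed user table standing in for User.find.
USERS = { 1 => User.new(1, "alice"), 2 => User.new(2, "bob") }

class Forbidden < StandardError; end

# What a controller's current_resource_owner helper must do: fall back to the
# application's owner only for client-credentials tokens, otherwise load the
# user named in the grant. Using one code path for both misattributes actions.
def current_resource_owner(token)
  if token.client_credentials?
    token.application.owner or raise Forbidden, "application has no owner"
  else
    USERS.fetch(token.resource_owner_id) { raise Forbidden, "unknown resource owner" }
  end
end

# Scope check that is independent of the token kind: the endpoint names the
# scope it needs (as doorkeeper_authorize! :read does) and the token must carry it.
def authorize!(token, required_scope)
  unless token.scopes.include?(required_scope)
    raise Forbidden, "token lacks scope #{required_scope}"
  end
  current_resource_owner(token)
end

# Constructed sample tokens for an application registered by alice.
app_owned_by_alice = App.new(10, USERS[1])
cc_token   = Token.new(app_owned_by_alice, nil, Set["read"])   # client_credentials
code_token = Token.new(app_owned_by_alice, 2,   Set["read"])   # authorization_code for bob

if __FILE__ == $0
  puts authorize!(cc_token, "read").name    # alice: the app owner
  puts authorize!(code_token, "read").name  # bob: the granting user, not the app owner
end
```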
Users can now create an OAuth application and use it to read data that they have access to. API docs are all up to date with the change.