OAuth Roadmap #2656
Replies: 22 comments 53 replies
-
Exciting stuff! Re-reading the proposal, particularly the part that mentions the specs to be used: PAR, PKCE, and DPoP. I'm wondering how widespread these implementations are in the ecosystem? Or do we expect there to be lots of work in auth libraries to support atproto login? A specific related question: what's missing from https://authjs.dev to take advantage of this? Would be great if you folks could show a demo of it working with Auth.js! |
Beta Was this translation helpful? Give feedback.
-
Exciting! Are you all still thinking through whether or how much you plan to integrate and require OAuth directly into ATProto itself? Notably:
recommended is a useful word there, but notably it's not required. You also mention the phrase "login with atproto," which sounds great, but if it's OAuth-based, would obviously require PDSes to support OAuth. Long term, do you foresee that OAuth is more of a nice-to-have for PDSes, or closer to a requirement? |
Beta Was this translation helpful? Give feedback.
-
Do you have any guidance on what language to use for client applications with login forms? I'm particularly interested in staying true to the idea that their atprotocol network handle is the thing that they use and also reducing confusion about handles or identifiers for other services. |
Beta Was this translation helpful? Give feedback.
-
Will this work with Apple's AuthenticationServices (e.g. ASWebAuthenticationSession)? This is the standard mechanism used on iOS and it's fully integrated with the password autofill APIs - it's very easy for both developers and customers to use. The reason I ask is because I can't find any information about authorization endpoints or callback urls (ASWebAuthenticationSession needs both). |
Beta Was this translation helpful? Give feedback.
-
Late to this party. @bnewbold not sure if this is the best place or if I should comment directly on bluesky-social/atproto-website#326. Let me know. A few things:
|
Beta Was this translation helpful? Give feedback.
-
@bnewbold I've started trying to implement atproto OAuth for logging in a client application. So far I'm able to resolve a handle to a DID, retrieve the DID document and the AS metadata, and redirect to the AS. That's where I'm stuck. It's giving me a pretty opaque error: Any suggestions on how to debug? I'm writing my implementation from scratch because I want to reduce dependencies, and I want to learn the protocol. |
Beta Was this translation helpful? Give feedback.
-
@bnewbold where's the best place to give feedback on the protocol? I'm working on a universal login middleware with a focus on decentralized protocols. It can be dropped into any JavaScript backend (https://github.com/lastlogin-net/decent-auth-js). I've got a demo running here: https://decent-auth-demo.lastlogin.io/ It currently works with Mastodon, ATProto, and LastLogin. IndieAuth shouldn't be too hard to add. My main complaint is still that hosting the client metadata is required. This means my middleware won't work for atproto for self-hosted apps that don't have a public IP. It will still work for Mastodon and LastLogin, since Mastodon supports dynamic client registration and LastLogin support anonymous clients (only the clien_id URL is required to display to the user). One other nitpick is that I don't think you should show the client name to the user for unverified clients. Even if you show the client_id URL as well, if a malicious client used the name "Google" it could still trick some users. |
Beta Was this translation helpful? Give feedback.
-
Hi all, I'm currently implementing the atproto OAuth flow for a native application (mobile/desktop) and have a question regarding best practices for user handle resolution. In my implementation, I'm currently resolving user handles using ordinary DNS (unencrypted). However, I'm wondering whether it's considered best practice for native clients to use a more secure DNS resolution method, such as DNS over HTTPS, to enhance privacy and security. Could you please advise on what is generally recommended or expected for native OAuth clients in this context? Thanks |
Beta Was this translation helpful? Give feedback.
-
You should probably look at what https://oauth.net/ recommends (which is really "whatever works"). Having a strict requirement for DoH or some kind of check of DNSSEC might be a bit of overkill; but I can see that being a nice feature in an application.
…On Tue, Oct 1, 2024, at 13:17, llksz wrote:
Hi all,
I'm currently implementing the atproto OAuth flow for a native
application and have a question regarding best practices for user
handle resolution.
In my implementation, I'm currently resolving user handles using
ordinary DNS (unencrypted). However, I'm wondering whether it's
considered best practice for native clients to use a more secure DNS
resolution method, such as DNS over HTTPS, to enhance privacy and
security.
Could you please advise on what is generally recommended or expected
for native OAuth clients in this context?
Thanks
|
Beta Was this translation helpful? Give feedback.
-
It would be very nice if the option to give longer-lived or shorter-lived tokens were up to the user, rather than what seemed more "secure". I distrust backends/BFFs more than SPAs. With backends, even if there is an open source code available somewhere it is still essentially a black box that I can't peek into any time, meanwhile with SPAs I could easily do so even if it comes down to making sense of bundled/minified code. |
Beta Was this translation helpful? Give feedback.
-
One issue I'm running into with the current first-party implementation: it appears that the oauth authorize endpoint is hosted at |
Beta Was this translation helpful? Give feedback.
-
Any chance the auth page could hide the path part of the client-id URI if it's a set Also, the developer doc mentions a concept of trusted client IDs (where the client_name and logo_uri fields are used); is there going to be a formal way to apply for inclusion in bsky.social's trusted client list in the future? |
Beta Was this translation helpful? Give feedback.
-
@bnewbold dou you have any expectation when this oauth feature moves to next phase, if possible, could you update expected date(season) of phases. |
Beta Was this translation helpful? Give feedback.
-
Hi, I tried to log in via bsky.social/oauth and an app password and got only a generic error message. It worked than by using my main password. I think we should make the error message clearer. |
Beta Was this translation helpful? Give feedback.
-
Are authorization servers required to issue refresh tokens or is it optional? |
Beta Was this translation helpful? Give feedback.
-
I have an existing social media infrastructure that I would like to merge into the ATmosphere. The Mathematical Mesh provides a range of end-to-end secure communications modes including messaging, blogging, document annotation etc. I will be adding voice and video in the near future. This is all using industry standard cryptography (X448 and ML-KEM) and provides post-quantum security. This is an application that would typically be used inside an organization or group needing highly confidential communications using a custom client. But all the interaction modes can be performed using the traditional TLS-to-plaintext-on-the-server. What I would like to do is to offer a mechanism whereby people can log into their ATmosphere PDS, read a post inviting them to join a private group hosted on a separate serve running my code, they follow the link, it asks them to sign in which they can do with their Atmosphere PDS account, then they ask to join the group and if/when approved get a DM to their Atmosphere account saying they are in and then return to the group server and do the normal sort of forum interaction mode. I can see several approaches that might work for this but thought I would check in to see whether this is a mode that is anticipated for use and if so what is the best approach. I do attend IETF and will be in Bangkok but would prefer to get started on this as soon as possible. |
Beta Was this translation helpful? Give feedback.
-
Examples like https://docs.bsky.app/docs/starter-templates/bots are still showing password logins. Are there any examples out there which show the new oauth flow? |
Beta Was this translation helpful? Give feedback.
-
Question: what is the behavior of I know it sounds useless, but it can serve as proof of ownership and there's a few niche use cases for it (like a site wanting to verify social media account authenticity). |
Beta Was this translation helpful? Give feedback.
-
Given @tom-sherman 's comment above
and that app passwords are deprecated, will there be an oauth solution for service accounts before app password functionality is totally turned off? |
Beta Was this translation helpful? Give feedback.
-
I have implemented the BSky OAUTH profile so I can use it as a replacement for accounts in my private forum software. The original idea being that BlueSky is a Twitter thing and that is good for Twitter like things but I also want a Facebook thing and a TikTok thing and I want all of them to be accessible through a single handle. So, I can have a personal blog and post documents and videos there under the same handle I use on BlueSky and people can comment on it there using their handles. The overall effect being similar to Facebook groups but without the horrible Facebook experience. I went through my feed and a third of it was disinformation from right wing thugs, only a quarter was stuff I actually asked for. But, I am now thinking we should go further and correct the misfire that happened with OpenId. The original idea for OpenID was that you would have a username you could use anywhere. What it has become is you can use your Apple, Google or Facebook account anywhere. That is a complete fail and there is no point in trying to fix it through OpenID. Now before going onto my proposal, a bit about myself. I was part of the original CERN Web team, an early employee at VeriSign who had a big influence on the WebPKI and SAML. I have put together schemes that are widely deployed and used. So what I am going to propose might seem overly ambitious but no more so than what I have done in the past. Also, BlueSky are using a LOT of existing work here and it is important that everyone gets a fair slice of credit. In particular, Mike Jones put a heck of a lot of OAUTH and OpenID together and so did many others. And it really wasn't their fault that three trillion dollar companies worked out how to turn an identity system originally intended to DEcentralize the Web to centralize it even further. The key here is that every Web user should have an online identity that they and they alone control that they can use to log in to 'Anything'. And that is what we now have with the BSky OAUTH profile plus their PLC DID scheme. OK, so it is not 100% yet and there are changes that are going to be needed for end-to-end secure chat, voice, video. But all we need to deliver a powerful first installment of an actually open ID is a name and some branding. For the name, I suggest 'anything' because you can use the same handle to log into anything. The secondary thing here is a play on Elon Musk's talk of an 'everything client' when he was buying Twitter. It is pretty clear at this point Musk is going nowhere, he is losing users and more importantly, he has lost mindshare. Nobody is going to be looking for an everything client from the Daily Stormer. I was already working on a client of the type Musk described so I grabbed the name with the intention of turning it into a generic like 'browser' is a generic. So you would have your browser on your machine and you would have your everything. Together you have 'anything and everything'. |
Beta Was this translation helpful? Give feedback.
-
The reference implementation gives Is there any spec/guidance on which modes a server implementation is required to implement? |
Beta Was this translation helpful? Give feedback.
-
OAuth is nigh! Protocol support has been a long time coming and we are pumped. It should greatly improve the user and developer experiences building secure apps and integrations on atproto. And could make the handles-and-DIDs identity system a more useful, re-usable, and inter-operable component for other non-atproto apps and protocols to built on.
At the same time, authentication and authorization are complex, security-sensitive, and central to the design of almost every client in the ecosystem. We want to clarify and temper expectations around when specific functionality will be available. This is a flexible/living roadmap for how roll-out will go.
Developer Preview Phase
UPDATE: September 25th blog post announcing this phase
In this phase, early-adopter client developers can start using OAuth as an alternative to App Passwords. More sophisticated use-cases (eg, granular access scopes and additional 2FA methods) may not be available yet, and support in client SDKs will probably be work-in-progress. We roughly expect to enter this phase in late summer 2024.
Transition Phase
In this phase, support for client developers should be solid, and most apps will be encouraged and expected to migrate to OAuth. We don't want to be too disruptive and expect major work from small teams and volunteer/hobbyist devs in the ecosystem, so this phase will last at least a few months.
We roughly expect to be in this phase in autumn 2024.
End State
This is the goal we are working towards.
We roughly hope to get to this point some time in 2025.
Open Questions
Account Management Lexicons:: the PDS web interface is expected to become the primary interface for managing things like handles, account deactivation/deletion, updating email, signup, account migration, etc. While these will remain "in-protocol" behaviors and actions, it isn't clear if the current
com.atproto
Lexicons supporting them should be required, optional, or even part of atproto itself at all. This is an "end state" question.Alternative Auth Mechanisms: the flavor of OAuth used with atproto will require some form of publicly available client metadata. This is reasonable for most client apps, but would be friction for simple demo scripts and basic bots. We hope to have an simple alternative mechanism similar to "developer API tokens" on other platforms, where developers can generate secret tokens via the PDS web interface and pass them to CLI scripts and bots for persistent auth with limited scopes. Not yet clear if this will be an evolution of app-passwords or a new concept, and if this will be an optional or required part of the protocol, or something left up to PDS implementations to decide on. This is probably a "transition phase" question.
Service Auth: atproto uses a separate flavor of authentication between servers and services, and OAuth will not directly impact this. It is possible that this aspect of auth in atproto will also evolve in the future.
Beta Was this translation helpful? Give feedback.
All reactions