Issue: OAuth scope
Priority 1. Created 2023-02-09. Resolved 2023-02-12.
The scope of full read access is too wide just to verify that the user is legitimate.
It prompts for read-only access to "everything", which is rather disturbing and, frustratingly, not clarified. Does that mean DMs?
Why is read access on everything needed for authorization (for public accounts)?
You should be able to do that with just the "read:accounts" scope.
You don't really need to create a full instance for that. You basically almost just need to put up a static webfinger response and handle POSTs with the follow and unfollow requests. Alternatively, you could "just" have people follow a specific account on any Mastodon instance and use the API to get the followers of that account.
Would it be better to use something like "toot at @-search-engine to opt in" (and "toot 'stop' to opt out again")? This could easily be a private toot, too, so as not to spam one's followers.
Could you get consent via a non-listed public toot?
I love the principle of opt-in search, but I don't want to have to research the intricacies of OAuth to know if it's safe or if I'm creating a permission backdoor that, if exposed through a vuln in your software, could expose my private data. I generally hate and don't use OAuth for this reason: its (Google's) intentional muddling of authentication (proof of identity) with authorization (for third parties to access your account as you).
Well, I figured you were using OAuth to confirm consent. Something lighter, like a follow of a special account, could also indicate consent, as @anildash described here: https://anildash.com/2023/01/16/a-fedi
2023-02-10 Limiting scope to read:accounts seems to be a bug in Mastodon. See https://github.com/mastodon/documentation/issues/1098
2023-02-10 The warning comes from your #Mastodon instance and is poorly worded. It should enumerate exactly what it is requesting but that is not how the Mastodon devs wrote it. Take it up with them.
The full list of API read scopes is documented here. It really needs better explanation: docs.joinmastodon.org/api/oaut…
Having said all that, I agree with @todb. All you need is `read:statuses` permission. Dial it back.
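What "dial it back" looks like in code, as an added example for this issue (it is not code from the search engine or from Mastodon): the app registers and asks for a single narrow scope, then compares the `scope` field of the token response with what it requested, so the situation described in the 2023-02-10 comment (an instance handing back a wider token than `read:accounts`) is caught before the token is stored. The instance host, client identifiers, redirect URI, state value and the two token JSON bodies are constructed here; only the endpoint paths and parameter names (`POST /api/v1/apps`, `GET /oauth/authorize`, `POST /oauth/token`) are Mastodon's documented OAuth flow.

```python
"""Least-privilege OAuth against a Mastodon instance: request one narrow scope
and refuse any token that comes back wider.

Added example, not code from the search engine or from Mastodon. Assumed and
constructed: instance host, client id, redirect URI, state value and the sample
token JSON below. Endpoint paths and parameter names are Mastodon's.
"""
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# The narrowest scope that still lets the app call
# GET /api/v1/accounts/verify_credentials to see who authorized it.
REQUESTED_SCOPES = ("read:accounts",)


def app_registration_body(client_name, redirect_uri, scopes=REQUESTED_SCOPES):
    """Form fields for POST /api/v1/apps. Registering with the narrow set is the
    server-side cap: an instance will not issue a token wider than the scopes
    the app was registered with, whatever a later authorize URL asks for."""
    return {
        "client_name": client_name,
        "redirect_uris": redirect_uri,
        "scopes": " ".join(scopes),
    }


def authorize_url(instance, client_id, redirect_uri, state, scopes=REQUESTED_SCOPES):
    """Build the GET /oauth/authorize URL the user is sent to. `state` must be an
    unguessable per-login value that the callback is required to echo back."""
    query = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"https://{instance}/oauth/authorize?{urlencode(query)}"


def requested_scopes_in(url):
    """Read the scope parameter back out of an authorize URL (review / tests)."""
    return set(parse_qs(urlsplit(url).query).get("scope", [""])[0].split())


def excess_scopes(token_response_json, requested=REQUESTED_SCOPES):
    """Scopes granted in the POST /oauth/token response beyond what was asked for.
    Plain `read` shows up here: it is an umbrella over read:statuses,
    read:bookmarks, read:lists and the rest, none of which the app requested."""
    granted = set(json.loads(token_response_json).get("scope", "").split())
    return granted - set(requested)


def token_is_acceptable(token_response_json, requested=REQUESTED_SCOPES):
    """True only when the granted scope is exactly the requested set. A wider
    token should be revoked (POST /oauth/revoke), not stored: if the app's token
    store is ever breached, the scope is the blast radius."""
    return not excess_scopes(token_response_json, requested)


# Constructed sample responses; the token strings are placeholders, not real tokens.
SAMPLE_NARROW = json.dumps({"access_token": "tok-narrow", "token_type": "Bearer",
                            "scope": "read:accounts", "created_at": 1676000000})
SAMPLE_WIDE = json.dumps({"access_token": "tok-wide", "token_type": "Bearer",
                          "scope": "read", "created_at": 1676000000})

if __name__ == "__main__":
    print(authorize_url("mastodon.example", "client-id",
                        "https://engine.example/cb", "per-login-random-state"))
    print("narrow token acceptable:", token_is_acceptable(SAMPLE_NARROW))
    print("wide token excess scopes:", sorted(excess_scopes(SAMPLE_WIDE)))
```

The check is deliberately on the token response rather than on the consent screen: the screen is rendered by the instance and, as the thread notes, worded by the Mastodon devs, while the `scope` string in the token is what the app actually holds.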
2023-02-11 In a poll with 34% votes, 24% wanted to keep OAuth, 45% to follow a bot, and 32% a magic word.
2023-02-11 Another attempt to be hosted as a bot was not successful. In many places the conditions do not allow this.
2023-02-12 Magic word method installed. Fixed.
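How the magic-word method can be evaluated without any OAuth grant, as an added example that is not the search engine's code and not Mastodon's: consent is derived only from original statuses (not boosts) that mention the engine's account, the latest statement per account wins, and an explicit "stop" beats an opt-in. The engine account name, the words "optin" and "stop", and the sample statuses are assumptions constructed here; the fields read (`account.acct`, `content`, `mentions`, `reblog`, `created_at`, `visibility`) are those of Mastodon's Status entity.

```python
"""Opt-in by 'magic word': fold statuses that mention the search engine's
account into a per-account consent state.

Added example, not code from the search engine or from Mastodon. Assumed:
the engine account name, the words "optin"/"stop", and the sample statuses,
all constructed here. Field names follow Mastodon's Status entity.
"""
import html
import re
from datetime import datetime

ENGINE_ACCT = "search-engine@engine.example"   # assumed engine account
OPT_IN_WORD, OPT_OUT_WORD = "optin", "stop"    # assumed magic words

TAG_RE = re.compile(r"<[^>]+>")
WORD_RE = re.compile(r"[a-z0-9_:@-]+")


def status_text(status):
    """Mastodon serves `content` as HTML; reduce it to lower-case plain text."""
    return html.unescape(TAG_RE.sub(" ", status.get("content", ""))).lower()


def consent_signal(status):
    """True = opt in, False = opt out, None = not a consent statement.
    Only an original status by the account itself, addressed to the engine,
    counts: a boost (reblog != None) must not opt the booster in or out, and a
    status that never mentions the engine was not meant for it."""
    if status.get("reblog") is not None:
        return None
    if not any(m.get("acct") == ENGINE_ACCT for m in status.get("mentions", [])):
        return None
    words = set(WORD_RE.findall(status_text(status)))
    if OPT_OUT_WORD in words:      # an explicit stop wins over optin in the same toot
        return False
    if OPT_IN_WORD in words:
        return True
    return None


def _created(status):
    # Mastodon timestamps look like 2023-02-12T09:00:00.000Z
    return datetime.fromisoformat(status["created_at"].replace("Z", "+00:00"))


def consent_state(statuses):
    """Fold a batch of statuses into {acct: bool}. The most recent statement per
    account wins regardless of the order the batch arrived in."""
    state = {}
    for s in sorted(statuses, key=_created):
        signal = consent_signal(s)
        if signal is not None:
            state[s["account"]["acct"]] = signal
    return state


def _status(acct, content, created_at, visibility="public",
            mentions_engine=True, reblog=None):
    """Minimal Status-shaped dict (constructed sample data)."""
    return {
        "account": {"acct": acct},
        "content": content,
        "created_at": created_at,
        "visibility": visibility,
        "mentions": [{"acct": ENGINE_ACCT}] if mentions_engine else [],
        "reblog": reblog,
    }


# Constructed sample batch, deliberately out of chronological order.
SAMPLE_STATUSES = [
    _status("alice@a.example", "<p>@search-engine stop, please.</p>",
            "2023-02-12T11:00:00.000Z"),
    _status("alice@a.example",
            '<p><span class="h-card">@search-engine</span> optin</p>',
            "2023-02-12T09:00:00.000Z", visibility="unlisted"),
    _status("bob@b.example", "<p>@search-engine optin</p>",
            "2023-02-12T10:00:00.000Z", visibility="private"),
    # carol boosted alice's opt-in: must not count as carol's consent
    _status("carol@c.example", "", "2023-02-12T12:00:00.000Z",
            reblog={"account": {"acct": "alice@a.example"}}),
    # dave used the word without addressing the engine
    _status("dave@d.example", "<p>I might optin to that search thing</p>",
            "2023-02-12T12:30:00.000Z", mentions_engine=False),
]

if __name__ == "__main__":
    print(consent_state(SAMPLE_STATUSES))
```

The decision keys on the `mentions` array rather than on `visibility`: a followers-only or direct toot reaches the engine's account only because it was mentioned, which is what makes the private-toot variant from the 2023-02-09 discussion work without the engine reading anyone's timeline.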