#Oauth

LeanpubNew 📚 Release! MCP Servers with Oauth: A full introduction to MCP, from zero to deployment in one weekend by Zach Silveira <a href="https://mastodon.social/tags/books" class="mention hashtag" rel="nofollow noopener" target="_blank">#books</a> <a href="https://mastodon.social/tags/ebooks" class="mention hashtag" rel="nofollow noopener" target="_blank">#ebooks</a> <a href="https://mastodon.social/tags/oauth" class="mention hashtag" rel="nofollow noopener" target="_blank">#oauth</a> <a href="https://mastodon.social/tags/technology" class="mention hashtag" rel="nofollow noopener" target="_blank">#technology</a>This book provides the fastest way to get up to speed using the latest Model Context Protocol authentication specification that was finalized in May 2025.Find it on Leanpub!Link: <a href="https://leanpub.com/creatingmcpserverswithoauth" rel="nofollow noopener" translate="no" target="_blank">https://leanpub.com/creatingmcpserverswithoauth</a>

OpenStreetMap Ops TeamIf you manage a web application that uses OpenStreetMap.org authentication or independently use the OpenStreetMap-website code, please see our recent security notice: <a href="https://operations.osmfoundation.org/2025/07/11/security-notice.html" rel="nofollow noopener" translate="no" target="_blank">https://operations.osmfoundation.org/2025/07/11/security-notice.html</a> <a href="https://en.osm.town/tags/OpenStreetMap" class="mention hashtag" rel="nofollow noopener" target="_blank">#OpenStreetMap</a> <a href="https://en.osm.town/tags/OSM" class="mention hashtag" rel="nofollow noopener" target="_blank">#OSM</a> <a href="https://en.osm.town/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#Security</a> <a href="https://en.osm.town/tags/OAuth" class="mention hashtag" rel="nofollow noopener" target="_blank">#OAuth</a>

Matthew TurlandMax Mitchell | I Read All Of Cloudflare's Claude-Generated Commits <a href="https://www.maxemitchell.com/writings/i-read-all-of-cloudflares-claude-generated-commits/" rel="nofollow noopener" translate="no" target="_blank">https://www.maxemitchell.com/writings/i-read-all-of-cloudflares-claude-generated-commits/</a><a href="https://phpc.social/tags/Claude" class="mention hashtag" rel="nofollow noopener" target="_blank">#Claude</a> <a href="https://phpc.social/tags/AI" class="mention hashtag" rel="nofollow noopener" target="_blank">#AI</a> <a href="https://phpc.social/tags/LLM" class="mention hashtag" rel="nofollow noopener" target="_blank">#LLM</a> <a href="https://phpc.social/tags/OAuth" class="mention hashtag" rel="nofollow noopener" target="_blank">#OAuth</a> <a href="https://phpc.social/tags/Cloudflare" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cloudflare</a>

Nicolas Borboën"NOOOOOOOO!!!! You can't just use an LLM to write an auth library!""haha gpus go brrr"<a href="https://github.com/cloudflare/workers-oauth-provider/?tab=readme-ov-file#written-using-claude" rel="nofollow noopener" translate="no" target="_blank">https://github.com/cloudflare/workers-oauth-provider/?tab=readme-ov-file#written-using-claude</a><a href="https://social.epfl.ch/tags/AI" class="mention hashtag" rel="nofollow noopener" target="_blank">#AI</a> <a href="https://social.epfl.ch/tags/CloudFlare" class="mention hashtag" rel="nofollow noopener" target="_blank">#CloudFlare</a> <a href="https://social.epfl.ch/tags/oAuth" class="mention hashtag" rel="nofollow noopener" target="_blank">#oAuth</a> <a href="https://social.epfl.ch/tags/Claude" class="mention hashtag" rel="nofollow noopener" target="_blank">#Claude</a> <a href="https://social.epfl.ch/tags/GPUsGoBrrr" class="mention hashtag" rel="nofollow noopener" target="_blank">#GPUsGoBrrr</a> <a href="https://social.epfl.ch/tags/LLM" class="mention hashtag" rel="nofollow noopener" target="_blank">#LLM</a>

Hollo :hollo:<a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/Hollo" target="_blank">#Hollo</a> 0.6.0 is coming soon!We're putting the finishing touches on our biggest security and feature update yet. Here's what's coming:Enhanced <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/OAuth" target="_blank">#OAuth</a> <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/security" target="_blank">#security</a><ul> <li>RFC 8414 (OAuth metadata discovery)</li><li>RFC 7636 (<a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/PKCE" target="_blank">#PKCE</a> support)</li><li>Improved authorization flows following RFC 9700 best practices</li> </ul>New features<ul> <li>Extended character limit (4K → 10K)</li><li>Code syntax highlighting</li><li>Customizable profile themes</li><li>EXIF metadata stripping for privacy</li> </ul>Important notes for update<ul> <li>Node.js 24+ required</li><li>Updated environment variables for asset storage</li><li>Stronger <code>SECRET_KEY</code> requirements (44+ chars)</li> </ul> Special thanks to <a translate="no" class="h-card u-url mention" href="https://hachyderm.io/@thisismissem" rel="nofollow noopener" target="_blank">@thisismissem</a> for the extensive OAuth improvements that help keep the <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/fediverse" target="_blank">#fediverse</a> secure and compatible! 🙏Full changelog and upgrade guide coming with the release.<a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/ActivityPub" target="_blank">#ActivityPub</a>

Neil MaddenInteresting open letter from the CISO at JP Morgan Chase, calling out insecure SaaS integrations, and specifically lots of implicit/explicit criticism of <a href="https://infosec.exchange/tags/OAuth" class="mention hashtag" rel="nofollow noopener" target="_blank">#OAuth</a>: poorly secured and broadly scoped long-lived bearer tokens are not a great idea. Hopefully we’ll see PoP (with keys in a KMS) becoming more widespread for these kinds of integrations. (The letter is undated 😤 but I assume it’s recent - via <a href="https://infosec.exchange/@ladynerd" class="u-url mention" rel="nofollow noopener" target="_blank">@ladynerd</a> on LinkedIn).<a href="https://www.jpmorgan.com/technology/technology-blog/open-letter-to-our-suppliers" rel="nofollow noopener" translate="no" target="_blank">https://www.jpmorgan.com/technology/technology-blog/open-letter-to-our-suppliers</a>

The New OilHackers abuse <a href="https://mastodon.thenewoil.org/tags/OAuth" class="mention hashtag" rel="nofollow noopener" target="_blank">#OAuth</a> 2.0 workflows to hijack <a href="https://mastodon.thenewoil.org/tags/Microsoft365" class="mention hashtag" rel="nofollow noopener" target="_blank">#Microsoft365</a> accounts<a href="https://www.bleepingcomputer.com/news/security/hackers-abuse-oauth-20-workflows-to-hijack-microsoft-365-accounts/" rel="nofollow noopener" translate="no" target="_blank">https://www.bleepingcomputer.com/news/security/hackers-abuse-oauth-20-workflows-to-hijack-microsoft-365-accounts/</a><a href="https://mastodon.thenewoil.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> <a href="https://mastodon.thenewoil.org/tags/Microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#Microsoft</a>

The New Oil<a href="https://mastodon.thenewoil.org/tags/Phishers" class="mention hashtag" rel="nofollow noopener" target="_blank">#Phishers</a> abuse <a href="https://mastodon.thenewoil.org/tags/Google" class="mention hashtag" rel="nofollow noopener" target="_blank">#Google</a> <a href="https://mastodon.thenewoil.org/tags/OAuth" class="mention hashtag" rel="nofollow noopener" target="_blank">#OAuth</a> to spoof Google in <a href="https://mastodon.thenewoil.org/tags/DKIM" class="mention hashtag" rel="nofollow noopener" target="_blank">#DKIM</a> replay attack<a href="https://www.bleepingcomputer.com/news/security/phishers-abuse-google-oauth-to-spoof-google-in-dkim-replay-attack/" rel="nofollow noopener" translate="no" target="_blank">https://www.bleepingcomputer.com/news/security/phishers-abuse-google-oauth-to-spoof-google-in-dkim-replay-attack/</a><a href="https://mastodon.thenewoil.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a>

Emelia 👸🏻Mixing up Public and Private Keys in OpenID Connect deployments - Hanno's Blog:<a href="https://blog.hboeck.de/archives/909-Mixing-up-Public-and-Private-Keys-in-OpenID-Connect-deployments.html" rel="nofollow noopener" translate="no" target="_blank">https://blog.hboeck.de/archives/909-Mixing-up-Public-and-Private-Keys-in-OpenID-Connect-deployments.html</a><a href="https://hachyderm.io/tags/oauth" class="mention hashtag" rel="nofollow noopener" target="_blank">#oauth</a> <a href="https://hachyderm.io/tags/openid" class="mention hashtag" rel="nofollow noopener" target="_blank">#openid</a> <a href="https://hachyderm.io/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a>

Francis Augusto 🇳🇴/🇧🇷/:bahia:A little rant about e-mail authentication: <a href="https://francisaugusto.com/2025/Email-quo-vadis-or-where-is-oidc-for-everyone/" rel="nofollow noopener" translate="no" target="_blank">https://francisaugusto.com/2025/Email-quo-vadis-or-where-is-oidc-for-everyone/</a><a href="https://io.mwl.io/@mwl" class="u-url mention" rel="nofollow noopener" target="_blank">@mwl</a> I'd love your comment on this!<a href="https://mastodon.babb.no/tags/email" class="mention hashtag" rel="nofollow noopener" target="_blank">#email</a> <a href="https://mastodon.babb.no/tags/oauth" class="mention hashtag" rel="nofollow noopener" target="_blank">#oauth</a> <a href="https://mastodon.babb.no/tags/oauth2" class="mention hashtag" rel="nofollow noopener" target="_blank">#oauth2</a> <a href="https://mastodon.babb.no/tags/thunderbird" class="mention hashtag" rel="nofollow noopener" target="_blank">#thunderbird</a>

Jürgen ⁂ :gts:Langsam wird es auf meiner <a href="https://servus.jyrgi.de/tags/gotosocial" class="mention hashtag" rel="nofollow noopener" target="_blank">#GoToSocial</a> Instanz gemütlich :neocat_comfy:. Ich habe gerade eine Sammlung von <a href="https://servus.jyrgi.de/tags/neocat" class="mention hashtag" rel="nofollow noopener" target="_blank">#NeoCat</a> :neocat: Emojis hochgeladen. Das war gar nicht so einfach, da GTS solch einen Sammel-Upload von <a href="https://servus.jyrgi.de/tags/misskey" class="mention hashtag" rel="nofollow noopener" target="_blank">#MissKey</a> Emoji Archiven noch nicht unterstützt. Man kann Emojis nur einzeln per API Aufruf hochladen. Da ich aber ein bisschen <a href="https://servus.jyrgi.de/tags/python" class="mention hashtag" rel="nofollow noopener" target="_blank">#Python</a> kann, war das Problem relativ schnell behoben **Ich habe zwei Scripte geschrieben:** - Eines um mich per <a href="https://servus.jyrgi.de/tags/oauth" class="mention hashtag" rel="nofollow noopener" target="_blank">#OAuth</a> zu authentifizieren um ein Bearer Token für die API Aufrufe zu erhalten. - Ein weiteres, das die meta.json Datei von MissKey kompatiblem Emoji Archiven auswertet und dann alle Emojis im Archiv einzeln per API Aufruf hochlädt. **Was habe ich gelernt:** - Wie MissKey Emoji Archive aufgebaut sind. - Wie man sich bei GTS per OAuth authentifiziert. - Wie man Emojis aus MissKey Archiven per GTS API calls hochlädt. <a href="https://servus.jyrgi.de/tags/selfhosting" class="mention hashtag" rel="nofollow noopener" target="_blank">#SelfHosting</a> <a href="https://servus.jyrgi.de/tags/gotosocial" class="mention hashtag" rel="nofollow noopener" target="_blank">#GoToSocial</a> <a href="https://servus.jyrgi.de/tags/python" class="mention hashtag" rel="nofollow noopener" target="_blank">#Python</a> <a href="https://servus.jyrgi.de/tags/oauth" class="mention hashtag" rel="nofollow noopener" target="_blank">#OAuth</a> <a href="https://servus.jyrgi.de/tags/customemojis" class="mention hashtag" rel="nofollow noopener" target="_blank">#CustomEmojis</a>

Neil MaddenAnd now <a href="https://infosec.exchange/@PhilippeDeRyck" class="u-url mention" rel="nofollow noopener" target="_blank">@PhilippeDeRyck</a> breaking <a href="https://infosec.exchange/tags/oauth" class="mention hashtag" rel="nofollow noopener" target="_blank">#oauth</a> <a href="https://infosec.exchange/tags/NDCSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#NDCSecurity</a>

John LeonardVulnerability in Google’s OAuth System exposes millions to riskResearchers warn that unused domains could grant unauthorised access to sensitive SaaS accounts<a href="https://www.computing.co.uk/news/2025/security/vulnerability-in-google-oauth-system-exposes-millions-to-risk" rel="nofollow noopener" translate="no" target="_blank">https://www.computing.co.uk/news/2025/security/vulnerability-in-google-oauth-system-exposes-millions-to-risk</a><a href="https://mastodon.social/tags/google" class="mention hashtag" rel="nofollow noopener" target="_blank">#google</a> <a href="https://mastodon.social/tags/oauth" class="mention hashtag" rel="nofollow noopener" target="_blank">#oauth</a> <a href="https://mastodon.social/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a> <a href="https://mastodon.social/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a>

Aaron KingAnybody close their personal Gmail or Outlook, ie Google and Microsoft accounts? They are just spam and I have pretty good success with my private email domain so I'm just tired of all the spam and tracking if I don't use their services. I just need a replacement OAuth server and Authenticator app. <a href="https://fosstodon.org/tags/oauth" class="mention hashtag" rel="nofollow noopener" target="_blank">#oauth</a> <a href="https://fosstodon.org/tags/otp" class="mention hashtag" rel="nofollow noopener" target="_blank">#otp</a> <a href="https://fosstodon.org/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a> <a href="https://fosstodon.org/tags/email" class="mention hashtag" rel="nofollow noopener" target="_blank">#email</a>

Hackread.comSquareX Researchers Expose <a href="https://mstdn.social/tags/OAuth" class="mention hashtag" rel="nofollow noopener" target="_blank">#OAuth</a> Attack on Chrome Extensions Days Before Major BreachRead: <a href="https://hackread.com/squarex-researchers-expose-oauth-attack-on-chrome-extensions-days-before-major-breach/" rel="nofollow noopener" translate="no" target="_blank">https://hackread.com/squarex-researchers-expose-oauth-attack-on-chrome-extensions-days-before-major-breach/</a><a href="https://mstdn.social/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#CyberSecurity</a> <a href="https://mstdn.social/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#Phishing</a> <a href="https://mstdn.social/tags/Chrome" class="mention hashtag" rel="nofollow noopener" target="_blank">#Chrome</a> <a href="https://mstdn.social/tags/CyberAttack" class="mention hashtag" rel="nofollow noopener" target="_blank">#CyberAttack</a>

Terence Eden’s BlogAdd a custom icon to Auth0's Custom Social integrations<a href="https://shkspr.mobi/blog/2024/12/add-a-custom-icon-to-auth0s-custom-social-integrations/" rel="nofollow noopener" translate="no" target="_blank">https://shkspr.mobi/blog/2024/12/add-a-custom-icon-to-auth0s-custom-social-integrations/</a>This is so fucking stupid.There is no way to update the logo of a custom social connection on Auth0 without using the command line. On literally every other service I've used, there's a little box to upload a logo. But Okta have a funny idea of what developers want.And, to make matters worse, <a href="https://auth0.com/docs/authenticate/identity-providers/social-identity-providers/oauth2" rel="nofollow noopener" target="_blank">their documentation contains an error</a>! They don't listen to community requests or take bug reports, so I'm blogging in the hope that this is useful to you.The Command<pre><code>curl --request PATCH \-H 'Content-Type: application/json' \-H 'Accept: application/json' \-H 'Authorization: Bearer eyJhb...ZEQ' \ --url 'https://whatever.eu.auth0.com/api/v2/connections/con_qwerty123456' \ --data ' ... '</code></pre>You will also need to supply some JSON in the <code>data</code> parameter. I've formatted it to be easier to read than the garbage documentation. All of these fields are mandatory.<pre><code>{ "options": { "client_id": "your-app-id", "client_secret": "Shhhhhh!", "icon_url": "https://example.com/image.svg", "scripts": { "fetchUserProfile": "???" }, "authorizationURL": "https://example.com/oauth2/authorize", "tokenURL": "https://example.com/oauth2/token", "scope": "auth" }, "display_name": "Whatever"}</code></pre>OK, but how do you get all those values?<ul><li>Bearer token:<ul><li><a href="https://auth0.com/docs/secure/tokens/access-tokens/management-api-access-tokens" rel="nofollow noopener" target="_blank">Create a management token</a></li><li>The only scope it needs is <code>update:connections</code></li></ul></li><li>URl<ul><li>This is your normal Auth0 domain name.</li><li>The Connection ID at the end can be found in the dashboard of your social connection </li></ul></li><li>Client ID & Secret<ul><li>You set these in the social connection's dashboard.</li></ul></li><li><code>icon_url</code><ul><li>Public link to an image. It can be an SVG.</li></ul></li><li><code>fetchUserProfile</code><ul><li>Whatever code you want to run. If you don't want any, you can't leave it blank. So type in a couple of characters.</li></ul></li><li><code>authorizationURL</code> and <code>tokenURL</code><ul><li>Wherever you want to redirect users to</li></ul></li><li><code>display_name</code><ul><li>What you want to show to the user</li></ul></li></ul>This is such a load of bollocks! Is it really that hard for the Okta team to put an input field with "type the URl of your logo"?<a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://shkspr.mobi/blog/tag/auth0/" target="_blank">#Auth0</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://shkspr.mobi/blog/tag/howto/" target="_blank">#HowTo</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://shkspr.mobi/blog/tag/oauth/" target="_blank">#oauth</a>

Terence Eden🆕 blog! “Add a custom icon to Auth0's Custom Social integrations”This is so fucking stupid.There is no way to update the logo of a custom social connection on Auth0 without using the command line. On literally every other service I've used, there's a little box to upload a logo. But Okta have a funny idea of what developers want.And, to make matters…👀 Read more: <a href="https://shkspr.mobi/blog/2024/12/add-a-custom-icon-to-auth0s-custom-social-integrations/" rel="nofollow noopener" translate="no" target="_blank">https://shkspr.mobi/blog/2024/12/add-a-custom-icon-to-auth0s-custom-social-integrations/</a> ⸻ <a href="https://mastodon.social/tags/Auth0" class="mention hashtag" rel="nofollow noopener" target="_blank">#Auth0</a> <a href="https://mastodon.social/tags/HowTo" class="mention hashtag" rel="nofollow noopener" target="_blank">#HowTo</a> <a href="https://mastodon.social/tags/oauth" class="mention hashtag" rel="nofollow noopener" target="_blank">#oauth</a>

Terence Eden’s BlogCreating a generic "Log-in with Mastodon" service<a href="https://shkspr.mobi/blog/2024/12/creating-a-generic-log-in-with-mastodon-service/" rel="nofollow noopener" translate="no" target="_blank">https://shkspr.mobi/blog/2024/12/creating-a-generic-log-in-with-mastodon-service/</a>Let's say you have a website - <code>your_website.tld</code> - and you want people to log in to it using their Mastodon account.For a traditional social-media site like Twitter or Facebook, you would create an OAuth app on the service that you want. But there are hundreds of Mastodon servers. So you need to create a new app for each one. That sounds hard, but it isn't. Well… not too hard.Here's some <a href="https://infosec.press/jerry/how-to-user-mastodons-built-on-oauth-provider-as-the-authentication-provider" rel="nofollow noopener" target="_blank">code adapted from Infosec.press</a>. It's all written using cURL on the command line - so you should be able to adapt it to your preferred programming language.Register an app on the user's Mastodon instanceLet's assume the user has given you the name of their Mastodon server - <code>example.social</code>You then send a request for an app to be created on <code>example.social</code> with your website's details. All it requests is the ability to read a user's details, nothing else.<pre><code>curl -X POST \ -F "client_name=Login to your_website.tld" \ -F "redirect_uris=https://your_website.tld/oauth/mastodon?server=example.social&" \ -F "scopes=read:accounts" \ -F "website=https://your_website.tld" \ -A "user-agent/0.1" https://example.social/api/v1/apps</code></pre>You can set the User Agent to be anything suitable. Some servers won't work if it is omitted.If the request was successful, <code>example.social</code> will send you this JSON in response:<pre><code>{ "id": "12345", "name": "Login to your_website.tld", "website": "https://your_website.tld", "scopes": [ "read:accounts" ], "redirect_uris": [ "https://your_website.tld/oauth/mastodon?server=example.social&" ], "vapid_key": "qwertyuiop-asdfghjkl-zxcvbnm", "redirect_uri": "https://your_website.tld/oauth/mastodon?server=example.social&", "client_id": "qw_asdfghjkl_zxcvbnm", "client_secret": "qwertyuiop1234567890"}</code></pre>Save the server's address, the <code>client_id</code>, and the <code>client_secret</code>. You will need all three later.The user logs in to their Mastodon instanceYou need to redirect the user to their server so they can log in. You need to construct a Mastodon URl using the data you received back. Don't forget to URl encode the <code>redirect_uri</code>.For example, redirect the user to:<pre><code>https://example.social/oauth/authorize?client_id=qw_asdfghjkl_zxcvbnm&scope=read:accounts&redirect_uri=https://your_website.tld/oauth/mastodon%3Fserver=example.social%26&response_type=code</code></pre>When the user visits that URl they can then log in. If they're successful, they'll be redirected back to your server using your specified redirect URI:<pre><code>https://your_website.tld/oauth/mastodon?server=example.social&code=qazwsxedcrfvtgbyhnujm</code></pre>Get a Bearer tokenYour website has received a GET request with the user's server name and an authorisation code. As per <a href="https://docs.joinmastodon.org/client/authorized/#token" rel="nofollow noopener" target="_blank">the Mastodon documentation</a>, your app uses that code to request a Bearer token:<pre><code>curl -X POST \ -F "client_id=qw_asdfghjkl_zxcvbnm" \ -F "client_secret=qwertyuiop1234567890" \ -F "redirect_uri=https://your_website.tld/oauth/mastodon?server=example.social&" \ -F "grant_type=authorization_code" \ -F "code=qazwsxedcrfvtgbyhnujm" \ -F "scope=read:accounts" \ -A "user-agent/0.1" https://example.social/oauth/token</code></pre>If that's worked, the user's server will return a Bearer token like this:<pre><code>{ "access_token": "abcdefg_123456", "token_type": "Bearer", "scope": "read:accounts", "created_at": 1732916685}</code></pre>Get the user's detailsFinally(!) you can use that token to verify the user's credentials with the server:<pre><code>curl \ -H "Authorization: Bearer abcdefg_123456" \ -A "user-agent/0.1" https://example.social/api/v1/accounts/verify_credentials</code></pre>If that works, you'll get back all the user's details. Something like this:<pre><code>{ "id": "7112", "username": "Edent", "acct": "Edent", "display_name": "Terence Eden", "url": "https://mastodon.social/@Edent", "avatar": "https://files.mastodon.social/accounts/avatars/000/007/112/original/37df032a5951b96c.jpg",...}</code></pre>Putting it all together<ol><li>User providers their Mastodon instance's domain name</li><li>Your service looks up the domain name in its database<ul><li>If there are no results, request to create a new app on the Mastodon instance and save the returned <code>client_id</code> and <code>client_secret</code></li></ul></li><li>Redirect the User to their Mastodon instance, using a URl which contains the <code>client_id</code> & callback URl</li><li>User logs in to their Mastodon instance</li><li>The User's Mastodon instance redirects the User to your service's callback URl which includes an the instance's domain name and User's authorisation code</li><li>Your service reads the User's domain name and authorisation code</li><li>Your service exchanges those details for a Bearer token</li><li>Your service uses the Bearer token to get the User's account details</li></ol>Next steps?This basic code works. For my next trick, can I integrate it into Auth0?<a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://shkspr.mobi/blog/tag/auth0/" target="_blank">#Auth0</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://shkspr.mobi/blog/tag/mastodonapi/" target="_blank">#MastodonAPI</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://shkspr.mobi/blog/tag/oauth/" target="_blank">#oauth</a>

Recent searches

Search options

Administered by:

Server stats: