eupolicy.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
This Mastodon server is a friendly and respectful discussion space for people working in areas related to EU policy. When you request to create an account, please tell us something about you.

Server stats: 225 active users

#oauth

2 posts, 2 participants, 0 posts today
Leanpub<p>New 📚 Release! MCP Servers with Oauth: A full introduction to MCP, from zero to deployment in one weekend by Zach Silveira <a href="https://mastodon.social/tags/books" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>books</span></a> <a href="https://mastodon.social/tags/ebooks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ebooks</span></a> <a href="https://mastodon.social/tags/oauth" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>oauth</span></a> <a href="https://mastodon.social/tags/technology" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>technology</span></a></p><p>This book provides the fastest way to get up to speed using the latest Model Context Protocol authentication specification that was finalized in May 2025.</p><p>Find it on Leanpub!</p><p>Link: <a href="https://leanpub.com/creatingmcpserverswithoauth" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">leanpub.com/creatingmcpservers</span><span class="invisible">withoauth</span></a></p>
OpenStreetMap Ops Team<p>If you manage a web application that uses OpenStreetMap.org authentication or independently use the OpenStreetMap-website code, please see our recent security notice: <a href="https://operations.osmfoundation.org/2025/07/11/security-notice.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">operations.osmfoundation.org/2</span><span class="invisible">025/07/11/security-notice.html</span></a> <a href="https://en.osm.town/tags/OpenStreetMap" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenStreetMap</span></a> <a href="https://en.osm.town/tags/OSM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OSM</span></a> <a href="https://en.osm.town/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Security</span></a> <a href="https://en.osm.town/tags/OAuth" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OAuth</span></a></p>
Matthew Turland<p>Max Mitchell | I Read All Of Cloudflare's Claude-Generated Commits <a href="https://www.maxemitchell.com/writings/i-read-all-of-cloudflares-claude-generated-commits/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">maxemitchell.com/writings/i-re</span><span class="invisible">ad-all-of-cloudflares-claude-generated-commits/</span></a></p><p><a href="https://phpc.social/tags/Claude" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Claude</span></a> <a href="https://phpc.social/tags/AI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AI</span></a> <a href="https://phpc.social/tags/LLM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LLM</span></a> <a href="https://phpc.social/tags/OAuth" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OAuth</span></a> <a href="https://phpc.social/tags/Cloudflare" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Cloudflare</span></a></p>
Nicolas Borboën<p>"NOOOOOOOO!!!! You can't just use an LLM to write an auth library!"</p><p>"haha gpus go brrr"</p><p><a href="https://github.com/cloudflare/workers-oauth-provider/?tab=readme-ov-file#written-using-claude" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/cloudflare/workers-</span><span class="invisible">oauth-provider/?tab=readme-ov-file#written-using-claude</span></a></p><p><a href="https://social.epfl.ch/tags/AI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AI</span></a> <a href="https://social.epfl.ch/tags/CloudFlare" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CloudFlare</span></a> <a href="https://social.epfl.ch/tags/oAuth" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>oAuth</span></a> <a href="https://social.epfl.ch/tags/Claude" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Claude</span></a> <a href="https://social.epfl.ch/tags/GPUsGoBrrr" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GPUsGoBrrr</span></a> <a href="https://social.epfl.ch/tags/LLM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LLM</span></a></p>
Hollo :hollo:<p><a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/Hollo" target="_blank">#<span>Hollo</span></a> 0.6.0 is coming soon!</p><p>We're putting the finishing touches on our biggest security and feature update yet. Here's what's coming:</p><p><strong>Enhanced <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/OAuth" target="_blank">#<span>OAuth</span></a> <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/security" target="_blank">#<span>security</span></a></strong></p><ul> <li>RFC 8414 (OAuth metadata discovery)</li><li>RFC 7636 (<a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/PKCE" target="_blank">#<span>PKCE</span></a> support)</li><li>Improved authorization flows following RFC 9700 best practices</li> </ul><p><strong>New features</strong></p><ul> <li>Extended character limit (4K → 10K)</li><li>Code syntax highlighting</li><li>Customizable profile themes</li><li>EXIF metadata stripping for privacy</li> </ul><p><strong>Important notes for update</strong></p><ul> <li>Node.js 24+ required</li><li>Updated environment variables for asset storage</li><li>Stronger <code>SECRET_KEY</code> requirements (44+ chars)</li> </ul> <p>Special thanks to <a translate="no" class="h-card u-url mention" href="https://hachyderm.io/@thisismissem" rel="nofollow noopener" target="_blank">@<span>thisismissem</span></a> for the extensive OAuth improvements that help keep the <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/fediverse" target="_blank">#<span>fediverse</span></a> secure and compatible! 🙏</p><p>Full changelog and upgrade guide coming with the release.</p><p><a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/ActivityPub" target="_blank">#<span>ActivityPub</span></a></p>
Neil Madden<p>Interesting open letter from the CISO at JP Morgan Chase, calling out insecure SaaS integrations, and specifically lots of implicit/explicit criticism of <a href="https://infosec.exchange/tags/OAuth" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OAuth</span></a>: poorly secured and broadly scoped long-lived bearer tokens are not a great idea. Hopefully we’ll see PoP (with keys in a KMS) becoming more widespread for these kinds of integrations. </p><p>(The letter is undated 😤 but I assume it’s recent - via <span class="h-card" translate="no"><a href="https://infosec.exchange/@ladynerd" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>ladynerd</span></a></span> on LinkedIn).</p><p><a href="https://www.jpmorgan.com/technology/technology-blog/open-letter-to-our-suppliers" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">jpmorgan.com/technology/techno</span><span class="invisible">logy-blog/open-letter-to-our-suppliers</span></a></p>
The New Oil<p>Hackers abuse <a href="https://mastodon.thenewoil.org/tags/OAuth" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OAuth</span></a> 2.0 workflows to hijack <a href="https://mastodon.thenewoil.org/tags/Microsoft365" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Microsoft365</span></a> accounts</p><p><a href="https://www.bleepingcomputer.com/news/security/hackers-abuse-oauth-20-workflows-to-hijack-microsoft-365-accounts/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/hackers-abuse-oauth-20-workflows-to-hijack-microsoft-365-accounts/</span></a></p><p><a href="https://mastodon.thenewoil.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://mastodon.thenewoil.org/tags/Microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Microsoft</span></a></p>
The New Oil<p><a href="https://mastodon.thenewoil.org/tags/Phishers" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Phishers</span></a> abuse <a href="https://mastodon.thenewoil.org/tags/Google" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Google</span></a> <a href="https://mastodon.thenewoil.org/tags/OAuth" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OAuth</span></a> to spoof Google in <a href="https://mastodon.thenewoil.org/tags/DKIM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DKIM</span></a> replay attack</p><p><a href="https://www.bleepingcomputer.com/news/security/phishers-abuse-google-oauth-to-spoof-google-in-dkim-replay-attack/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/phishers-abuse-google-oauth-to-spoof-google-in-dkim-replay-attack/</span></a></p><p><a href="https://mastodon.thenewoil.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a></p>
Emelia 👸🏻<p>Mixing up Public and Private Keys in OpenID Connect deployments - Hanno's Blog:</p><p><a href="https://blog.hboeck.de/archives/909-Mixing-up-Public-and-Private-Keys-in-OpenID-Connect-deployments.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blog.hboeck.de/archives/909-Mi</span><span class="invisible">xing-up-Public-and-Private-Keys-in-OpenID-Connect-deployments.html</span></a></p><p><a href="https://hachyderm.io/tags/oauth" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>oauth</span></a> <a href="https://hachyderm.io/tags/openid" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>openid</span></a> <a href="https://hachyderm.io/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a></p>
Francis Augusto 🇳🇴/🇧🇷/:bahia:<p>A little rant about e-mail authentication: </p><p><a href="https://francisaugusto.com/2025/Email-quo-vadis-or-where-is-oidc-for-everyone/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">francisaugusto.com/2025/Email-</span><span class="invisible">quo-vadis-or-where-is-oidc-for-everyone/</span></a></p><p><span class="h-card" translate="no"><a href="https://io.mwl.io/@mwl" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>mwl</span></a></span> I'd love your comment on this!</p><p><a href="https://mastodon.babb.no/tags/email" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>email</span></a> <a href="https://mastodon.babb.no/tags/oauth" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>oauth</span></a> <a href="https://mastodon.babb.no/tags/oauth2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>oauth2</span></a> <a href="https://mastodon.babb.no/tags/thunderbird" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>thunderbird</span></a></p>
Jürgen ⁂ :gts:<p>My <a href="https://servus.jyrgi.de/tags/gotosocial" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GoToSocial</span></a> instance is slowly getting cosy :neocat_comfy:.<br><br>I've just uploaded a collection of <a href="https://servus.jyrgi.de/tags/neocat" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NeoCat</span></a> :neocat: emojis. That wasn't all that easy, because GTS doesn't yet support bulk uploads of <a href="https://servus.jyrgi.de/tags/misskey" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MissKey</span></a> emoji archives. Emojis can only be uploaded one at a time via an API call.<br><br>But since I know a bit of <a href="https://servus.jyrgi.de/tags/python" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Python</span></a>, the problem was solved fairly quickly.<br><br>**I wrote two scripts:**<br><br>- One to authenticate via <a href="https://servus.jyrgi.de/tags/oauth" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OAuth</span></a> and obtain a Bearer token for the API calls.<br>- Another that parses the meta.json file of MissKey-compatible emoji archives and then uploads every emoji in the archive individually via an API call.<br><br>**What I learned:**<br><br>- How MissKey emoji archives are structured.<br>- How to authenticate with GTS via OAuth.<br>- How to upload emojis from MissKey archives via GTS API calls.<br><br><a href="https://servus.jyrgi.de/tags/selfhosting" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SelfHosting</span></a> <a href="https://servus.jyrgi.de/tags/gotosocial" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GoToSocial</span></a> <a href="https://servus.jyrgi.de/tags/python" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Python</span></a> <a href="https://servus.jyrgi.de/tags/oauth" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OAuth</span></a> <a href="https://servus.jyrgi.de/tags/customemojis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CustomEmojis</span></a></p>
Neil Madden<p>And now <span class="h-card" translate="no"><a href="https://infosec.exchange/@PhilippeDeRyck" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>PhilippeDeRyck</span></a></span> breaking <a href="https://infosec.exchange/tags/oauth" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>oauth</span></a> <a href="https://infosec.exchange/tags/NDCSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NDCSecurity</span></a></p>
John Leonard<p>Vulnerability in Google’s OAuth System exposes millions to risk</p><p>Researchers warn that unused domains could grant unauthorised access to sensitive SaaS accounts</p><p><a href="https://www.computing.co.uk/news/2025/security/vulnerability-in-google-oauth-system-exposes-millions-to-risk" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">computing.co.uk/news/2025/secu</span><span class="invisible">rity/vulnerability-in-google-oauth-system-exposes-millions-to-risk</span></a></p><p><a href="https://mastodon.social/tags/google" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>google</span></a> <a href="https://mastodon.social/tags/oauth" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>oauth</span></a> <a href="https://mastodon.social/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://mastodon.social/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a></p>
Aaron King<p>Anybody close their personal Gmail or Outlook, i.e. Google and Microsoft accounts? They are just spam and I have pretty good success with my private email domain so I'm just tired of all the spam and tracking if I don't use their services. I just need a replacement OAuth server and Authenticator app. <a href="https://fosstodon.org/tags/oauth" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>oauth</span></a> <a href="https://fosstodon.org/tags/otp" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>otp</span></a> <a href="https://fosstodon.org/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://fosstodon.org/tags/email" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>email</span></a></p>
Hackread.com<p>SquareX Researchers Expose <a href="https://mstdn.social/tags/OAuth" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OAuth</span></a> Attack on Chrome Extensions Days Before Major Breach</p><p>Read: <a href="https://hackread.com/squarex-researchers-expose-oauth-attack-on-chrome-extensions-days-before-major-breach/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">hackread.com/squarex-researche</span><span class="invisible">rs-expose-oauth-attack-on-chrome-extensions-days-before-major-breach/</span></a></p><p><a href="https://mstdn.social/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a> <a href="https://mstdn.social/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Phishing</span></a> <a href="https://mstdn.social/tags/Chrome" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Chrome</span></a> <a href="https://mstdn.social/tags/CyberAttack" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberAttack</span></a></p>
Terence Eden’s Blog<p><strong>Add a custom icon to Auth0's Custom Social integrations</strong></p><p><a href="https://shkspr.mobi/blog/2024/12/add-a-custom-icon-to-auth0s-custom-social-integrations/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">shkspr.mobi/blog/2024/12/add-a</span><span class="invisible">-custom-icon-to-auth0s-custom-social-integrations/</span></a></p><p>This is <em>so</em> fucking stupid.</p><p>There is no way to update the logo of a custom social connection on Auth0 without using the command line. On literally every other service I've used, there's a little box to upload a logo. But Okta have a funny idea of what developers want.</p><p>And, to make matters worse, <a href="https://auth0.com/docs/authenticate/identity-providers/social-identity-providers/oauth2" rel="nofollow noopener" target="_blank">their documentation contains an error</a>! They don't listen to community requests or take bug reports, so I'm blogging in the hope that this is useful to you.</p><p><strong>The Command</strong></p><pre><code>curl --request PATCH \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -H 'Authorization: Bearer eyJhb...ZEQ' \
  --url 'https://whatever.eu.auth0.com/api/v2/connections/con_qwerty123456' \
  --data ' ... '</code></pre><p>You will also need to supply some JSON in the <code>data</code> parameter. I've formatted it to be easier to read than the garbage documentation. <em>All</em> of these fields are mandatory.</p><pre><code>{
  "options": {
    "client_id": "your-app-id",
    "client_secret": "Shhhhhh!",
    "icon_url": "https://example.com/image.svg",
    "scripts": {
      "fetchUserProfile": "???"
    },
    "authorizationURL": "https://example.com/oauth2/authorize",
    "tokenURL": "https://example.com/oauth2/token",
    "scope": "auth"
  },
  "display_name": "Whatever"
}</code></pre><p>OK, but how do you get all those values?</p><ul><li>Bearer token:<ul><li><a href="https://auth0.com/docs/secure/tokens/access-tokens/management-api-access-tokens" rel="nofollow noopener" target="_blank">Create a management token</a></li><li>The only scope it needs is <code>update:connections</code></li></ul></li><li>URL<ul><li>This is your normal Auth0 domain name.</li><li>The Connection ID at the end can be found in the dashboard of your social connection<br></li></ul></li><li>Client ID &amp; Secret<ul><li>You set these in the social connection's dashboard.</li></ul></li><li><code>icon_url</code><ul><li>Public link to an image. It can be an SVG.</li></ul></li><li><code>fetchUserProfile</code><ul><li>Whatever code you want to run. If you don't want any, you can't leave it blank. So type in a couple of characters.</li></ul></li><li><code>authorizationURL</code> and <code>tokenURL</code><ul><li>Wherever you want to redirect users to</li></ul></li><li><code>display_name</code><ul><li>What you want to show to the user</li></ul></li></ul><p>This is <em>such</em> a load of bollocks! Is it really that hard for the Okta team to put an input field with "type the URL of your logo"?</p><p><a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://shkspr.mobi/blog/tag/auth0/" target="_blank">#Auth0</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://shkspr.mobi/blog/tag/howto/" target="_blank">#HowTo</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://shkspr.mobi/blog/tag/oauth/" target="_blank">#oauth</a></p>
Terence Eden<p>🆕 blog! “Add a custom icon to Auth0's Custom Social integrations”</p><p>This is so fucking stupid.</p><p>There is no way to update the logo of a custom social connection on Auth0 without using the command line. On literally every other service I've used, there's a little box to upload a logo. But Okta have a funny idea of what developers want.</p><p>And, to make matters…</p><p>👀 Read more: <a href="https://shkspr.mobi/blog/2024/12/add-a-custom-icon-to-auth0s-custom-social-integrations/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">shkspr.mobi/blog/2024/12/add-a</span><span class="invisible">-custom-icon-to-auth0s-custom-social-integrations/</span></a><br>⸻<br><a href="https://mastodon.social/tags/Auth0" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Auth0</span></a> <a href="https://mastodon.social/tags/HowTo" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HowTo</span></a> <a href="https://mastodon.social/tags/oauth" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>oauth</span></a></p>
Terence Eden’s Blog<p><strong>Creating a generic "Log-in with Mastodon" service</strong></p><p><a href="https://shkspr.mobi/blog/2024/12/creating-a-generic-log-in-with-mastodon-service/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">shkspr.mobi/blog/2024/12/creat</span><span class="invisible">ing-a-generic-log-in-with-mastodon-service/</span></a></p><p>Let's say you have a website - <code>your_website.tld</code> - and you want people to log in to it using their Mastodon account.</p><p>For a traditional social-media site like Twitter or Facebook, you would create an OAuth app on the service that you want. But there are <em>hundreds</em> of Mastodon servers. So you need to create a new app for each one. That sounds hard, but it isn't. Well… not <em>too</em> hard.</p><p>Here's some <a href="https://infosec.press/jerry/how-to-user-mastodons-built-on-oauth-provider-as-the-authentication-provider" rel="nofollow noopener" target="_blank">code adapted from Infosec.press</a>. It's all written using cURL on the command line - so you should be able to adapt it to your preferred programming language.</p><p><strong>Register an app on the user's Mastodon instance</strong></p><p>Let's assume the user has given you the name of their Mastodon server - <code>example.social</code></p><p>You then send a request for an app to be created on <code>example.social</code> with your website's details. All it requests is the ability to read a user's details, nothing else.</p><pre><code>curl -X POST \
  -F "client_name=Login to your_website.tld" \
  -F "redirect_uris=https://your_website.tld/oauth/mastodon?server=example.social&amp;" \
  -F "scopes=read:accounts" \
  -F "website=https://your_website.tld" \
  -A "user-agent/0.1" \
  https://example.social/api/v1/apps</code></pre><p>You can set the User Agent to be anything suitable. Some servers won't work if it is omitted.</p><p>If the request was successful, <code>example.social</code> will send you this JSON in response:</p><pre><code>{
  "id": "12345",
  "name": "Login to your_website.tld",
  "website": "https://your_website.tld",
  "scopes": [ "read:accounts" ],
  "redirect_uris": [ "https://your_website.tld/oauth/mastodon?server=example.social&amp;" ],
  "vapid_key": "qwertyuiop-asdfghjkl-zxcvbnm",
  "redirect_uri": "https://your_website.tld/oauth/mastodon?server=example.social&amp;",
  "client_id": "qw_asdfghjkl_zxcvbnm",
  "client_secret": "qwertyuiop1234567890"
}</code></pre><p>Save the server's address, the <code>client_id</code>, and the <code>client_secret</code>. You will need all three later.</p><p><strong>The user logs in to their Mastodon instance</strong></p><p>You need to redirect the user to their server so they can log in. You need to construct a Mastodon URL using the data you received back. Don't forget to URL encode the <code>redirect_uri</code>.</p><p>For example, redirect the user to:</p><pre><code>https://example.social/oauth/authorize?client_id=qw_asdfghjkl_zxcvbnm&amp;scope=read:accounts&amp;redirect_uri=https://your_website.tld/oauth/mastodon%3Fserver=example.social%26&amp;response_type=code</code></pre><p>When the user visits that URL they can then log in. If they're successful, they'll be redirected back to your server using your specified redirect URI:</p><pre><code>https://your_website.tld/oauth/mastodon?server=example.social&amp;code=qazwsxedcrfvtgbyhnujm</code></pre><p><strong>Get a Bearer token</strong></p><p>Your website has received a GET request with the user's server name and an authorisation code. As per <a href="https://docs.joinmastodon.org/client/authorized/#token" rel="nofollow noopener" target="_blank">the Mastodon documentation</a>, your app uses that code to request a Bearer token:</p><pre><code>curl -X POST \
  -F "client_id=qw_asdfghjkl_zxcvbnm" \
  -F "client_secret=qwertyuiop1234567890" \
  -F "redirect_uri=https://your_website.tld/oauth/mastodon?server=example.social&amp;" \
  -F "grant_type=authorization_code" \
  -F "code=qazwsxedcrfvtgbyhnujm" \
  -F "scope=read:accounts" \
  -A "user-agent/0.1" \
  https://example.social/oauth/token</code></pre><p>If that's worked, the user's server will return a Bearer token like this:</p><pre><code>{
  "access_token": "abcdefg_123456",
  "token_type": "Bearer",
  "scope": "read:accounts",
  "created_at": 1732916685
}</code></pre><p><strong>Get the user's details</strong></p><p>Finally(!) you can use that token to verify the user's credentials with the server:</p><pre><code>curl \
  -H "Authorization: Bearer abcdefg_123456" \
  -A "user-agent/0.1" \
  https://example.social/api/v1/accounts/verify_credentials</code></pre><p>If that works, you'll get back all the user's details. Something like this:</p><pre><code>{
  "id": "7112",
  "username": "Edent",
  "acct": "Edent",
  "display_name": "Terence Eden",
  "url": "https://mastodon.social/@Edent",
  "avatar": "https://files.mastodon.social/accounts/avatars/000/007/112/original/37df032a5951b96c.jpg",
  ...
}</code></pre><p><strong>Putting it all together</strong></p><ol><li>User provides their Mastodon instance's domain name</li><li>Your service looks up the domain name in its database<ul><li>If there are no results, request to create a new app on the Mastodon instance and save the returned <code>client_id</code> and <code>client_secret</code></li></ul></li><li>Redirect the User to their Mastodon instance, using a URL which contains the <code>client_id</code> &amp; callback URL</li><li>User logs in to their Mastodon instance</li><li>The User's Mastodon instance redirects the User to your service's callback URL which includes the instance's domain name and the User's authorisation code</li><li>Your service reads the User's domain name and authorisation code</li><li>Your service exchanges those details for a Bearer token</li><li>Your service uses the Bearer token to get the User's account details</li></ol><p><strong>Next steps?</strong></p><p>This basic code works. For my next trick, can I integrate it into Auth0?</p><p><a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://shkspr.mobi/blog/tag/auth0/" target="_blank">#Auth0</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://shkspr.mobi/blog/tag/mastodonapi/" target="_blank">#MastodonAPI</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://shkspr.mobi/blog/tag/oauth/" target="_blank">#oauth</a></p>
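The eight-step flow in the post above, as an added example in Python; this is not code from the post, from Infosec.press or from Mastodon. It keeps the post's placeholders (<code>your_website.tld</code>, <code>example.social</code>, the <code>read:accounts</code> scope) and the same three endpoints, and makes the HTTP layer injectable so the whole exchange can be run offline against a constructed stand-in for <code>example.social</code> that answers with the post's sample values. Because the callback is handled by server code rather than typed by hand, the example also carries a per-login <code>state</code> value and uses the <code>server</code> query parameter only as a key into the saved registrations. The User-Agent string, the in-memory registration store and the fake instance are assumptions.

```python
import json
import secrets
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

SCOPES = "read:accounts"
SITE = "https://your_website.tld"       # the post's placeholder site
USER_AGENT = "your_website-login/0.1"   # assumed; the post notes some servers reject a missing UA

# Transport: (url, form fields or None for GET, extra headers) -> parsed JSON body.
Transport = Callable[[str, Optional[dict], dict], dict]

def urllib_transport(url: str, form: Optional[dict], headers: dict) -> dict:
    """Real transport for live use: form-encoded POST, or GET when form is None."""
    data = urllib.parse.urlencode(form).encode() if form is not None else None
    req = urllib.request.Request(url, data=data, headers={"User-Agent": USER_AGENT, **headers})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def redirect_uri(server: str) -> str:
    # Built in one place so registration, authorize and token requests all send
    # the identical string; the instance compares them byte for byte.
    return f"{SITE}/oauth/mastodon?" + urllib.parse.urlencode({"server": server})

def register_app(http: Transport, server: str) -> dict:
    """Step 1: create an app on the user's instance (done once per instance)."""
    app = http(f"https://{server}/api/v1/apps", {
        "client_name": f"Login to {SITE}", "redirect_uris": redirect_uri(server),
        "scopes": SCOPES, "website": SITE}, {})
    return {"client_id": app["client_id"], "client_secret": app["client_secret"]}

def new_state() -> str:
    """Unguessable per-login value; keep it in the user's session before redirecting."""
    return secrets.token_urlsafe(24)

def authorize_url(server: str, client_id: str, state: str) -> str:
    """Step 2: the URL to send the browser to. urlencode escapes the nested redirect_uri."""
    query = urllib.parse.urlencode({
        "client_id": client_id, "scope": SCOPES, "redirect_uri": redirect_uri(server),
        "response_type": "code", "state": state})
    return f"https://{server}/oauth/authorize?{query}"

def handle_callback(http: Transport, registrations: Dict[str, dict],
                    callback_url: str, expected_state: str) -> dict:
    """Steps 3 to 5: check state, swap the code for a token, fetch the account."""
    q = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(callback_url).query))
    if not secrets.compare_digest(q.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    server = q["server"]
    reg = registrations[server]          # only instances we registered with are accepted
    token = http(f"https://{server}/oauth/token", {
        "client_id": reg["client_id"], "client_secret": reg["client_secret"],
        "redirect_uri": redirect_uri(server), "grant_type": "authorization_code",
        "code": q["code"], "scope": SCOPES}, {})
    return http(f"https://{server}/api/v1/accounts/verify_credentials", None,
                {"Authorization": f"Bearer {token['access_token']}"})

class FakeInstance:
    """Constructed stand-in for example.social so the flow runs offline (not a real server)."""
    def __init__(self, domain: str):
        self.domain = domain
        self.app = {"client_id": "qw_asdfghjkl_zxcvbnm", "client_secret": "qwertyuiop1234567890"}
        self.code, self.token = "qazwsxedcrfvtgbyhnujm", "abcdefg_123456"

    def __call__(self, url: str, form: Optional[dict], headers: dict) -> dict:
        path = urllib.parse.urlsplit(url).path
        if path == "/api/v1/apps" and form and form["scopes"] == SCOPES:
            return dict(self.app, id="12345", redirect_uri=form["redirect_uris"])
        if path == "/oauth/token" and form and form["client_secret"] == self.app["client_secret"] \
                and form["code"] == self.code and form["grant_type"] == "authorization_code":
            return {"access_token": self.token, "token_type": "Bearer", "scope": SCOPES}
        if path == "/api/v1/accounts/verify_credentials" \
                and headers.get("Authorization") == f"Bearer {self.token}":
            return {"id": "7112", "username": "Edent", "acct": "Edent"}
        raise PermissionError(f"fake instance rejected request to {url}")

    def login_redirect(self, authorize: str) -> str:
        """Where the instance sends the browser after the user approves the app."""
        q = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(authorize).query))
        assert q["client_id"] == self.app["client_id"]
        return q["redirect_uri"] + "&" + urllib.parse.urlencode({"code": self.code, "state": q["state"]})

def demo() -> dict:
    """Runs the full login against the fake instance and returns the verified account."""
    instance = FakeInstance("example.social")
    registrations: Dict[str, dict] = {}      # persisted per server in real use
    registrations[instance.domain] = register_app(instance, instance.domain)
    state = new_state()                      # would be saved in the user's session
    url = authorize_url(instance.domain, registrations[instance.domain]["client_id"], state)
    return handle_callback(instance, registrations, instance.login_redirect(url), state)

if __name__ == "__main__":
    print(demo())
```

Swap <code>FakeInstance</code> for <code>urllib_transport</code> to talk to a real server; everything else stays the same. The one design choice worth copying is that <code>redirect_uri()</code> is the single source of the callback string: the instance rejects the token exchange if the value differs from the one registered in step 1, which is the usual cause of a mysterious <code>invalid_grant</code>.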