OAuth done right

The other day, I observed someone asking in GoToSocial chat rooms whether a list of open sessions could be found somewhere. From the social experience, this is granting another client app access to your instance (timeline, DMs etc).

Those are authorised using the OAuth flow.

From a security point of view, it is recommended to have a short-lived initial token that grants the permission (if the person did) and hands over so-called refresh tokens that extend the session. These can live longer because they’re easier to revoke.

It also makes sense to expose a list of running sessions with the option to terminate them.

Mastodon is apparently only serving the initial token with quasi-infinite lifetime, according to one of the GtS developers. I haven’t confirmed it myself yet.

Even if GtS is adapting the best practices, client apps will break because they are likely not prepared to handle the proper flow.

I wonder what could be done to get this right, given that there is an ever-growing list of ActivityPub applications and everyone orients themselves toward Mastodon.
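Added example, not code from GoToSocial, Mastodon or the original poster: a minimal in-memory token store in Python showing the pattern described above, a short-lived access token, a longer-lived refresh token that is rotated on every use and can be revoked, and a per-user list of sessions that can be terminated. The TTLs and token formats are constructed for illustration.

```python
# Added example, not GoToSocial or Mastodon code: an in-memory OAuth token store with
# short-lived access tokens, revocable refresh tokens (rotated on every use) and a
# per-user session list that can be terminated. Lifetimes below are constructed values.
import secrets

ACCESS_TTL = 600          # access token lives 10 minutes
REFRESH_TTL = 30 * 86400  # refresh token lives 30 days, but can be revoked at any time


class TokenStore:
    def __init__(self):
        self.sessions = {}  # session id -> dict(user, client, scopes, access, access_exp, refresh, refresh_exp)
        self.by_access, self.by_refresh = {}, {}  # token -> session id
    def _rotate(self, sid, now):
        """Replace both tokens of a session; the previous pair stops working at once."""
        s = self.sessions[sid]
        self.by_access.pop(s.get("access"), None)
        self.by_refresh.pop(s.get("refresh"), None)
        s["access"], s["access_exp"] = secrets.token_urlsafe(32), now + ACCESS_TTL
        s["refresh"] = secrets.token_urlsafe(32)
        self.by_access[s["access"]] = sid
        self.by_refresh[s["refresh"]] = sid
        return s["access"], s["refresh"]
    def grant(self, user, client, scopes, now):
        """Create a session after the user approved the client; returns (sid, access, refresh)."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "client": client, "scopes": frozenset(scopes),
                              "refresh_exp": now + REFRESH_TTL}
        return (sid,) + self._rotate(sid, now)
    def authorize(self, access_token, now):
        """Session for a valid, unexpired access token, or None (the client must refresh)."""
        sid = self.by_access.get(access_token)
        if sid is None or now >= self.sessions[sid]["access_exp"]:
            return None
        return self.sessions[sid]
    def refresh(self, refresh_token, now):
        """Exchange a refresh token for a fresh pair; None if unknown, rotated out, revoked or expired."""
        sid = self.by_refresh.get(refresh_token)
        if sid is None or now >= self.sessions[sid]["refresh_exp"]:
            return None
        return self._rotate(sid, now)
    def list_sessions(self, user):
        """What a 'running sessions' page would show: one row per authorised client."""
        return [(sid, s["client"], sorted(s["scopes"])) for sid, s in self.sessions.items() if s["user"] == user]
    def revoke(self, sid):
        """Terminate a session so that both of its tokens stop working."""
        s = self.sessions.pop(sid, None)
        if s is not None:
            self.by_access.pop(s["access"], None)
            self.by_refresh.pop(s["refresh"], None)
        return s is not None
```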

What's right and what's wrong here? From your post I can deduce that things, as they are now, are wrong. So, what is it that you would like to see improved? Be more specific if you can.

Your post looks like it was written with SEO in mind only. Just marketing BS, nothing more.

First: You could have put this more friendly. Why would I write "with SEO in mind"?

Point taken that I could have linked to a source. But those are easy to find.
For example, Auth0 has published

OAuth.com explains why the Best Practice is not popular with developers and what to do about it:

OWASP has even more tips:

I feel a long-written explanation would have missed the point: to think about how to implement OAuth properly instead of going for a fast solution.

I fail to see me being unfriendly here… seriously.

To make this post and this forum rank higher in search engines. That's what SEO is for 🙂