atproto oauth2 vs. createSession, scope problems: (transition:generic vs. com.atproto.access) #3211
Unanswered
reflectivist
asked this question in
Clarifications and "Why?"
Replies: 0 comments
Summary:
When I authenticate via oauth2 on iPhone (via the Bluesky page sheet that springs up), I get an access token with "atproto transition:generic" scope. But passing that token to the uploadBlob endpoint, the bsky.social server says "Bad Token Scope".
However, if I log in with user/password via createSession, the access token I get has "com.atproto.access" scope and it allows me to upload a blob.
I haven't figured out how to use oauth to create a token that actually works with the API, although the token contents make sense.
------------------------ more details ----------------------
I have custom (non-library) code, an app, that gets authorization and fetches an access token (does the DPoP / PKCE / nonce / authorize stuff). When I decode the accessJwt, it shows it has scope "atproto transition:generic".
When I access /xrpc/com.atproto.repo.uploadBlob with that token, I get the error "Bad token scope".
If I access the /xrpc/com.atproto.server.createSession endpoint from curl, and hardcode that access token into my code, in place of where I would have retrieved it via oauth2, it works fine for uploading a blob and creating a record. So my post-authorization code is proven to work. The only difference is which mechanism I create the access token with. The createSession accessJwt token has a different scope from oauth2: "com.atproto.access".
I use a small python script to decode the access tokens returned by the server, and it dumps the KVPs with expected contents; they look like what's expected for both tokens, but the scope differs.
Unfortunately I can't explicitly request the com.atproto.access scope in the oauth config, alone or along with the "atproto transition:generic" scopes (while I'm careful to keep client-metadata updated in parallel), because if I do I can no longer fetch an access token from the auth server via the app; it doesn't seem to reply or errs out. The oauth2 flow only respects the "atproto" and "transition:generic" scopes.
I need to get uploadBlob to work with oauth-based authentication, because I don't want to have my app handle users' login credentials directly if at all avoidable.
I'm making it an issue because I've been digging around all over the place in the documentation and API, but there's not much that clarifies any of it, and I've read that transition:generic is supposed to enable pretty comprehensive API access.
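The post above compares the scope claim of the oauth2 token with that of the createSession token by decoding both. Here is an added example (not the poster's script, nor code from the atproto project) of such a diagnostic decoder: it parses a JWT payload without verifying the signature, reads the space-separated `scope` claim, and checks whether a required scope is present before a token is sent to an endpoint. The two tokens are constructed in the script with an empty signature purely so it runs offline; the issuer and subject values are placeholders.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS WITHOUT checking its signature.
    Diagnostic use only: it shows what the server issued, it does not prove it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_scopes(token: str) -> set[str]:
    # The atproto tokens discussed above carry a space-separated 'scope' claim.
    return set(decode_jwt_payload(token).get("scope", "").split())


def check_scope(token: str, required: str) -> tuple[bool, set[str]]:
    """Pre-flight check: does the token carry `required`? Returns (ok, all scopes)."""
    scopes = token_scopes(token)
    return required in scopes, scopes


def _make_unsigned_token(claims: dict) -> str:
    # Constructed sample token (unsigned, empty signature segment) for the demo only.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed stand-ins for the two tokens described in the post (placeholder ids).
OAUTH_TOKEN = _make_unsigned_token(
    {"scope": "atproto transition:generic", "sub": "did:plc:PLACEHOLDER", "iss": "https://bsky.social"})
SESSION_TOKEN = _make_unsigned_token(
    {"scope": "com.atproto.access", "sub": "did:plc:PLACEHOLDER"})

if __name__ == "__main__":
    for name, tok in (("oauth2", OAUTH_TOKEN), ("createSession", SESSION_TOKEN)):
        ok, scopes = check_scope(tok, "com.atproto.access")
        print(f"{name}: scopes={sorted(scopes)} has com.atproto.access={ok}")
```

Running such a check in the client before calling uploadBlob turns a server-side "Bad token scope" into a local, logged mismatch that names the scopes actually granted.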