Document new OAuth changes for 4.3.0 #1445
Conversation
I have noticed that there is some churn here due to my editor using Prettier for markdown documents. We may want to consider adopting prettier for this repository.

{{< hint style="warning" >}}
Treat the `code` query parameter as if it were a password, you should ensure that it is not logged in request logs.
{{< /hint >}}
- See [/api/v1/endorsements]({{< relref "methods/endorsements" >}}) for managing a user profile's featured accounts.
- See [/api/v1/featured_tags]({{< relref "methods/featured_tags" >}}) for managing a user profile's featured hashtags.
- See [/api/v1/preferences]({{< relref "methods/preferences" >}}) for reading user preferences.
This is all accidental churn due to prettier.
It would potentially be useful here to run prettier in separate branch/PR, get that merged first, rebase this, etc.
Treat the `access_token` as if it were a password. We recommend you encrypt this value when storing in your cache, to prevent accidental credential exposure.
{{< /hint >}}

To use it in requests, add the HTTP header `Authorization: Bearer <access_token>` to any API call that requires OAuth (i.e., one that is not publicly accessible).
Maybe slightly out of scope of this PR, but it may be useful to do a once-over for consistent usage of this placeholder value. You are using `<access_token>` here (which makes complete sense to me). In an example below there's a place that uses "our_access_token_here", for example. Maybe there are more differences elsewhere. Would be nice for consistency to align them.
Yeah, I think out of scope for now
Co-authored-by: Matt Jankowski <matt@jankowski.online>
- `/.well-known/oauth-authorization-server` documentation
- `redirect_uri` on `Application` and addition of `redirect_uris`
- `client_id`, `client_secret`, `access_token` and `code` values that they should be treated as if they are passwords, and stored securely.
- `read` scope for `GET /api/v1/apps/verify_credentials` (this now just requires a valid access token)
- `client_secret_expires_at` on `Application`, per "Add client_secret_expires_at to OAuth Applications" mastodon#30317
- `Application` vs `CredentialApplication` split, per "Support multiple redirect_uris when creating OAuth 2.0 Applications" mastodon#29192

This branch is based on #1444