ActivityPub and OAuth2, strategies?


I am currently working on setting up an ActivityPub application and got a bit stumped as to how to best handle oauth2 authentication. The spec specifies that oauth2 is how you must handle Client ↔ Server communication, however I think it’s a bit too much work for me to implement my own OAuth2 server.

I am wondering, is it a good idea to use an existing oauth2 provider like Mastodon? But then wouldn’t each instance have their own client_id?

To give some context, I am working on a federated document sharing system, where you are supposed to be able to share, view and comment on people’s documents.

The spec specifies that oauth2 is how you must handle Client ↔ Server

Someone will correct me if I’m wrong, but I don’t think the AP specification requires OAuth2 for C2S. I see a few references to endpoints related to OAuth bearer tokens, but they are both preceded by a condition clause (if OAuth2 is used…).

ActivityPub Specification - Section B.1
Unfortunately at the time of standardization, there are no strongly agreed upon mechanisms for authentication.

Of course, it’s fine to use OAuth2 if that matches your requirements well. If you use Mastodon as an OAuth2 provider, doesn’t that require the users of your application to have a Mastodon account on the provider instance(s)? (I’m not an OAuth2 expert, so this isn’t a rhetorical question.)


that is correct. i think the expectation is to use some oauth service, which may or may not be integrated into the activitypub server. (think okta or auth0 or authelia or similar software)

The section links to this, where it says

ActivityPub clients authenticate against a server using OAuth 2.0 bearer tokens

So I just assumed that it was more or less settled that you should use ActivityPub. But it’s true that it’s still being decided on. I guess I can go with basic auth for now with JWT tokens.

It would require a mastodon account, which for my purposes is actually not too bad. But what I think wouldn’t work is that each instance probably has it’s own client_id, so I’d have to set up one oauth2 provider for each instance which is not feasible (kinda goes against the spirit of federation too).

One challenge with this is that the self-hosting experience becomes painful if you also have to set up auth0 along with the server. Auth0 can also get very expensive quickly. Maybe it’s possible to have some sort of open source server to load as a sidecar.