Authentication / Authorization (OAuth2)

As described in Authentication & Authorization C2S

OAuth 2.0 bearer tokens should be used to access a server with an ActivityPub (AP) client.

"To discover the correct endpoint for authorization, clients should use OAuth-Server-Metadata on the host part from the actor’s ID URI."

I assume that OAuth-Server-Metadata means OAuth 2.0 Authorization Server Metadata (rfc8414).

Client IDs may be acquired using OAuth 2.0 Dynamic Client Registration Protocol (rfc7591).

In my setup, I use Keycloak as Identity Provider. The server metadata concerning OAuth2 is already provided by Keycloak: https://server/auth/realms/realm/.well-known/openid-configuration

Response:

{
	"issuer": "https://login.example.com/auth/realms/LOA",
	...
	...
	"registration_endpoint": "https://login.example.com/auth/realms/LOA/clients-registrations/openid-connect",
	...
	...
}

The question is how does the client get the information? It cannot know which Identity Provider I use!
A possibility is that the AP server provides an endpoint like

https://activitypub.example.com/.well-known/activityPub

And then get the info about the issuer:

{
	"issuer":"https://login.example.com/auth/realms/LOA"
}

I am curious to hear your opinions.

I think it’s pretty clear to me from the wiki document you linked that for an actor with a URI of https://example.com/users/foo, the metadata endpoint would live at https://example.com/.well-known/oauth-authorization-server. So you would need to create a redirect or similar from that URL to whatever URL is provided by your identity server.

However, note that the wiki page you linked was just a working draft and never received a full implementation or specifications work. The ActivityPub spec has only this to say on the matter:

The endpoints mapping MAY include the following properties:

oauthAuthorizationEndpoint
If OAuth 2.0 bearer tokens [RFC6749] [RFC6750] are being used for authenticating client to server interactions, this endpoint specifies a URI at which a browser-authenticated user may obtain a new authorization grant.

oauthTokenEndpoint
If OAuth 2.0 bearer tokens [RFC6749] [RFC6750] are being used for authenticating client to server interactions, this endpoint specifies a URI at which a client may acquire an access token.

Dynamic client registration still poses a bit of a puzzle though…
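To make the discovery flow discussed in both posts concrete, here is an added example (not code from either poster, Keycloak, or the ActivityPub spec) in Python. It derives the RFC 8414 metadata URL from the host part of an actor ID as the reply describes, parses a constructed metadata document modelled on the Keycloak response above, cross-checks it against the `oauthAuthorizationEndpoint` / `oauthTokenEndpoint` properties quoted from the AP spec, and builds an RFC 7591 registration request for the `registration_endpoint`. The authorization and token endpoint values, the actor document and the client names are constructed samples; only the issuer and `registration_endpoint` strings are taken from the thread. No network call is made; the metadata is embedded as a string so the code runs offline.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: an RFC 8414 metadata document as the actor's host could
# serve (or redirect to). Issuer and registration_endpoint come from the thread;
# the remaining values are illustrative.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://login.example.com/auth/realms/LOA",
    "authorization_endpoint": "https://login.example.com/auth/realms/LOA/protocol/openid-connect/auth",
    "token_endpoint": "https://login.example.com/auth/realms/LOA/protocol/openid-connect/token",
    "registration_endpoint": "https://login.example.com/auth/realms/LOA/clients-registrations/openid-connect",
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
})

# Constructed sample actor with the optional endpoints mapping from the AP spec.
SAMPLE_ACTOR = {
    "id": "https://example.com/users/foo",
    "endpoints": {
        "oauthAuthorizationEndpoint": "https://login.example.com/auth/realms/LOA/protocol/openid-connect/auth",
        "oauthTokenEndpoint": "https://login.example.com/auth/realms/LOA/protocol/openid-connect/token",
    },
}

WELL_KNOWN_PATH = "/.well-known/oauth-authorization-server"
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint")
URL_KEYS = REQUIRED_KEYS + ("registration_endpoint",)


def metadata_url_for_actor(actor_id: str) -> str:
    """RFC 8414 metadata location on the host part of the actor's ID URI."""
    parts = urlsplit(actor_id)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("actor id must be an absolute https URI")
    return urlunsplit(("https", parts.netloc, WELL_KNOWN_PATH, "", ""))


def parse_metadata(raw: str) -> dict:
    """Parse the metadata document and reject values a client should not trust."""
    doc = json.loads(raw)
    for key in REQUIRED_KEYS:
        if key not in doc:
            raise ValueError(f"metadata is missing {key}")
    for key in URL_KEYS:
        if key not in doc:
            continue
        u = urlsplit(doc[key])
        # All endpoints must be https; the issuer additionally has no query/fragment.
        if u.scheme != "https" or not u.netloc or u.fragment:
            raise ValueError(f"{key} must be an https URL without fragment")
        if key == "issuer" and u.query:
            raise ValueError("issuer must not carry a query component")
    return doc


def endpoints_agree(actor: dict, metadata: dict) -> bool:
    """If the actor advertises OAuth endpoints, they must match the metadata."""
    ep = actor.get("endpoints", {})
    auth_ok = ep.get("oauthAuthorizationEndpoint", metadata["authorization_endpoint"]) \
        == metadata["authorization_endpoint"]
    token_ok = ep.get("oauthTokenEndpoint", metadata["token_endpoint"]) \
        == metadata["token_endpoint"]
    return auth_ok and token_ok


def registration_request(metadata: dict, client_name: str, redirect_uris: list) -> tuple:
    """Build an RFC 7591 registration request (endpoint URL, JSON body) for a public client."""
    if "registration_endpoint" not in metadata:
        raise ValueError("server does not advertise dynamic client registration")
    for uri in redirect_uris:
        u = urlsplit(uri)
        # Allow https, or plain http only on the loopback address (native apps).
        if u.scheme != "https" and not (u.scheme == "http" and u.hostname == "127.0.0.1"):
            raise ValueError(f"unsafe redirect_uri: {uri}")
    body = {
        "client_name": client_name,
        "redirect_uris": redirect_uris,
        "grant_types": ["authorization_code", "refresh_token"],
        "response_types": ["code"],
        # Public client: no client secret, rely on the authorization code + PKCE.
        "token_endpoint_auth_method": "none",
    }
    return metadata["registration_endpoint"], body


if __name__ == "__main__":
    url = metadata_url_for_actor(SAMPLE_ACTOR["id"])
    md = parse_metadata(SAMPLE_METADATA)  # in practice: fetched from `url`
    print("metadata URL:", url)
    print("issuer:", md["issuer"], "| endpoints agree:", endpoints_agree(SAMPLE_ACTOR, md))
    print(json.dumps(registration_request(md, "demo-ap-client", ["https://client.example.org/cb"])[1], indent=2))
```

The cross-check in `endpoints_agree` is the practical answer to the "client cannot know which Identity Provider I use" problem: a client that sees the well-known document on the actor's host and the actor's own `endpoints` mapping can refuse to proceed when the two disagree, which also limits what a tampered metadata document could redirect it to.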