scope rejected for API (oauth2 vs. createSession) Scopes: transition:generic vs. com.atproto.access #3212

Open
reflectivist opened this issue Dec 9, 2024 Discussed in #3211 · 0 comments

reflectivist commented Dec 9, 2024

When I authenticate via oauth2 on iPhone (via the blueSky page sheet that springs up), I get an access token with "atproto transition:generic" scope. But passing that token to uploadBlob endpoint, bsky.social server says "Bad Token Scope".

However if I log in with user/password with createSession, access token I get has "com.atproto.access" scope and it allows me to upload a blob.

I haven't figured out how to use oauth to create a token that actually works with the API although the token contents make sense.

------------------------ more details ----------------------
I have custom (non-library) code, an app, that gets authorization and fetches an access token (does the DPoP / PKCE / nonce, authorize stuff). When I decode the accessJwt, shows it has scope "atproto transition:generic".
When I access /xrpc/com.atproto.repo.uploadBlob with that token, I get error "Bad token scope".

If I access /xrpc/com.atproto.server.createSession endpoint from curl, and hardcode that access token into my code, in place of where I would have retrieved it via oauth2, it works fine for uploading a blob and creating a record. So my post-authorization code is proven to work. The only difference is which mechanism I create the access token with. The createSession accessJwt token has a different scope from oauth2: "com.atproto.access"

I use a small python script to decode the access tokens returned by the server, and it dumps the KVPs with expected contents and they look like what’s expected for both tokens but the scope differs.

Unfortunately I can’t explicitly request com.atproto.access scope in the oauth config, alone or along with the "atproto transition:generic" scopes (whereas I’m careful to keep client-metadata updated in parallel), because if I do I can no longer fetch an access token from the auth server via the app; it doesn’t seem to reply or errs out. Oauth2 flow only respects "atproto and transition:generic" scopes.

I need to get uploadBlob to work with oauth based authentication, because I don't want to have my app handle user's login credentials directly if at all avoidable.

I'm making it an issue because I've been digging around all over the place in the documentation, API but there's not much that clarifies any of it and I've read that transition:generic is supposed to enable pretty comprehensive API access.

@reflectivist reflectivist changed the title atproto oauth2 vs. createSession, scope problems: (transition:generic vs. com.atproto.access) scope rejected for API (oauth2 vs. createSession) Scopes: transition:generic vs. com.atproto.access Dec 9, 2024
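The report above mentions a small script that decodes both access tokens and compares their scope claims. The block below is an added example, not the reporter's script and not code from the atproto project: it decodes a JWT payload without verifying the signature (inspection only, never an authorization decision) and runs a local pre-flight that flags a token whose `scope` claim does not match what an endpoint is known to accept, plus an `exp` check. The `ENDPOINT_ACCEPTED_SCOPES` table, the two constructed tokens, and the `did:plc:example` subject are assumptions drawn from the behaviour described in this issue (createSession's `com.atproto.access` accepted by uploadBlob, OAuth's `atproto transition:generic` rejected), not from atproto documentation.

```python
import base64
import json
import time


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims):
    """Build a JWT-shaped string for local testing only.

    The signature segment is a constructed placeholder, so these tokens are
    not real bsky.social tokens and would never pass server-side verification.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "at+jwt"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return "{}.{}.placeholder-signature".format(header, body)


def decode_claims(token):
    """Return the claims of a compact JWT WITHOUT verifying its signature.

    Useful for looking at what the server handed back (scope, sub, exp);
    unsafe as a basis for trusting the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def token_scopes(token):
    """The 'scope' claim is a space-separated list; return it as a set."""
    return set(decode_claims(token).get("scope", "").split())


# Assumed mapping from endpoint to scopes observed to be accepted there.
# Derived from the behaviour reported in this issue, not from documentation.
ENDPOINT_ACCEPTED_SCOPES = {
    "com.atproto.repo.uploadBlob": {"com.atproto.access"},
}


def preflight(token, endpoint, now=None):
    """Return a list of reasons the token is unlikely to be accepted at endpoint.

    An empty list means local inspection found no problem; the server still
    has the final say.
    """
    claims = decode_claims(token)
    problems = []
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is not None and exp <= now:
        problems.append("token expired")
    accepted = ENDPOINT_ACCEPTED_SCOPES.get(endpoint)
    if accepted is not None and not (token_scopes(token) & accepted):
        problems.append(
            "scope {!r} does not include any of {}".format(
                claims.get("scope"), sorted(accepted)
            )
        )
    return problems


if __name__ == "__main__":
    # Constructed sample tokens mirroring the two mechanisms in the report.
    oauth_token = make_unsigned_token(
        {"scope": "atproto transition:generic", "sub": "did:plc:example", "exp": 9999999999}
    )
    session_token = make_unsigned_token(
        {"scope": "com.atproto.access", "sub": "did:plc:example", "exp": 9999999999}
    )
    for name, tok in (("oauth2", oauth_token), ("createSession", session_token)):
        print(name, sorted(token_scopes(tok)), preflight(tok, "com.atproto.repo.uploadBlob"))
```

Running the script prints the decoded scope set for each constructed token and, for the OAuth-style token, a pre-flight problem naming the scope mismatch; the createSession-style token passes. Keeping the decoder separate from any trust decision matters: the `alg: none` header in the constructed tokens is exactly the kind of thing a verifier must reject, and a client should treat decoded claims as diagnostics only.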