OAuth2 setup
The basic ONI OAuth2 setup relies on the following assumptions.
The login itself requires just the password configured when the actor was created.
For the client authorization, the credentials are composed of:
- client id: the URL of the host itself.
- client secret: the same password as above.
The OAuth2 endpoints can be read from the Actor object's endpoints property; they live on that instance's host at the following paths:
- AuthorizationEndpoint: /oauth/authorize
- TokenEndpoint: /oauth/token
The client needs to send the redirect URL as one of:
- org.oni.app://oauth2redirect - hardcoded return URL for the Flutter mobile app
- http://localhost:3000 - hardcoded return URL for BOX helper
- urn:ietf:wg:oauth:2.0:oob:auto - the (now obsolete) Google Out-of-Band URN
Using a third party OAuth2 client
Previously we’ve shown the default settings for OAuth2 authorization.
If you want to support a third party client that cannot use one of the predefined return URLs, the only non-configurable part is the return URL itself, which requires recompiling ONI with the following change:
# https://man.sr.ht/~mariusor/go-activitypub/oni/index.md#compiling-the-application
# In the compilation step of the link above change the build command to:
$ go build -ldflags '-s -w -extldflags "-static" -X oni.ExtraRedirectURL=https://example.com/oauthReturnUrl' \
-trimpath -a -o ./bin/oni ./cmd/oni/main.go
Supported OAuth2 flows
The supported OAuth2 flows are:
- authorization_code
- client_credentials
Additionally, no scopes are defined, so any authorized client has full access to the account.
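A client-side walk through the authorization_code flow against the setup and flows described above, as an added Go example that is not part of ONI or its documentation. It assumes `https://oni.example` as a placeholder instance, `extra` standing for a URL compiled in via oni.ExtraRedirectURL, exact matching of redirect URLs, and a state parameter check that is standard OAuth2 client practice rather than something this page describes.

```go
package main

import (
	"fmt"
	"net/url"
)

// Redirect URLs ONI accepts as listed above; extra is the optional build-time oni.ExtraRedirectURL value (assumption: exact match).
var allowedRedirects = []string{"org.oni.app://oauth2redirect", "http://localhost:3000", "urn:ietf:wg:oauth:2.0:oob:auto"}

// RedirectAllowed is an exact-match check: no prefix or host-only matching, so a code can never land on a look-alike URL.
func RedirectAllowed(redirect, extra string) bool {
	for _, a := range allowedRedirects {
		if redirect == a {
			return true
		}
	}
	return extra != "" && redirect == extra
}

// AuthorizeURL builds the authorization_code request for the actor's AuthorizationEndpoint; clientID is the instance's own host URL.
func AuthorizeURL(authEndpoint, clientID, redirect, state string) (string, error) {
	u, err := url.Parse(authEndpoint)
	if err != nil {
		return "", err
	}
	u.RawQuery = url.Values{"response_type": {"code"}, "client_id": {clientID},
		"redirect_uri": {redirect}, "state": {state}}.Encode() // state: per-session random value, rechecked in ParseCallback
	return u.String(), nil
}

// ParseCallback returns the code from the redirect back to the client, only if the state matches this session's.
func ParseCallback(callback, wantState string) (string, bool) {
	u, err := url.Parse(callback)
	if err != nil || u.Query().Get("state") != wantState {
		return "", false
	}
	code := u.Query().Get("code")
	return code, code != ""
}

// TokenRequest is the form body POSTed to TokenEndpoint; the secret is the actor's login password and no scope is sent.
func TokenRequest(code, clientID, secret, redirect string) url.Values {
	return url.Values{"grant_type": {"authorization_code"}, "code": {code},
		"client_id": {clientID}, "client_secret": {secret}, "redirect_uri": {redirect}}
}

func main() {
	fmt.Println(AuthorizeURL("https://oni.example/oauth/authorize", "https://oni.example", "http://localhost:3000", "s1"))
}
```

Because there are no scopes, the token obtained with TokenRequest carries the full rights of the actor, so the client secret (the actor's password) deserves the same protection as the login itself.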