Hello everyone!
As you may or may not know, Funkwhale currently supports the out-of-band (OOB) flow for OAuth apps. This flow enables app developers to use a preset callback URI that displays a code in-browser when users authenticate an app.
The OOB flow presents a few security issues, and as such has already been deprecated by some providers such as Google. It's also been dropped from the Django OAuth Toolkit, which Funkwhale uses to power OAuth flows. We noted this in issue #1944 and have come to the conclusion that we need to start looking at a deprecation path.
Currently, Funkwhale supports the Authorization Grant flow for authorizing applications. Developers can use a dummy OOB value (urn:ietf:wg:oauth:2.0:oob) as the redirect_uri for this flow. This is the feature we plan to deprecate. In order to do this, we have to come up with adequate alternatives to cover developer use-cases.
OAuth is a big specification containing many different flows. We have identified two in particular that we think would be useful for existing use-cases:
- OAuth 2.0 for Native Apps – useful for desktop and mobile applications
- Client Credentials grant – useful for granting access to headless applications
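As an added illustration (not Funkwhale's or Django OAuth Toolkit's code), the following sketch shows what the native-app flow listed above (RFC 8252) puts in place of the OOB placeholder on both sides: the client builds a PKCE-protected authorization request (RFC 7636) with a loopback redirect_uri, and the server classifies redirect URIs, flagging the deprecated urn:ietf:wg:oauth:2.0:oob and accepting any port on a loopback redirect as the RFC requires. Function names and the example hosts are this example's own.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse

# The out-of-band placeholder this post proposes to deprecate.
OOB_REDIRECT_URI = "urn:ietf:wg:oauth:2.0:oob"
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}  # loopback hosts per RFC 8252 section 7.3

def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge for a code_verifier (RFC 7636, section 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_code_verifier() -> str:
    """Random URL-safe verifier (43..128 chars) that the client keeps secret."""
    return secrets.token_urlsafe(64)  # 86 characters

def redirect_uri_status(uri: str) -> str:
    """Classify a redirect_uri the way an authorization server would."""
    if uri == OOB_REDIRECT_URI:
        return "deprecated-oob"
    parsed = urlparse(uri)
    host = parsed.hostname or ""
    if parsed.scheme == "http" and host in LOOPBACK_HOSTS:
        return "loopback"  # native app listening on an ephemeral local port
    if parsed.scheme == "https" and host:
        return "https"
    return "rejected"

def loopback_redirect_matches(registered: str, presented: str) -> bool:
    """Compare redirect URIs; RFC 8252 section 7.3 requires the server to
    accept any port on a loopback redirect, so only there is the port ignored."""
    if redirect_uri_status(registered) != "loopback":
        return registered == presented  # exact match for every other URI
    r, p = urlparse(registered), urlparse(presented)
    return (r.scheme, r.hostname, r.path, r.query) == (p.scheme, p.hostname, p.path, p.query)

def authorization_url(endpoint: str, client_id: str, redirect_uri: str,
                      scope: str, verifier: str, state: str) -> str:
    """Authorization request a native client opens in the system browser."""
    if redirect_uri_status(redirect_uri) == "deprecated-oob":
        raise ValueError("urn:ietf:wg:oauth:2.0:oob is deprecated; use a loopback redirect_uri")
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": state, "code_challenge": pkce_challenge(verifier),
              "code_challenge_method": "S256"}
    return f"{endpoint}?{urlencode(params)}"
```

The client later exchanges the returned code together with the original code_verifier at the token endpoint, so a code intercepted on the loopback redirect is useless without the verifier.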
The Django OAuth Toolkit already supports most OAuth flows. We need to update Funkwhale to support them and support developers during the transition process.
We've not started on this yet, but we are interested to hear any thoughts, suggestions, or concerns you might have about this proposal. In particular, we'd like to know what other OAuth flows would be useful to you while working with Funkwhale.