@julian diving into the hard problems of building for the Fediverse at #Fedicon, starting with hilariously talking about what those hard problems look like to average users 😅
-
@naturzukunft @julian @thisismissem oh, are you going to use Keycloak's built in user database, or are you going to use an adapter to fetch user data from your own database?
@evan @julian @thisismissem which user data to do what ?
-
@naturzukunft @julian @thisismissem oh, sorry. By default, KeyCloak stores all the user data (name, avatar, description, so on) in its own internal PostgreSQL database, and you get an API to ask about and manage users.
The alternative is to add a custom UserStorageProvider class to access your own user storage and map your data to KeyCloak's schema. Applications that already have a user database often do this.
-
@evan @naturzukunft @julian in the wild it's very uncommon to replace Keycloak's user database with something else; most commonly user migrations are performed. I've been involved in several such projects.
-
@evan @julian @thisismissem There is a mapping in the resource server between PreferredUsername and an actor. This is a hack; I had to extend it because Mastodon uses the username as a unique identifier. Without Mastodon support, it would be a mapping between IssuerUserId and Actor. The data for the mapping comes from the JWT token.
But that's beside the point.
-
@thisismissem @julian great, so that's what @naturzukunft can do.
-
@naturzukunft @julian @thisismissem I think your point was that any configuration that requires adding plugins or adapters for KeyCloak is a bad architecture, and you're committed to using KC entirely off-the-shelf.
-
@naturzukunft @evan @julian we have a userinfo endpoint now in mastodon that gives you a unique subject (sub) claim: https://docs.joinmastodon.org/methods/oauth/#userinfo
This is all discoverable via standards that exist in OAuth (with a touch of OIDC language)
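An added example (not code from the thread, Mastodon or Keycloak) showing the two resource-server mappings discussed above: the preferred_username hack versus a key built from the token issuer and the sub claim that the userinfo endpoint now provides. Hostnames, subject values and actor URLs are constructed placeholders.

```python
from typing import Dict, Optional, Tuple

# Stable key the thread calls IssuerUserId: the token issuer plus its subject.
IssuerUserId = Tuple[str, str]

def issuer_user_id(claims: Dict[str, str]) -> IssuerUserId:
    """Build the (iss, sub) key; refuse claims missing either part.

    `iss` and `sub` are assumed to come from an already validated JWT, or from
    the userinfo response combined with the issuer from authorization-server
    metadata. Signature, expiry and audience checks happen before this step.
    """
    for name in ("iss", "sub"):
        if not claims.get(name):
            raise ValueError(f"claim '{name}' is missing or empty")
    return (claims["iss"].rstrip("/"), claims["sub"])

def actor_by_username(mapping: Dict[str, str], claims: Dict[str, str]) -> Optional[str]:
    """Legacy lookup keyed on preferred_username alone.

    This is the hack discussed above: the username is not scoped to an issuer,
    so any authorization server that hands out the same preferred_username
    resolves to the same local actor.
    """
    return mapping.get(claims.get("preferred_username", ""))

def actor_by_issuer_sub(mapping: Dict[IssuerUserId, str],
                        claims: Dict[str, str]) -> Optional[str]:
    """Lookup keyed on (iss, sub); a different issuer never collides."""
    return mapping.get(issuer_user_id(claims))

# Constructed sample data; hosts, subjects and actor URLs are placeholders.
ALICE = "https://social.example/users/alice"
ACTORS_BY_USERNAME: Dict[str, str] = {"alice": ALICE}
ACTORS_BY_ISSUER_SUB: Dict[IssuerUserId, str] = {
    ("https://mastodon.example", "1001"): ALICE,
}
# Claims as a token plus userinfo response from the home server would present them.
MASTODON_CLAIMS = {"iss": "https://mastodon.example", "sub": "1001",
                   "preferred_username": "alice"}
# Same username, issued by a different authorization server.
OTHER_ISSUER_CLAIMS = {"iss": "https://other-idp.example/", "sub": "42",
                       "preferred_username": "alice"}

if __name__ == "__main__":
    print(actor_by_username(ACTORS_BY_USERNAME, OTHER_ISSUER_CLAIMS))    # collides with alice
    print(actor_by_issuer_sub(ACTORS_BY_ISSUER_SUB, OTHER_ISSUER_CLAIMS))  # None
```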
-
@evan @naturzukunft @julian as Client ID Metadata Documents move through the standards process, I would assume keycloak will adopt them and Client ID Prefixes.
-
@evan @naturzukunft @julian but keycloak being able to understand wtf a json-ld document of type Service or Application is? Incredibly unlikely, especially when the contents within aren't even remotely aligned with the IANA registry for Dynamic Client Registration Metadata values.
-
@thisismissem @naturzukunft @julian but they don't work right now, out of the box? I think that doesn't meet his requirements then.
-
@thisismissem @julian sorry, I don't know what you're talking about.
KeyCloak has an extension mechanism and you can use it to retrieve a Client object from somewhere besides the built-in database. But someone needs to write that plugin. @naturzukunft said it wasn't acceptable for him to use any kind of extension or plugin.
Linked post from Evan Prodromou (@evan@cosocial.ca): @julian@community.nodebb.org @naturzukunft@mastodon.social @thisismissem@hachyderm.io A cursory search shows that it's possible to implement a new ClientLookupProvider with KeyCloak extension SPIs. It sounds like a fun project to do; I don't get a lot of chance to write Java code.
-
@thisismissem @naturzukunft @julian hey, that brings up a great point. Does Mastodon support clients using OAuth for accessing the read-only parts of the API (reading an actor, reading an outbox, reading a note)? I've done it with no authentication and with HTTP Signatures but I don't know if you can use OAuth. That would be a huge step in the right direction.
-
@evan @naturzukunft @julian because we're an internet draft in front of the OAuth Working Group at IETF and we're having to balance a dozen different needs and compatibility issues. But we already have adoption in some places (bluesky/AT Proto being one of the most notable adopters)
-
@evan @naturzukunft @julian not for AP, because we don't support anything related to C2S. We could add OAuth support there theoretically, but it's not a priority right now.
-
@thisismissem @naturzukunft @julian right, but the ActivityPub API is not just about posting activities to the `outbox`. It also includes reading all the actors, collections and objects in the Activity Streams 2.0 format.
Anyways, I might look into it and make an issue and PR. If it worked properly, you could do a decent read-only application with the ActivityPub API, without making any commitment to the client-to-server part of the spec. That'd be a nice step forward for the API.
-
@evan @naturzukunft @julian talk to the team first. Doing changes here is not simple.
-
@thisismissem @naturzukunft @julian @MastodonEngineering that was on my agenda.
-
I'm still catching up on this conversation, but I just want to add that this analysis is spot on. Very well said, Julian. Thank you!
I'm collecting a few thoughts on this that won't fit into a toot, so I'll probably post them elsewhere and link back here once I get it together.
-
@julian @naturzukunft FEP/d8c2 is poorly designed and the comments on socialhub show this. It's not how OAuth is meant to work.
We should be using Authorization Server Metadata + Rich Authorization Requests for any OAuth implementation for an ActivityPub API.
Scopes would ultimately be pretty minimal, e.g., profile, offline_access (both OIDC), and maybe like manage:keys for updating signing keys; the rest should probably be RARs.
For discovery, if the Actor object advertises an authentication method of OAuth or OIDC, then look for the authorization server URL and discover all OAuth specifics from there.
For clients, you could do dynamic client registration, but it has drawbacks, so I'd recommend Client ID Metadata Documents.
@thisismissem @julian @naturzukunft is this in a FEP or RFC someplace?
-
@julian @benpate @evan I think FEP-3b86 only really allows for actions that the home server already knows how to carry out; the advantage of FEP-d8c2 is that it allows clients to add functionality of their own; see e.g. Evan's checkin app, which can post geo-tagged activities even via a server which doesn't natively support them.
This is a good point, though I'm not clear how different servers would handle outbox requests for activities that they don't support. I'm pretty sure mine would just die.
My big concern with OAuth tokens is that they require me to give away write access to my Fediverse identity when I "like" or "reply" to something, which could easily be an attack vector.
We talked about scoping OAuth tokens, but it feels like a lot of moving parts. More details later