Description
Describe the bug
Discovered an issue supporting older PDSes on mobile and web apps with client-metadata.json files. Basically, older PDSes fail authentication when one of the newer scopes, e.g. "identity:*", is specified BUT the App does not request the scope specifically.

Error: "invalid_client_metadata"
Error_description: "Unsupported scope "identity:*"
To Reproduce
Steps to reproduce the behavior:
- Update the client-metadata.json scope parameter to include a new OAuth scope, e.g. identity:*
- Use an account/handle on an older PDS predating the new scopes, where the App only requests the scopes atproto transition:generic transition:email
- Observe PDS authentication failure:
  Error: "invalid_client_metadata"
  Error_description: "Unsupported scope "identity:*"
Expected behavior
Since scopes are requested by the Mobile/Desktop App during the authentication flow (PAR scope parameter), the scopes in the client-metadata.json should be suggestions, not hard failures. Hard failure should only happen when the Mobile/Desktop App tries to request an invalid scope.

For backward compatibility, PDSes shouldn't care about the newer scopes in the client-metadata.json until an App requests an unsupported scope. This is a big issue for existing deployed Apps that will require updates to their Apps AND for their end-users to install the updated App to continue functioning -- not a great scenario. Understandably, nothing probably can be done about the older PDS code base now, BUT it would be great for PDSes of the future to not introduce breaking changes to existing deployed Apps like the new scopes in client-metadata.json.

A decentralized platform comes with the responsibility and challenge to ensure older and newer versions of software continue to function without end-users needing to update. Imagine if an Apache web server prevented end-users' browsers from functioning. We can't expect that the general end-user population will update their Apps.
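The two validation behaviours contrasted above, as an added illustration that is not code from the PDS or from this issue: a strict check that rejects client metadata containing any scope the PDS does not know, beside the lenient check the report asks for, which only rejects scopes the App actually requests. The supported-scope set and the error-description strings are constructed to match the scenario described here.

```python
"""Illustrative OAuth scope validation for an atproto-style PDS.

Two checks are shown: the strict behaviour reported for older PDSes (any
unknown scope in client-metadata.json fails authentication) and the lenient
behaviour requested in this issue (only scopes the App actually requests in
the PAR request are checked against what the PDS supports).
Added example, not the PDS implementation.
"""

# Constructed: the scopes an older PDS predating the new scopes would know.
OLD_PDS_SCOPES = {"atproto", "transition:generic", "transition:email"}


def parse_scope(scope: str) -> list[str]:
    """Split a space-delimited OAuth scope string into individual scopes."""
    return scope.split()


def validate_request(supported, metadata_scope, requested_scope):
    """Checks common to both behaviours: every requested scope must be
    registered in the client metadata AND supported by this PDS.
    Returns None on success, else an (error, error_description) tuple."""
    registered = set(parse_scope(metadata_scope))
    for s in parse_scope(requested_scope):
        if s not in registered:
            return ("invalid_scope", f'Scope "{s}" not in client metadata')
        if s not in supported:
            return ("invalid_scope", f'Unsupported scope "{s}"')
    return None


def validate_strict(supported, metadata_scope, requested_scope):
    """Behaviour reported for older PDSes: an unknown scope anywhere in the
    client metadata is a hard failure, regardless of what the App requests."""
    for s in parse_scope(metadata_scope):
        if s not in supported:
            return ("invalid_client_metadata", f'Unsupported scope "{s}"')
    return validate_request(supported, metadata_scope, requested_scope)


def validate_lenient(supported, metadata_scope, requested_scope):
    """Behaviour requested in the issue: unknown scopes in client metadata are
    tolerated; only the scopes the App actually requests are validated."""
    return validate_request(supported, metadata_scope, requested_scope)
```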
Details
- Operating system: n/a
- Node version: n/a
Additional context