Compatible Relying Parties

[erlend-sh]

Relying Parties is OIDC-speak for web apps.

Requirements.

• OIDC
  • PKCE – Proof Key for Code Exchange by OAuth Public Clients

We are testing for compatibility with the following RP apps:

IndieWeb

• Forgejo
• Linkding
• Miniflux
• OpenGist, pending Implement PKCE for OAuth2 thomiceli/opengist#227
• Linkblocks, pending feat: implement login with google sso (closes #46) raffomania/linkblocks#51
• https://github.com/neodb-social/neodb
• Shiori, pending OIDC support
• Mattermost
• Zulip
• Matrix (Conduit), pending OIDC support
• Memos

Fediverse

• Mastodon, Add support for PKCE Extension in OmniAuth OIDC mastodon/mastodon#31131
• ATproto, 🚧 OAuth2 - Authorization Server bluesky-social/atproto#2482
• Kitsune
• Use part of Solid-OIDC to login activitypods/activitypods#121
• Fedify (??)
• GoToSocial, pending [feature] Implement PKCE for oauth2 superseriousbusiness/gotosocial#2225
• Lemmy, SSO Support LemmyNet/lemmy#4881
• https://newsmast.org/

Alt-web

• https://kinopio.club/
• Supabase
• Glitch
• Val.town
• DEV.to
• GitLab
• Ghost
• https://www.are.na/
• https://neocities.org/
• Obsidian
• Wikipedia
• Proton
• Memos
• Tailscale
• Polar - https://github.com/polarsource/polar/issues/3728
• https://www.indiethinkers.com/
• https://getindie.wiki/

[zicklag]

Just tested Gotosocial. Needs PKCE support like OpenGist: superseriousbusiness/gotosocial#2225.

[ThisIsMissEm]

Do keep in mind that Mastodon does not implement OIDC for API access, but does for SSO; That is, Mastodon is always an OAuth 2 provider / authorization server, however it can be configured to do SSO via OIDC

That is to say, mastodon/mastodon#30329 is probably entirely unrelated to what you're doing here, which seems to be SSO.

[ThisIsMissEm]

So what you'd want for Mastodon SSO to support PKCE is the PKCE configuration options passed to config.omniauth :openid_connect, oidc_options in https://github.com/mastodon/mastodon/blob/e56fb9e4890435ef89b56ef5d1b9a8d0d46ab938/config/initializers/3_omniauth.rb — currently it does not include those options: https://github.com/omniauth/omniauth_openid_connect?tab=readme-ov-file#options-overview