My vote goes to the alternative and, in my opinion, cleaner approach, "always specify a full service DID in the aud field". I guess the serious (read: actively maintained) atproto services and clients will implement this. Changes are needed either way.
When the bsky app starts using OAuth it will be redirected to bsky.social (or the IDP of your PDS provider) to log in. So if you have a session active it will be reused when you log in with another app using OAuth.
I run into it frequently, will be fixed when the bluesky app OAuth2 support lands
On a Rpi with 500GB ssd at home
Backfill duration was +/- 26h
Mine is 138GB right now
Sounds familiar for atproto people arstechnica.com/security/202...
What does ๐พ mean in this list ?
It was needed because not every request from the social app had an atproto-proxy header, I guess. I removed them from my PDS implementation on Jan 9 and everything still works.
This is indeed, like @threddyrex.org mentioned, the exception you need to implement (until private data lands, I guess).
Requests allowed by the permissions (scopes) a user consented to during the code flow, see atproto.com/specs/permis...
I guess you have unlimited plc replica disk space at your disposal.
Every PDS implementation should implement service proxying and implement a subset of com.atproto.* natively.
The client communicating with a PDS determines which appview it wants to use for the services (RPCs) it needs. In the case of the bluesky social app it's Bluesky's appview; blacksky / eurosky and other atproto clients will use a different value for the atproto-proxy header.
with an added bearer token, see docs.bsky.app/docs/advance...
If an XRPC request (other than com.atproto.*) is coming in, check if it has an atproto-proxy header. If it hasn't, return 400; if it has, check the value (DID) and resolve it, e.g. did:web:api.bsky.app#bsky_appview resolves to a service endpoint api.bsky.app. Proxy the request to that endpoint ..
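Added example, not part of the original posts or of any PDS project's code: the routing decision described in the post above, covering only the header check and DID-to-endpoint step (signing the service auth token is left out). The function names, the dict standing in for a DID resolver, the sample DID document, the https-only endpoint check and the 400 status for resolution failures are assumptions of this sketch.

```python
from urllib.parse import urlsplit

# Constructed DID document for did:web:api.bsky.app (assumed shape, sample data).
SAMPLE_DID_DOCS = {
    "did:web:api.bsky.app": {
        "id": "did:web:api.bsky.app",
        "service": [{"id": "#bsky_appview", "type": "BskyAppView",
                     "serviceEndpoint": "https://api.bsky.app"}],
    },
}

class ProxyError(Exception):
    """Carries the HTTP status the PDS should answer with."""
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status

def parse_proxy_header(value):
    """'did:web:api.bsky.app#bsky_appview' -> (did, '#bsky_appview')."""
    did, sep, fragment = value.strip().partition("#")
    if not sep or not fragment or not did.startswith(("did:web:", "did:plc:")):
        raise ProxyError(400, "malformed atproto-proxy header")
    return did, "#" + fragment

def resolve_service_endpoint(did, service_id, did_docs):
    """Find the named service in the DID document and vet its endpoint."""
    doc = did_docs.get(did)  # hypothetical resolver: a dict lookup, no network
    if doc is None or doc.get("id") != did:
        raise ProxyError(400, "could not resolve DID")
    for svc in doc.get("service", []):
        if svc.get("id") in (service_id, did + service_id):
            url = urlsplit(str(svc.get("serviceEndpoint", "")))
            # Forward only to a bare https origin, so a DID document cannot
            # point the PDS at another scheme, embedded credentials or a path.
            if (url.scheme != "https" or not url.hostname
                    or "@" in url.netloc or url.path not in ("", "/")):
                raise ProxyError(400, "unusable service endpoint")
            return "https://" + url.netloc
    raise ProxyError(400, "service not found in DID document")

def route_xrpc(nsid, headers, did_docs=SAMPLE_DID_DOCS):
    """Return ('local', None) or ('proxy', upstream_url) for an XRPC call."""
    if nsid.startswith("com.atproto."):
        return ("local", None)  # handled natively by the PDS
    names = {k.lower(): v for k, v in headers.items()}
    if "atproto-proxy" not in names:
        raise ProxyError(400, "atproto-proxy header required")
    did, service_id = parse_proxy_header(names["atproto-proxy"])
    base = resolve_service_endpoint(did, service_id, did_docs)
    return ("proxy", f"{base}/xrpc/{nsid}")
```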
You need to proxy every request with an atproto-proxy header, see atproto.com/specs/xrpc#s...
If you want to build a bluesky appview, yes. A PDS doesn't need to implement them; they are proxied to the appview with service authentication, the PDS signs a token which the appview accepts.
Have a look at @hailey.at's PDS (cocoon) for the endpoints she implemented github.com/haileyok/coc... and a subset of this will also work if you skip things like repo portability.
A functional PDS doesn't need to implement all endpoints, a subset of com.atproto.* will do, the rest is proxied to an appview. If you want to build your own bluesky compatible appview, that's something else.
It's there now I see, so I guess some delay in processing.
Confidential clients are not supported by your PDS (auth method private_key_jwt not supported).
Tried some things and it seems to work up to the password screen. The problem with the bluesky/blacksky (and probably other) clients is that they use bluesky's resolve handle endpoint and that returns an HTTP 400 with the handle pds.sgo.to ...
I have a branch with the blacksky OAuth changes applied to the unchanged bsky social-app github.com/wdantuma/soc...
You need to request a crawl (needed every time your PDS has been offline for a while):
curl -v --location 'https://bsky.network/xrpc/com.atproto.sync.requestCrawl' \
--header 'Content-Type: application/json' \
--data '{
"hostname": "pds.sgo.to"
}'
You could prevent this, I think, by salting the record for every consumer (based on their public key) when hydrating the record.
Love the concept, once developed a platform which used the same concept (called provides and consumes) inspired by unix pipes. Biggest hurdle then was the resulting UI/UX, people didn't really understand. Would love to see something similar succeed now.
FedCM is not a replacement for OAuth, it is just a way to skip the need to enter your handle and log in again (supported by the browser), the rest is just the usual OAuth flow, consent is also still needed.
This was the post created here bsky.app/profile/will...
So who builds the blacksky bluesky bridge?