Support OAuth permission-set Lexicon type and granular scopes #29

Closed
opened 2026-04-12 17:30:02 +00:00 by Grandiras · 0 comments
Owner

Summary

The AT Protocol is introducing an OAuth permission/scopes system using permission-set Lexicon definitions. ATProto.NET should support these granular permissions for proper OAuth authorization.

Spec Reference

The Permissions specification (https://atproto.com/specs/permission) defines:

Permission types

  • repo - Access to repository record collections (create/read/update/delete)
  • rpc - Access to specific XRPC endpoints
  • blob - Blob upload permissions (with MIME type constraints)
  • account - Account management (email, password)
  • identity - Identity management (handle changes)
  • include - Include another permission set

Permission Set Lexicon type

{
  "type": "permission-set",
  "title": "...",
  "detail": "...",
  "permissions": [...]
}

What's needed

  1. Permission-set parsing - Parse permission-set definitions from Lexicons
  2. Scope string generation - Build OAuth scope strings from permission sets:
    • include:app.bsky.authFullApp
    • repo:app.bsky.feed.post?action=create
    • rpc:app.bsky.video.uploadVideo
    • blob?accept=image/*
  3. Scope validation - Validate requested scopes against available permission sets
  4. Update AtProtoScopes builder - Extend the existing scope builder to support permission-set references
  5. Code generation support - Generate permission set constants from Lexicon definitions
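As an added example (not ATProto.NET code and not from the issue author), the following Python sketch walks through items 1 to 3 above: it parses permission-set Lexicons, flattens them into OAuth scope strings of the form shown in the list (`repo:...?action=...`, `rpc:...`, `blob?accept=...`), expands `include:` references, and checks a requested scope list against a granted one. The two Lexicons are constructed for the example; the field names inside `permissions` (`resource`, `collection`, `action`, `lxm`, `accept`, `ref`), the "no action means every action" rule, and the coverage rule in `covers` are assumptions made here, not taken from the issue or the spec text it links.

```python
"""Added example, not ATProto.NET code: build AT Protocol OAuth scope strings
from permission-set Lexicons and check requested scopes against them."""
from urllib.parse import parse_qsl, urlencode

# Constructed permission-set Lexicons for the example. The shape of the items
# in "permissions" (resource / collection / action / lxm / accept / ref) is an
# assumption made here, not something the issue above specifies.
LEXICONS = {
    "app.bsky.authFullApp": {
        "type": "permission-set",
        "title": "Example full-app set",
        "detail": "Post, upload video, upload images",
        "permissions": [
            {"resource": "repo", "collection": ["app.bsky.feed.post"],
             "action": ["create", "delete"]},
            {"resource": "rpc", "lxm": ["app.bsky.video.uploadVideo"]},
            {"resource": "blob", "accept": ["image/*"]},
        ],
    },
    "com.example.authBundle": {
        "type": "permission-set",
        "title": "Example bundle",
        "detail": "Includes the full-app set and adds one RPC",
        "permissions": [
            {"resource": "include", "ref": "app.bsky.authFullApp"},
            {"resource": "rpc", "lxm": ["com.example.ping"]},
        ],
    },
}


def parse_scope(scope):
    """Split 'resource[:name][?k=v...]' into (resource, name or None, params)."""
    head, _, query = scope.partition("?")
    resource, _, name = head.partition(":")
    if not resource:
        raise ValueError(f"empty resource in scope {scope!r}")
    return resource, (name or None), dict(parse_qsl(query, keep_blank_values=True))


def format_scope(resource, name=None, params=None):
    """Inverse of parse_scope; params are sorted so the output is canonical."""
    out = resource if name is None else f"{resource}:{name}"
    if params:
        out += "?" + urlencode(sorted(params.items()), safe="/*")
    return out


def build_scopes(set_nsid, lexicons=LEXICONS, _stack=()):
    """Flatten a permission set into scope strings, following include refs."""
    if set_nsid in _stack:  # guard against include cycles between sets
        raise ValueError(f"include cycle: {' -> '.join(_stack + (set_nsid,))}")
    doc = lexicons[set_nsid]
    if doc.get("type") != "permission-set":
        raise ValueError(f"{set_nsid} is not a permission-set Lexicon")
    scopes = []
    for perm in doc["permissions"]:
        res = perm["resource"]
        if res == "include":
            scopes += build_scopes(perm["ref"], lexicons, _stack + (set_nsid,))
        elif res == "repo":
            for coll in perm["collection"]:
                # Assumed: no "action" list means every action on the collection.
                for action in perm.get("action") or [None]:
                    scopes.append(format_scope("repo", coll, {"action": action} if action else None))
        elif res == "rpc":
            scopes += [format_scope("rpc", lxm) for lxm in perm["lxm"]]
        elif res == "blob":
            scopes += [format_scope("blob", None, {"accept": a}) for a in perm["accept"]]
        elif res in ("account", "identity"):
            scopes.append(format_scope(res))
        else:
            raise ValueError(f"unknown permission resource {res!r}")
    return scopes


def expand(scopes, lexicons=LEXICONS):
    """Replace 'include:<nsid>' entries with the scopes of that set."""
    flat = []
    for s in scopes:
        res, name, _ = parse_scope(s)
        flat += build_scopes(name, lexicons) if res == "include" else [s]
    return flat


def covers(granted, requested):
    """Assumed rule: same resource and name, and every parameter the granted
    scope fixes must match exactly; a granted scope with no parameters is broad.
    MIME wildcards in blob accept values are compared literally, not matched."""
    g_res, g_name, g_params = parse_scope(granted)
    r_res, r_name, r_params = parse_scope(requested)
    if (g_res, g_name) != (r_res, r_name):
        return False
    return all(r_params.get(k) == v for k, v in g_params.items())


def validate_scopes(requested, granted, lexicons=LEXICONS):
    """Return the requested scopes (after include expansion) that nothing in the
    granted set covers; an empty list means the request is acceptable."""
    granted_flat = expand(granted, lexicons)
    return [r for r in expand(requested, lexicons)
            if not any(covers(g, r) for g in granted_flat)]


if __name__ == "__main__":
    print(build_scopes("com.example.authBundle"))
    print(validate_scopes(["repo:app.bsky.feed.post?action=update", "blob?accept=image/*"],
                          ["include:app.bsky.authFullApp"]))
```

The expansion step is where an `include` that references an unknown or self-referencing set would otherwise loop or fail silently, so `build_scopes` raises on both; a real implementation in ATProto.NET would additionally want to reject unknown query parameters and enforce whatever wildcard rules the spec settles on for `accept`.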

Context

Permission sets are being actively rolled out (see proposal: https://github.com/bluesky-social/proposals/tree/main/0011-auth-scopes). Initial sets cover app.bsky.*, chat.bsky.*, and tools.ozone.* namespaces.
