Yep
14.07.2025 18:37 — 👍 3 🔁 0 💬 1 📌 0
@matthieu.bsky.team
Back-end engineer at Bluesky
This is actually a "feature". Since PDS can host HTML Blobs (and thus JS), I wanted to prevent XSS attacks. I think we could reasonably make this configurable though, and allowlist some uris (checked against the referer)
14.07.2025 16:40 — 👍 10 🔁 0 💬 1 📌 0We just relaxed restrictions around redirect uris 😜
07.07.2025 11:32 — 👍 1 🔁 0 💬 0 📌 0Here is an example implementation. See main.tsx to build a client ID for local dev. Then use
client = await BrowserOAuthClient.load({ clientId, allowHttp: true })
Then call client.init(); if that does not return a value, use .restore().
I wish atproto's reference implementation was built using hapijs!
17.06.2025 16:30 — 👍 2 🔁 0 💬 1 📌 0I guess that's what OAuth 2.1 is for
17.06.2025 12:05 — 👍 3 🔁 0 💬 1 📌 0Two types of OAuth client are supported by atproto: "public" and "confidential"
This new article digs into the security trade-offs and safety mechanisms at play, and how they impact different app architectures: TMBs, BFFs, SPAs, etc.
Thank YOU!
10.06.2025 15:29 — 👍 6 🔁 0 💬 1 📌 0Yep, exactly
05.06.2025 16:46 — 👍 2 🔁 0 💬 0 📌 0Large scale apps wouldn't want to bind every single session to a single value (nonce) as this could cause a lot of unhappy users when that value changes. The recommendation is to maintain multiple keys (e.g. one per version of the app) so that only problematic sessions can be revoked.
05.06.2025 15:03 — 👍 3 🔁 0 💬 0 📌 0Yep, a client could totally do that! But you can still have more than 1. The app could request the backend "please use this kid to sign the attestation", and that "kid" can be determined in many different ways (time based, version based, etc.)
05.06.2025 15:01 — 👍 3 🔁 0 💬 1 📌 0We are currently working on making ATProto OAuth easier on devs. This proposal is one of the steps we are taking to make it happen. Stay tuned...
05.06.2025 08:30 — 👍 20 🔁 0 💬 4 📌 0Here is why: If an app/spa gets compromised (XSS, supply chain attack, ...), confidential clients can revoke the private key that was used to authenticate the compromised version of the app, effectively stopping the attack (assuming the "bug" was also fixed). Public clients have no such mechanism.
05.06.2025 08:22 — 👍 8 🔁 0 💬 2 📌 0Yeah you'd probably hit the file size limit for the client metadata document pretty fast if you don't clean up "old" uris.
28.04.2025 10:05 — 👍 4 🔁 0 💬 0 📌 0If there is more than one entry in redirect_uris in the client metadata, the client has to provide the one it wants the AS to use during PAR.
28.04.2025 10:03 — 👍 3 🔁 0 💬 0 📌 0Hey @tom.sherman.is, assuming that we'd lift the "same origin" constraint on redirect_uris, would that be enough to allow Vercel preview apps to work? How would you make sure that the redirect_uris from the (now single) client metadata document contains all the preview apps?
28.04.2025 08:30 — 👍 3 🔁 0 💬 1 📌 0We deliberately chose to add strong constraints to our initial spec so that they could be relaxed without breaking compatibility. The redirect_uris's "same origin" restriction is a good example of a constraint we'd be willing to lift, based on feedback like this one.
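The redirect_uri rules discussed in the three posts above (explicit redirect_uri at PAR when several are registered, exact matching, and the initial "same origin" constraint against the client_id URL that could later be lifted), as an added example that is not atproto's or Bluesky's code. The client metadata objects, the hypothetical Vercel preview URL and the OAuthError class are constructed for the demo.

```javascript
// Constructed demo (not atproto's code) of the AS-side redirect_uri check at PAR
// time. In atproto the client_id is the URL of the client metadata document.
const sameOrigin = (a, b) => new URL(a).origin === new URL(b).origin;

class OAuthError extends Error {
  constructor(code, description) { super(`${code}: ${description}`); this.code = code; }
}

// enforceSameOrigin models the initial constraint; pass false to model lifting it.
function resolveRedirectUri(meta, requested, { enforceSameOrigin = true } = {}) {
  const uris = meta.redirect_uris;
  if (!Array.isArray(uris) || uris.length === 0) {
    throw new OAuthError('invalid_client_metadata', 'redirect_uris must be a non-empty array');
  }
  if (enforceSameOrigin) {
    for (const u of uris) {
      if (!sameOrigin(meta.client_id, u)) {
        throw new OAuthError('invalid_client_metadata', `${u} is not same-origin with client_id`);
      }
    }
  }
  if (requested === undefined) {
    if (uris.length === 1) return uris[0]; // unambiguous: the only registered URI
    throw new OAuthError('invalid_request', 'redirect_uri is required when several are registered');
  }
  // Exact string comparison: no prefix, wildcard or origin-only matching.
  if (!uris.includes(requested)) throw new OAuthError('invalid_request', 'redirect_uri not registered');
  return requested;
}

// Convenience wrapper returning the outcome instead of throwing.
function parRedirectCheck(meta, requested, opts) {
  try { return { ok: true, redirect_uri: resolveRedirectUri(meta, requested, opts) }; }
  catch (e) { return { ok: false, error: e.code ?? 'server_error' }; }
}
```

Even with the same-origin constraint lifted, a preview deployment whose callback is not listed in the single metadata document is still rejected at PAR, which is the problem the second post points at.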
28.04.2025 08:16 — 👍 6 🔁 0 💬 1 📌 0👻
24.04.2025 16:00 — 👍 3 🔁 0 💬 0 📌 0🔥
24.04.2025 15:59 — 👍 2 🔁 0 💬 0 📌 0🥳
24.04.2025 15:59 — 👍 0 🔁 0 💬 0 📌 0💙
24.04.2025 15:59 — 👍 0 🔁 0 💬 0 📌 0It would be awesome if starter packs were automatically created from specific @smokesignal.events ! Like, I'm going to the AHOY! conference next week and I'd love to have an easy way to follow everyone else going.
17.04.2025 10:08 — 👍 25 🔁 1 💬 3 📌 0Excited for the @ahoy.eu conf of next week.
16.04.2025 13:51 — 👍 33 🔁 9 💬 1 📌 0A way you can avoid this, if you are developing a client, is to rely on client authentication. This should give you 30 days of refresh token validity in place of 2.
16.04.2025 13:07 — 👍 4 🔁 0 💬 2 📌 0We are following OAuth 2.1 here:
> The authorization server MUST consider the security implications of interacting with unauthenticated clients and take measures to limit the potential exposure of tokens issued to such clients, (e.g., limiting the lifetime of refresh tokens).
01.04.2025 13:00 — 👍 24 🔁 1 💬 4 📌 0plcfs 🫣
01.04.2025 08:29 — 👍 27 🔁 0 💬 0 📌 1zuck wearing a shirt that says "aut zuck aut nihil"
jay graber, bluesky ceo, wearing a shirt that says "mundus sine caesaribus"
10.03.2025 18:09 — 👍 10333 🔁 1712 💬 155 📌 543It's weird to me that they focus all that energy into new features while Zed is still missing some features that are absolutely needed for its adoption...
14.02.2025 08:04 — 👍 7 🔁 0 💬 1 📌 0🚀 Just released a new version of our TypeScript SDK for Bluesky!
This update brings important improvements to the typings of our data model, making integration smoother and more reliable. Learn a thing or two about Bluesky’s API and the AT Protocol in the blog article we wrote for the occasion.