
Seemingly grant_type=password no longer supported for ver 4.4.0 #387

Open
mike-enker opened this issue Nov 8, 2024 · 5 comments

Comments

@mike-enker
Copy link

Needs to change to grant_type=client_credentials.

There might be more issues with the release compatibility...

@mike-enker
Copy link
Author

Looks like v4.4.0 no longer supports the basic authentication and posting order flow. One needs to create an application in the Web UI (Preferences/Development). The resulting Application will have the access token that one can use for
from mastodon import Mastodon  # Mastodon.py client class

mastodon = Mastodon(api_base_url='https://mastodon.social/')
# Token copied from the application created under Preferences/Development
mastodon.access_token = 'hgfhgfhgfhgfhgfhgfh'

Then toot away!

@andypiper
Copy link
Contributor

This is correct, we are moving away from allowing apps to provide a username and password on API calls in v4.4 and beyond. This is not as secure as the OAuth tokens.

@ThisIsMissEm
Copy link

ThisIsMissEm commented Nov 13, 2024

You can also discover if this grant type is supported via the /.well-known/oauth-authorization-server endpoint on the server, see: https://docs.joinmastodon.org/methods/oauth/#authorization-server-metadata

It's been removed because it's been regarded as highly insecure for a long time and is actually completely removed in the upcoming OAuth 2.1 internet draft.

Whilst you could use client_credentials, if you're doing anything on behalf of a user you'll want the authorization_code setup, or, as mentioned above, a static out-of-band provisioned personal access token for an OAuth Application.
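As an added illustration of the discovery step above (this is example code, not part of the thread or of Mastodon.py), the following reads RFC 8414 authorization server metadata, as served from /.well-known/oauth-authorization-server, and picks a grant type from what the server actually advertises instead of assuming the password grant still exists. The metadata document is constructed for the example and the hostname is a placeholder.

```python
import json
import urllib.request

# Constructed sample of the metadata a 4.4-era server might return; field
# names follow RFC 8414. The host is a placeholder, not a real instance.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://example.social/",
    "authorization_endpoint": "https://example.social/oauth/authorize",
    "token_endpoint": "https://example.social/oauth/token",
    "grant_types_supported": ["authorization_code", "client_credentials", "refresh_token"],
    "code_challenge_methods_supported": ["S256"],
})

# Grant types a client must assume when the server omits grant_types_supported
# (RFC 8414, section 2).
DEFAULT_GRANTS = ("authorization_code", "implicit")


def fetch_metadata(api_base_url: str, timeout: float = 10.0) -> str:
    """Download the metadata document (network; not used by the offline demo)."""
    url = api_base_url.rstrip("/") + "/.well-known/oauth-authorization-server"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def supported_grant_types(metadata_json: str) -> set:
    """Return the set of grant types the server advertises."""
    meta = json.loads(metadata_json)
    return set(meta.get("grant_types_supported", DEFAULT_GRANTS))


def choose_flow(metadata_json: str, acting_for_user: bool) -> str:
    """Pick the grant to use, preferring the flows the thread recommends.

    For user-level actions: authorization_code, falling back to the legacy
    password grant only if the server still advertises it. Otherwise an
    out-of-band personal access token is the remaining option, signalled
    by raising. For app-only actions: client_credentials.
    """
    grants = supported_grant_types(metadata_json)
    if acting_for_user:
        if "authorization_code" in grants:
            return "authorization_code"
        if "password" in grants:
            return "password"
        raise RuntimeError("no user-level grant advertised; use a personal access token")
    if "client_credentials" in grants:
        return "client_credentials"
    raise RuntimeError("no app-level grant advertised")
```

Run `choose_flow(fetch_metadata(base_url), True)` against a live instance to see which flow it will accept before wiring up Mastodon.py's login helpers.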

@halcy
Copy link
Owner

halcy commented Dec 1, 2024

I believe we already fully support the OAuth flow as it is (with infinitely persistable token / no refresh). Not sure there is any need to try to support the client credential to client-only access token flow, but probably not - actions can already be performed on behalf of a client by just passing client_id and client_secret directly, and the entire "managing client IDs" part is kind of vestigial (since fully automated by necessity) for fedi servers anyways, what matters is getting the user access token.

TODOs here I think are adjusting docs to note deprecation of the u/pw flow, adjusting sample code where needed, and apologizing to downstream users for the breaking change.

@ThisIsMissEm
Copy link

There are some use-cases in the future that may exist for actual client_credentials grant type, but generally it's not the one you want for most mastodon APIs. You almost always want either a Personal Access Token (provisioned from the Development menu and tied to your specific account) or using authorization code grant flow for multiple user applications.

We may also in the future support Device Code Authorization Grant Flow for devices with limited input (e.g., IoT / TVs / Retrocomputers), but that's still being figured out since we can't implement it straight away.
