Okay, my analysis is complete! Here are the core changes to Ktistec required for Mastodon API compatibility:
- PKCE (Proof Key for Code Exchange) must be optional: Because Mastodon makes PKCE optional, clients don't support it, which means other servers can't require it. PKCE (and the `code_challenge` parameter) ensures that an authorization code can only be exchanged by the client that initiated the OAuth request.
- Support for the `client_credentials` grant type: The `client_credentials` grant type is used to grant a client app-level access without requiring user authentication. Mastodon requires this for some of its "public" API endpoints. This necessitates a change to the database schema to allow a `null` account id in the client secrets table.
- Addition of a `created_at` timestamp property: Mastodon requires a non-standard `created_at` property in the body of the `/oauth/token` endpoint response instead of (in addition to) the standard `expires_in` property.
- Support for both form-encoded and JSON request bodies: This isn't a Mastodon requirement per se, but popular clients clearly demand some latitude in what they send.
- WebFinger must accept requests with no `resource` parameter: This is honestly a bug on my part.
- Mastodon-compatible endpoints: A boatload of them. Clients expect many endpoints and don't gracefully degrade if they're not present. Really I should just implement features like pinned posts and bookmarks...
The only thing here that gives me heartburn is that PKCE is not required.
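To make the token-endpoint changes above concrete, here is an added example (written for this page, not Ktistec's Crystal code) of a `/oauth/token` handler that accepts form-encoded or JSON bodies, supports `client_credentials` with a `null` account id, returns `created_at` beside `expires_in`, and treats PKCE as optional while still enforcing it whenever the client started the flow with a `code_challenge`. The in-memory `CLIENTS`, `CODES` and `TOKENS` dicts and the sample client and code are constructed stand-ins for the database tables.

```python
import base64, hashlib, json, secrets, time
from urllib.parse import parse_qs

def s256(verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

# Constructed in-memory state standing in for the client secrets / codes / tokens tables.
CLIENTS = {"app1": "s3cret"}                                 # client_id -> client_secret
CODES = {
    "abc":   {"client_id": "app1", "account_id": 42, "code_challenge": None},
    "pkce1": {"client_id": "app1", "account_id": 42, "code_challenge": s256("constructed-verifier")},
}
TOKENS = {}                                                  # access_token -> record

def parse_body(content_type: str, body: str) -> dict:
    """Accept either a JSON body or a form-encoded body (clients send both)."""
    if content_type.startswith("application/json"):
        return json.loads(body)
    return {k: v[0] for k, v in parse_qs(body).items()}

def issue(client_id: str, account_id, expires_in: int = 7200) -> dict:
    """Mint a bearer token; account_id is None for app-level (client_credentials) tokens."""
    token, now = secrets.token_urlsafe(32), int(time.time())
    TOKENS[token] = {"client_id": client_id, "account_id": account_id, "created_at": now}
    # created_at is the Mastodon-specific extension; expires_in is the RFC 6749 field.
    return {"access_token": token, "token_type": "Bearer",
            "expires_in": expires_in, "created_at": now}

def token_endpoint(content_type: str, body: str):
    """Return (status, response_body) for a POST /oauth/token request."""
    p = parse_body(content_type, body)
    if CLIENTS.get(p.get("client_id")) != p.get("client_secret"):
        return 401, {"error": "invalid_client"}
    grant = p.get("grant_type")
    if grant == "client_credentials":
        return 200, issue(p["client_id"], None)              # no user, null account id
    if grant == "authorization_code":
        code = CODES.pop(p.get("code"), None)                # single use, even on failure
        if code is None or code["client_id"] != p["client_id"]:
            return 400, {"error": "invalid_grant"}
        if code["code_challenge"] is not None:
            # PKCE is optional overall, but a client that sent a challenge must finish it.
            if not secrets.compare_digest(s256(p.get("code_verifier", "")), code["code_challenge"]):
                return 400, {"error": "invalid_grant"}
        return 200, issue(p["client_id"], code["account_id"])
    return 400, {"error": "unsupported_grant_type"}
```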