Support .well-known/oauth-authorization-server from RFC 8414

[saschanaz]

Pitch

Implement .well-known/oauth-authorization-server as a way to tell the clients about the OAuth server configuration e.g. about the URLs of endpoints. https://datatracker.ietf.org/doc/html/rfc8414

Motivation

A client software may want to support various other server software in addition to Mastodon, and in that case it's easier to have metadata endpoint for the server configuration so that it doesn't have to manage the hardcoded list of configurations for each.

[saschanaz]

Mastodon uses Doorkeeper and it's supported there: doorkeeper-gem/doorkeeper-openid_connect#152

(See also https://gitlab.com/gitlab-org/gitlab/-/issues/233956 which made that happen)

[ThisIsMissEm]

Specifically a reference implementation is at: https://github.com/doorkeeper-gem/doorkeeper-openid_connect/blob/master/app/controllers/doorkeeper/openid_connect/discovery_controller.rb

But we wouldn't necessarily want to use doorkeeper-openid_connect, as Mastodon is only a OAuth 2.0 provider, not an OIDC provider.

[ThisIsMissEm]

I've offered to implement this in doorkeeper, but haven't received a reply: doorkeeper-gem/doorkeeper#1587

[ThisIsMissEm]

Okay, given that I've received no response from the Doorkeeper team in 2 months, and the sheer amount having this implemented would make it easier to develop API consuming applications that request the lowest scopes of data possible, I think the path forwards would be to just implement this API endpoint directly in the mastodon codebase, based on the code from this comment: #24099 (comment)

[ThisIsMissEm]

@saschanaz this can be closed as completed as of 4.3, since #29191 has landed for that release.

[saschanaz]

Nice, I can confirm it's supported now 👍