A minimal reproduction of issues with the aud parameter within the app.bsky.authViewAll permission set

more README

+2 -2
README.md
··· 1 1 # authViewAll aud inconsistency 2 2 3 - Minimal reproduction of a Bluesky authorization-server bug where scope 3 + Minimal reproduction of a bug where scope 4 4 enforcement for RPCs in the `app.bsky.authViewAll` permission set is 5 5 inconsistent: some RPCs are authorized against the service-fragmented aud 6 6 (`did:web:api.bsky.app#bsky_appview`), others against the bare aud ··· 36 36 | `app.bsky.feed.getFeedGenerator` | FAIL | `Missing required scope "rpc:app.bsky.feed.getFeedGenerator?aud=did:web:api.bsky.app"` | 37 37 38 38 Every RPC in the list above is declared in the 39 - [`app.bsky.authViewAll` permission set](https://lexicon.garden/lexicon/did:plc:4v4y5r3lwsbtmsxhile2ljac/app.bsky.authViewAll/llms.txt), 39 + [`app.bsky.authViewAll` permission set](https://lexicon.garden/lexicon/did:plc:4v4y5r3lwsbtmsxhile2ljac/app.bsky.authViewAll), 40 40 which uses `inheritAud: true` — so all of them should be granted at the 41 41 aud we passed to `include:`. The agent also sends 42 42 `atproto-proxy: did:web:api.bsky.app#bsky_appview` on every call, so the
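Review bot: In the first hunk, line 3 now reads only "Minimal reproduction of a bug where scope" and no longer names any component, so the intro does not tell a reader which service is expected to enforce the scope. If the authorization-server attribution was dropped because the cause is unconfirmed, say that explicitly, for example "a bug (responsible component not yet identified) where scope", rather than leaving it unstated.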
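Review bot: In the second hunk, the claim on line 40 that the permission set uses `inheritAud: true` rests entirely on the external lexicon.garden link on line 39, which now targets the rendered page instead of the `llms.txt` text form. Consider quoting the relevant part of the `app.bsky.authViewAll` definition in the README itself, so the expectation that every RPC is granted at the aud passed to `include:` stays checkable if the linked page changes or moves.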