Consider using OAuth Server Metadata #43
Comments
|
If the new version of IndieAuth is not backwards compatible, I would vote for a major change of the version number and call it 2.0 (https://semver.org/). |
|
Is this expected to be similar to OpenID Connect Discovery? What sort of properties are we thinking would be provided? I would guess:
But is there anything specific we'd want for IndieAuth? Maybe something like whether we support #40? |
|
I don't know enough yet to comment on whether this is needed, but if it is, what about simply |
|
Technically once you add all the OAuth 2.0 extensions on top, OAuth 2.0 isn't even backwards compatible with itself. But in any case, the name isn't super relevant to this discussion. The extension point from OAuth is RFC8414. The two main ones needed are
|
|
Removing this from the GitHub milestone for now while we focus on the current open issues we discussed at the popup. |
|
We should revisit this once we have a backwards-incompatible change we want to make to IndieAuth such as #40 |
|
My IndieAuth server now supports this at {
"authorization_endpoint": "https://indieauth.jvt.me/authorize",
"code_challenge_methods_supported": [
"S256"
],
"grant_types_supported": [
"refresh_token",
"authorization_code"
],
"introspection_endpoint": "https://indieauth.jvt.me/token_info",
"issuer": "https://indieauth.jvt.me",
"response_modes_supported": [
"query"
],
"response_types_supported": [
"code"
],
"scopes_supported": [
"read",
"profile",
"update",
"mute",
"media",
"follow",
"delete",
"notify",
"channels",
"draft",
"undelete",
"create",
"block"
],
"token_endpoint": "https://indieauth.jvt.me/token"
}My profile URL shares: |
|
Note that in #17 we shouldn't use underscores in HTTP headers.
|
|
@jamietanna Can you clarify what "response_modes_supported" means in your example? I am thinking of implementing this but was not sure what other values someone could state. |
|
@capjamesg sorry for the late reply, the For IndieAuth, it's always Just thought I'd add the metadata for it |
|
Thank you for the clarification @jamietanna. |
|
Closing, as this is now adopted by #102. |
Currently IndieAuth clients discover two pieces of information from the user's profile page, the authorization endpoint and token endpoint. As we continue to expand IndieAuth into new use cases (such as automated indieauth between two machines acting on behalf of users), we may need to include additional information to clients.
If IndieAuth 1.1 is not backwards compatible with IndieAuth, (such as if PAR is a requirement), clients will need to know which version is supported in order to know how to behave, and that means either adding another link tag or changing the names of the rel values.
There is an OAuth extension which talks about how to communicate information about an OAuth server to clients by publishing a JSON document at the metadata URL for the server.
We could instead have the IndieAuth client look for just one value in the HTML, the metadata endpoint, and have the client fetch everything else from there. While this does add an HTTP request in the initial setup compared to the current state, it may end up being preferable longer term. (PAR ends up adding a request in the setup too anyway.)
A straw proposal for how this could work is:
<link rel="indieauth_metadata" href="https://indieauth.example.com/metadata.json">(the filename does not need to be standardized since it's discoverable from this link)authorization_endpointandtoken_endpointThe text was updated successfully, but these errors were encountered: