2021/Pop-ups/IndieAuth2

From IndieWeb
Jump to: navigation, search


IndieAuth 2 2021 is an IndieWebCamp Pop-ups 2021 session and the 2nd IndieAuth session of 2021..

Summary

At the end of the last IndieAuth protocol session, there was a discussion of following up in a few weeks to finish what we could not. This popup IndieWebCamp session will continue the discussion to iterate and evolve the IndieAuth protocol.

Details

Followup from the previous session

Possible Topics

  • Make IndieAuth token introspection endpoint credentialed, so it is clear that this should only be used by Resource Servers. While there was a consensus on adopting the token introspection endpoint request and response, we did not conclude on authentication.
    • Authentication is likely to be required, but in practice, requires further investigation (see below)
      • Aaron Parecki would like this to be some sort of dynamic client registration / "enrollment" that happens automagically when i.e. setting up a relationship with Aperture
      • Discussion as to whether i.e. Aperture / other shared platforms could lead to needing some out-of-band authentication sharing - follow-up investigation required
      •   Jamie Tanna notes that, while integrating his IndieAuth server with OAuth2 clients, he found that the token_endpoint (not the token introspect endpoint, as mentioned on the call) may require `client_id` to be retrieved from `Authorization: Basic ...`, depending on how they work
      •   Jamie Tanna has implemented this, and integrated this using the Spring Security and rack-oauth2 OAuth2 clients, and allows for using empty authentication (which could then be HTTP Basic Auth)
  • Client Information Discovery improvements.
  • Discuss whether IndieAuth adopt resource indicators(https://github.com/indieweb/indieauth/issues/82) as a notation, and note any specific considerations for IndieAuth. Even though Ticket Auth prompted this, this is not specifically a Ticket Auth issue.
  • Introduce OAuth Server Metadata https://github.com/indieweb/indieauth/issues/43