2021/Pop-ups/IndieAuth

IndieAuth 2021 was an IndieWebCamp Pop-ups 2021 session held 2021-08-28.


 * Video:

Summary
It's been a year since the last IndieAuth protocol session. This pop-up IndieWebCamp session will focus on discussions to iterate on and evolve the IndieAuth protocol.

Details

 * facilitators:
 * Date: 2021-08-28
 * Time: 11:00 Pacific
 * event: https://events.indieweb.org/2021/08/indieauth-popup-session-8gwaJpICmh79
 * hashtag: #indieauth
 * Notes archived from: https://etherpad.indieweb.org/2021-08-indieauth-popup

Possible Topics

 * Client Information Discovery improvements.
 * Should this solely rely on Microformats? https://github.com/indieweb/indieauth/issues/23
 * What should be displayed if no app info is discovered? https://github.com/indieweb/indieauth/issues/64. #23 suggests other fields that might be relevant, such as the icon and name from the page.
 * Discuss whether IndieAuth should adopt resource indicators (https://github.com/indieweb/indieauth/issues/82) as a notation, and note any specific considerations for IndieAuth. Even though Ticket Auth prompted this, this is not specifically a Ticket Auth issue.
 * Should Ticket Auth, as an IndieAuth extension, be discussed at this event? If so...
 * Proposal to support the optional extension action=ticket to a token endpoint related to Ticket Auth. https://github.com/indieweb/indieauth/issues/87
 * Introduce OAuth Server Metadata https://github.com/indieweb/indieauth/issues/43

Discussed

 * Adding editorial notations to the spec regarding token lifetime, expiration and refresh tokens, to reference the OAuth2 specifications on this, and any specific considerations for IndieAuth. https://github.com/indieweb/indieauth/issues/81
 * Deprecate / remove the IndieAuth token verify endpoint, requiring IndieAuth servers to align with RFC 7662 for OAuth2 Token Introspection
 * Make IndieAuth token verify endpoint credentialed, so it is clear that this should only be used by Resource Servers
 * Clarification on issuing tokens with only profile scopes. https://github.com/indieweb/indieauth/issues/62
 * Allow clients to always exchange authorization codes at the token endpoint https://github.com/indieweb/indieauth/issues/58