indieauth
indieauth copied to clipboard
indieweb
IndieAuth Specification
Per https://indieauth.spec.indieweb.org/#client-identifier: >Client identifier URLs MUST have either an https or http scheme But the spec does not discourage the latter, nor whether the server may reject the latter, and...
This is the result of a conversation @gRegorLove and I had at IWC SD 2023 today. In my implementation, I take the me property of the access token response and...
In [4.2.1](https://indieauth.spec.indieweb.org/#application-information) it is implicit that the `application` is a web application. This should be re-written to take into account that there are device-based applications too.
Amend the specification, per #127 discussion for an extension, to note that due to the fact the issuer URL MUST have the metadata header for discovery purposes.
Similar to Micropub, the specification should link to where proposed extensions to IndieAuth may be cited...such as supporting oauth2 extensions and the differences needed to implement them in an IndieAuth...
[Pushed Authorization Requests](https://oauth.net/2/pushed-authorization-requests/) is still an early OAuth 2.0 draft, but is a good candidate for IndieAuth as well as it provides better overall security. Instead of first building a...
[Section 4.2.2](https://indieauth.spec.indieweb.org/#redirect-url) says: >If a client wishes to use a redirect URL that has a different host than their client_id, or if the redirect URL uses a custom scheme (such...
add per [RFC8628](https://datatracker.ietf.org/doc/html/rfc8628)
In IndieAuth, [Access Token Verification](https://indieauth.spec.indieweb.org/#access-token-verification) is the alternative to Token Introspection. Both are meant as ways for resource servers that are not integrated with the token endpoint to be able...
