
Adopt Pushed Authorization Requests

Open aaronpk opened this issue 3 years ago • 5 comments

Pushed Authorization Requests is still an early OAuth 2.0 draft, but is a good candidate for IndieAuth as well as it provides better overall security.

Instead of first building a URL with the authorization request and redirecting the user's browser to that URL, the first step is to send a POST with the request details to the authorization endpoint, and then redirecting the user's browser to the authorization endpoint with an opaque string returned from the previous step.

aaronpk · Jul 23 '20 22:07
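The two-step flow described in the issue, as an added example that is not part of the original issue or of any IndieAuth implementation: an in-memory model of an authorization endpoint that accepts the pushed request, hands back an opaque `request_uri`, and later resolves it when the browser arrives. The store, the lifetime, and the validated fields are assumptions chosen for illustration; `request_uri` values follow the RFC 9126 `urn:ietf:params:oauth:request_uri:` form.

```python
import secrets
import time
from urllib.parse import urlencode

# Constructed, in-memory model of an IndieAuth authorization endpoint that
# accepts a pushed authorization request (PAR, RFC 9126). Not a real server.
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"
REQUEST_URI_LIFETIME = 60  # seconds; assumed short lifetime for the opaque handle


class AuthorizationEndpoint:
    def __init__(self):
        self._pushed = {}  # request_uri -> (expires_at, params)

    def push(self, params, now=None):
        """Step 1: the client POSTs the full authorization request here (back channel)."""
        now = time.time() if now is None else now
        for field in ("client_id", "redirect_uri", "state", "code_challenge"):
            if not params.get(field):
                raise ValueError(f"invalid_request: missing {field}")
        if "request_uri" in params:
            raise ValueError("invalid_request: request_uri not allowed in a pushed request")
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        self._pushed[request_uri] = (now + REQUEST_URI_LIFETIME, dict(params))
        return {"request_uri": request_uri, "expires_in": REQUEST_URI_LIFETIME}

    def resolve(self, client_id, request_uri, now=None):
        """Step 2: the browser arrives with only client_id + request_uri; recover the request."""
        now = time.time() if now is None else now
        entry = self._pushed.pop(request_uri, None)  # single use: gone after first lookup
        if entry is None:
            raise ValueError("invalid_request: unknown or already-used request_uri")
        expires_at, params = entry
        if now > expires_at:
            raise ValueError("invalid_request: request_uri expired")
        if params["client_id"] != client_id:
            raise ValueError("invalid_request: client_id does not match pushed request")
        return params


def build_redirect(authorization_endpoint_url, client_id, request_uri):
    """URL the client sends the browser to: redirect_uri, state and PKCE stay off the front channel."""
    query = urlencode({"client_id": client_id, "request_uri": request_uri})
    return f"{authorization_endpoint_url}?{query}"
```

Because the handle is single-use and short-lived, a `request_uri` leaked through browser history or a referrer header cannot be replayed, and the request parameters themselves never appear in the redirect URL.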

Removing this from the GitHub milestone for now while we focus on the current open issues we discussed at the popup.

aaronpk · Aug 08 '20 21:08

Leaving this issue open for future discussions.

  • Marginal benefit right now, unless more gets added to the authorization request (e.g. account numbers, identifying or personal information)
  • Premature to adopt any specific OAuth extension draft? Wait instead for https://oauth.xyz/?
  • If we do find that we may want to add things to the authorization request that are "sensitive" then it's worth revisiting this

aaronpk · Aug 22 '20 18:08

I have partially implemented this as part of my new IndieAuth server

(Originally published at: https://www.jvt.me/mf2/2020/12/mlcei/)

jamietanna · Dec 09 '20 12:12

This is now an official spec, RFC 9126

jamietanna · Nov 02 '21 11:11

Planning on adding this to sele.jalcine.dev in its major release. It'll make CLI apps and mobile apps quite a bit easier to craft.

(Originally published at: https://jacky.wtf/2023/11/iQTR)

jalcine · Nov 27 '23 04:11