Clarify how `oauthTokenEndpoint` and `oauthAuthorizationEndpoint` are supposed to be used
I note that those implementations whose actor files we collect at https://fedidevs.org/reference/actor/ also specify an `oauthRegistrationEndpoint` value, which is not mentioned in the AP spec.
Have opened a PR to add documentation for this property: https://github.com/w3c/activitypub/pull/417
However, I would really, really, really encourage server implementers to implement the OAuth 2.0 Authorization Server Metadata RFC, instead of relying on these, since this RFC is a standardised discovery mechanism for OAuth 2.0 server information.
There is an open ticket for implementing RFC 8414 in Mastodon: https://github.com/mastodon/mastodon/issues/24099 (there are also related implementation tickets in that thread).
Akkoma adds this: https://docs.akkoma.dev/stable/development/ap_extensions/
So, I don't believe the `oauthRegistrationEndpoint` term is part of the AS2 context nor in the document, so I don't think this is a case for a PR.
I think this is a great test case for the Extensions Policy -- it seems like a natural addition that we could merge smoothly into the main context.
I think the next step for this is to create a FEP.
Another option is to create a FEP for encouraging the use of RFC 8414.
I believe all the `oauth` endpoints should be removed from the spec, given RFC 8414.
https://codeberg.org/fediverse/fep/src/branch/main/fep/d8c2/fep-d8c2.md also has a flow without registration -- the ID is just a URL of an Application document and no client secret.
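Added example (not code from the ActivityPub spec or any server in this thread): it reads the non-standard `oauth*` properties out of an actor's `endpoints` map, derives the RFC 8414 well-known metadata URL for the server's issuer, applies the issuer check RFC 8414 requires before trusting the metadata, and reports whether the two sources agree. The actor and metadata documents are constructed samples; `social.example` and its paths are hypothetical.

```python
import json
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"  # RFC 8414 section 3

# Constructed actor document carrying the oauth* endpoint properties discussed above.
ACTOR_DOC = json.dumps({
    "@context": ["https://www.w3.org/ns/activitystreams"],
    "id": "https://social.example/users/alice",
    "type": "Person",
    "endpoints": {
        "oauthAuthorizationEndpoint": "https://social.example/oauth/authorize",
        "oauthTokenEndpoint": "https://social.example/oauth/token",
        "oauthRegistrationEndpoint": "https://social.example/api/v1/apps",
    },
})

# Constructed RFC 8414 metadata document as the same (hypothetical) server might publish it.
METADATA_DOC = json.dumps({
    "issuer": "https://social.example",
    "authorization_endpoint": "https://social.example/oauth/authorize",
    "token_endpoint": "https://social.example/oauth/token",
    "registration_endpoint": "https://social.example/api/v1/apps",
    "response_types_supported": ["code"],
})

def ap_oauth_endpoints(actor_json: str) -> dict:
    """Collect the oauth* properties from the actor's `endpoints` map (AP extension, not RFC 8414)."""
    endpoints = json.loads(actor_json).get("endpoints", {})
    return {k: v for k, v in endpoints.items() if k.startswith("oauth")}

def rfc8414_metadata_url(issuer: str) -> str:
    """Build the discovery URL per RFC 8414 section 3.1: the well-known suffix is inserted
    between host and path, with any trailing "/" on the issuer path removed first."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    return urlunsplit((parts.scheme, parts.netloc, WELL_KNOWN + parts.path.rstrip("/"), "", ""))

def check_metadata(metadata_json: str, issuer: str) -> dict:
    """Parse the metadata and enforce the section 3.3 rule that `issuer` must equal the
    issuer the client started from, plus the fields required for the code flow."""
    md = json.loads(metadata_json)
    if md.get("issuer") != issuer:
        raise ValueError("issuer mismatch: metadata is not for this server")
    for field in ("authorization_endpoint", "token_endpoint", "response_types_supported"):
        if field not in md:
            raise ValueError(f"metadata missing required field {field}")
    return md

def compare_sources(actor_json: str, metadata_json: str, issuer: str) -> dict:
    """Map each AP property to its RFC 8414 counterpart and report whether they agree."""
    ap, md = ap_oauth_endpoints(actor_json), check_metadata(metadata_json, issuer)
    mapping = {"oauthAuthorizationEndpoint": "authorization_endpoint",
               "oauthTokenEndpoint": "token_endpoint",
               "oauthRegistrationEndpoint": "registration_endpoint"}
    return {ap_key: ap.get(ap_key) == md.get(md_key) for ap_key, md_key in mapping.items()}
```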