marius @mariusor@metalhead.club
Public

I realized that I dislike the OAuth Client ID Metadata document that's supposed to supersede the Dynamic OAuth Client Registration mechanism:

datatracker.ietf.org/doc/draft

The first complain is that it seems to address only online clients - ie, to be able to determine an attempt at OAuth authorization has a valid client, its ID needs to be a document that's addressable on the web and returns valid metadata.

So offline clients are left to invent some static web metadata storage for themselves, which frankly is not feasible.

1/2

Logo of the IETF

OAuth Client ID Metadata Document

This specification defines a mechanism through which an OAuth client can identify itself to authorization servers, without prior dynamic client registration or other existing registration. This is through the usage of a URL as a client_id in an OAuth flow, where the URL refers to a document containing the necessary client metadata, enabling the authorization server to fetch the metadata about the client as needed.

datatracker.ietf.org · IETF Datatracker

0
0
0

If you have a fediverse account, you can quote this note from your own instance. Search https://metalhead.club/users/mariusor/statuses/115762964340000125 on your instance and quote it. (Note that quoting is not supported in Mastodon.)