deep dive into the oauth RFCs this morning ☕
Discussion
Loading...
I found and filed a bug in Pleroma Dynamic Client Registration code
Hacked away at C2S authorization in Fedbox with @mariusor 💪
and just discovered @evan lovely oauth decision tree diagram
https://github.com/swicg/activitypub-api/issues/1#issuecomment-3708524521
@django the part I'm not sure of is the protected resource metadata. I think that's what you use to use SaaS authorization like Okta or Auth0, or if you use a separate server like Keycloak. So, it doesn't assume that the API server is the authorization server.
@evan I see what you mean, I hadn’t considered a fedi server using a saas for auth.
@evan there doesn't seem to be anything in rfc8414 that prevents a redirect to a different auth server.
I suppose the response could also be hardcoded remote urls for `registration_endpoint`, `authorization_endpoint` and `token_endpoint`
ditto for the actor.endpoints
@evan it seems like the `issuer` field of rfc8414 and the `iss` field of rfc9207 are for this type of use-case
I found and filed a bug in Pleroma Dynamic Client Registration code