Adopt Pushed Authorization Requests #40

Open
aaronpk opened this issue Jul 23, 2020 · 5 comments

Comments

@aaronpk
Member

aaronpk commented Jul 23, 2020

Pushed Authorization Requests is still an early OAuth 2.0 draft, but is a good candidate for IndieAuth as well, as it provides better overall security.

Instead of first building a URL with the authorization request and redirecting the user's browser to that URL, the first step is to send a POST with the request details to the authorization endpoint, and then redirect the user's browser to the authorization endpoint with an opaque string returned from the previous step.
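The two-step flow described in the comment above, as an added sketch that is not part of the issue thread or of any IndieAuth implementation: the server side stores the pushed parameters and hands back a single-use, client-bound reference, and the client side builds the browser redirect from that reference alone. The class and function names, the in-memory store, the required-parameter list and the example.* URLs are assumptions; the `request_uri` / `expires_in` response fields and the URN form follow RFC 9126.

```python
import secrets
import time
from urllib.parse import urlencode

URN_PREFIX = "urn:ietf:params:oauth:request_uri:"  # form used in RFC 9126 examples


class PushedRequestStore:
    """Hypothetical in-memory store for pushed authorization requests."""

    def __init__(self, lifetime=60, clock=time.monotonic):
        self.lifetime = lifetime
        self.clock = clock
        self._pending = {}

    def push(self, params):
        """Back-channel POST: validate, store, return the opaque reference."""
        if "request_uri" in params:
            raise ValueError("request_uri is not allowed in a pushed request")
        # Assumed minimum for an IndieAuth-style request with PKCE.
        for required in ("client_id", "redirect_uri", "response_type", "code_challenge"):
            if required not in params:
                raise ValueError(f"missing parameter: {required}")
        request_uri = URN_PREFIX + secrets.token_urlsafe(32)
        self._pending[request_uri] = (dict(params), self.clock() + self.lifetime)
        return {"request_uri": request_uri, "expires_in": self.lifetime}

    def redeem(self, client_id, request_uri):
        """Browser redirect arrives: the reference is single-use and client-bound."""
        entry = self._pending.pop(request_uri, None)  # pop so a replay fails
        if entry is None:
            raise LookupError("unknown or already used request_uri")
        params, expires_at = entry
        if self.clock() > expires_at:
            raise LookupError("request_uri expired")
        if params["client_id"] != client_id:
            raise PermissionError("request_uri was issued to a different client")
        return params


def authorization_redirect(authorization_endpoint, client_id, pushed_response):
    """Client side: only client_id and the reference travel through the browser."""
    query = urlencode({"client_id": client_id,
                       "request_uri": pushed_response["request_uri"]})
    return f"{authorization_endpoint}?{query}"
```

Scope, redirect URI and PKCE challenge never appear in the front-channel URL, so they cannot be altered in the browser or leak through history and referrer headers.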

@aaronpk
Member Author

aaronpk commented Aug 8, 2020

Removing this from the GitHub milestone for now while we focus on the current open issues we discussed at the popup.

@aaronpk aaronpk removed this from the IndieAuth.next milestone Aug 8, 2020
@aaronpk aaronpk added this to the IndieAuth.next milestone Aug 22, 2020

@aaronpk
Member Author

aaronpk commented Aug 22, 2020

Leaving this issue open for future discussions.

  • Marginal benefit right now, unless more gets added to the authorization request (e.g. account numbers, identifying or personal information)
  • Premature to adopt any specific OAuth extension draft?
    • Wait instead for https://oauth.xyz/?
  • If we do find that we may want to add things to the authorization request that are "sensitive" then it's worth revisiting this

@aaronpk aaronpk removed this from the IndieAuth.next milestone Aug 22, 2020

@jamietanna
Contributor

I have partially implemented this as part of my new IndieAuth server

(Originally published at: https://www.jvt.me/mf2/2020/12/mlcei/)

@jamietanna
Contributor

This is now an official spec, RFC9126

@jalcine

jalcine commented Nov 27, 2023

Planning on adding this to sele.jalcine.dev in its major release. It'll make CLI apps and mobile apps quite a bit easier to craft.

(Originally published at: https://jacky.wtf/2023/11/iQTR)
