so, a few things. Despite "federation" in the name, OIDC ... • Aaron Parecki

53°F

Emelia 👸🏻 https://hachyderm.io/@thisismissem • Sep 17
@evan so currently all the different fediverse services that implement OAuth implement different bits of specs & don't support discovery of authorization server metadata; additionally, they rarely support PKCE. Dynamic Client Registration is supported, but OIDC Federation would likely be better.
The scopes you define look like they could conflict with existing implementations, and are also not discoverable by the client.

so, a few things. Despite "federation" in the name, OIDC Federation is really not the right thing for this. It's more for a closed ecosystem of independent servers, but is explicitly not made to be open for anyone to join a federation. That's why there are trust anchors and things.

If current implementations don't support PKCE, they really should, because it's only a matter of time before someone takes advantage of the hole that not doing PKCE leaves open for public clients.

Dallas, Texas, USA • 93°F

Tue, Sep 19, 2023 3:39pm -05:00

1 like
- Emelia 👸🏻
Have you written a response to this? Let me know the URL:

Posted in /replies using quill.p3k.io