@aaronpk I've seen that, but haven't yet fully looked at it.. it always looked so... financial related?
@aaronpk that's perhaps fair, though I think OIDC smooths out a lot of OAuth 2.0's rough edges
I started a FEP to define an #OAuth 2.0 profile for the #ActivityPub API (“c2s”):
https://codeberg.org/fediverse/fep/pulls/162
I’d appreciate any feedback or support. I’ve begun implementing this profile, and I think it’s testing out pretty well.
@evan no, I mean, I don't see why it'd make sense to define a custom profile of OAuth 2.0 when OIDC exists and we could just use it?
What does defining a custom profile really give us? Our authentication needs can't be that unique, can they?
@evan so currently all the different fediverse services that implement OAuth implement different bits of specs & don't support discovery of authorization server metadata; additionally, they rarely support PKCE. Dynamic Client Registration is supported, but OIDC Federation would likely be better.
The scopes you define look like they could conflict with existing implementations, and are also not discoverable by the client.