WebThingsIO / gateway

WebThings Gateway - a self-hosted web application for monitoring and controlling a building over the web
http://webthings.io/gateway
Mozilla Public License 2.0

Consider supporting OAuth 2.0 Dynamic Client Registration #3144

Open benfrancis opened 3 months ago

benfrancis commented 3 months ago

Currently the gateway has to maintain a hard-coded list of client IDs to identify third-party apps and services which can request access to a gateway via OAuth2. This means that if a new service wants to access gateways we have to manually issue a client ID, add it to this list, and push an update to all gateways.

The IndieAuth specification defines a mechanism which enables authorization servers (i.e. gateways in our case) to dynamically use resolvable URLs hosted by an OAuth2 client (third-party apps and services) as verifiable client IDs, rather than having to manually issue them.

Note that IndieAuth is a Living Standard maintained by the IndieWeb community, not a standards body like the W3C or IETF, and was primarily used to obtain OAuth 2.0 Bearer Tokens for use by Micropub clients, so may not be widely supported.
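An added illustration of the URL-as-client-ID idea in the comment above (not part of the original post and not gateway code): a check an authorization server could run on a URL-style `client_id` before fetching it, following the IndieAuth "Client Identifier" rules. The name `validateClientId`, its return shape, the rejection of whitespace and backslashes, and the policy of never fetching loopback IDs are assumptions of this example.

```javascript
// Added example: validate a URL-style client_id before the server fetches it.
// validateClientId and its return shape are hypothetical names.
function validateClientId(raw) {
  const fail = (reason) => ({ ok: false, fetchable: false, reason });
  if (typeof raw !== 'string') return fail('not a string');
  // Stricter than the spec (assumption): the URL parser strips whitespace and
  // treats "\" as "/", which could hide dot segments from the raw-path check.
  if (/[\s\\]/.test(raw)) return fail('whitespace or backslash not allowed');

  let url;
  try {
    url = new URL(raw);
  } catch {
    return fail('not a valid URL');
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return fail('scheme must be https or http');
  }
  if (url.username || url.password) return fail('userinfo not allowed');
  if (raw.includes('#')) return fail('fragment not allowed');

  // new URL() silently resolves "." and ".." segments, so inspect the
  // path exactly as the client sent it.
  const m = /^https?:\/\/[^/?#]*([^?#]*)/i.exec(raw);
  const rawPath = m ? m[1] : '';
  if (!rawPath.startsWith('/')) return fail('path component required');
  const dotSegment = rawPath
    .split('/')
    .map((s) => s.replace(/%2e/gi, '.'))
    .some((s) => s === '.' || s === '..');
  if (dotSegment) return fail('dot segments not allowed');

  // The URL parser normalises IPv4 forms to dotted decimal and wraps IPv6 in [].
  const host = url.hostname;
  const isIp = host.startsWith('[') || /^\d+\.\d+\.\d+\.\d+$/.test(host);
  const loopback = host === '127.0.0.1' || host === '[::1]' || host === 'localhost';
  if (isIp && !loopback) return fail('IP hosts other than loopback not allowed');

  // Policy assumed here: loopback IDs pass validation but are never fetched.
  return { ok: true, fetchable: !loopback, reason: null };
}
```

This only checks the syntax of the identifier; a domain name that resolves to a private or loopback address still has to be caught when the fetch is made.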

benfrancis commented 3 months ago

See also: RFC 7591 (OAuth 2.0 Dynamic Client Registration Protocol)