aaronpk / indielogin.com

Sign in with your domain name
https://indielogin.com
MIT License

Looking to implement IndieAuth and have some questions #119

Closed anderspitman closed 3 months ago

anderspitman commented 3 months ago

I'm looking to implement IndieAuth in obligator (which powers LastLogin), with an eye towards contributing a patch to Rauthy as well. This would give people a couple more options for hosting their own IndieAuth server.

I have a couple questions:

  1. It looks like rel=authorization_endpoint and rel=token_endpoint are deprecated. I'm concerned this forces an additional round trip for fetching the AS metadata, which can cause a significant performance hit, especially for users on native clients with slower internet or low-powered devices. Is there a way to avoid this?

  2. The spec currently recommends that clients provide client information to the AS, including client name and logo. Does trusting this information not open users up to significant security issues? For example, if gooogle.com hosts client data with name "Google" and the actual Google logo, users will be pretty likely to trust the login. If we're supporting logins without requiring client registration (which is a killer feature of IndieAuth IMO), isn't the only information we can trust enough to present to the user the client domain itself? Not fetching the client metadata also saves another round trip. It looks like this is already possible since most of the wording in this section is SHOULDs, and that the AS can choose to simply verify the redirect_uri is on the same domain as the client_id and forego fetching the client data, correct?

anderspitman commented 3 months ago

Whoops, wrong repo, sorry. I opened an issue over on https://github.com/indieweb/indieauth/issues/135