indieweb / indieauth

IndieAuth.net website code and IndieAuth Specification

Do we need to add client_id to ticket auth requests? #85

Open aaronpk opened 3 years ago

dshanske commented 3 years ago

I would think not as you are offering it to the site. Now, what we could do is add that to the ticket grant type to the token endpoint, so you could request that the ticket be issued and limited to a specific client.

Zegnat commented 3 years ago

My backend currently stores the discovered ticket_endpoint as the client_id on issued tokens. This value can be retrieved through token verification. (Maybe, unless I broke something there.)

This gives some of the same benefits as I would otherwise have from a client_id. E.g.: if a client goes rogue I can revoke all tokens ever issued to it, now if a ticket endpoint goes rogue I can do the same.

dshanske commented 8 months ago

I've tried to address this by adding the notation about the grant_type supporting client_id, so the ticket endpoint, when redeeming, can opt to limit it to a specific client_id at that point.
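To make the two approaches above concrete, here is an added example (not code from the indieauth repository or from any participant in this thread) of a toy token endpoint that redeems a ticket. It follows Zegnat's scheme of recording the discovered ticket_endpoint as the token's client_id, and the optional client_id parameter on the ticket grant type that dshanske describes, so a redeeming ticket endpoint can bind the resulting token to one specific client. The class and method names, the in-memory stores, and the form field name `ticket` for the ticket value are assumptions made for the example; the example URLs are constructed. Because every issued token carries a client_id, a single call can revoke everything issued to a ticket endpoint (or client) that later goes rogue.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class IssuedToken:
    access_token: str
    me: str
    scope: str
    ticket_endpoint: str   # endpoint the ticket was delivered to (discovered from `me`)
    client_id: str         # party the token is bound to; defaults to ticket_endpoint
    issued_at: float
    revoked: bool = False


class TokenEndpoint:
    """Toy token endpoint handling grant_type=ticket redemption (example only)."""

    def __init__(self) -> None:
        self._pending: dict = {}   # unredeemed tickets -> offer details (assumed store)
        self._tokens: dict = {}    # access_token -> IssuedToken

    def offer_ticket(self, me: str, scope: str, ticket_endpoint: str) -> str:
        """Record a ticket the server has delivered to a discovered ticket_endpoint."""
        ticket = secrets.token_urlsafe(24)
        self._pending[ticket] = {"me": me, "scope": scope, "ticket_endpoint": ticket_endpoint}
        return ticket

    def redeem(self, form: dict) -> dict:
        """Handle a POST to the token endpoint with grant_type=ticket."""
        if form.get("grant_type") != "ticket":
            return {"error": "unsupported_grant_type"}
        # Tickets are single use: pop removes it whether or not issuance succeeds.
        pending = self._pending.pop(form.get("ticket", ""), None)
        if pending is None:
            return {"error": "invalid_grant"}
        # Bind the token to the client_id the redeemer asked for; otherwise fall back
        # to the ticket_endpoint, so every token is attributable to some party.
        client_id = form.get("client_id") or pending["ticket_endpoint"]
        token = IssuedToken(
            access_token=secrets.token_urlsafe(32),
            me=pending["me"],
            scope=pending["scope"],
            ticket_endpoint=pending["ticket_endpoint"],
            client_id=client_id,
            issued_at=time.time(),
        )
        self._tokens[token.access_token] = token
        return {
            "access_token": token.access_token,
            "token_type": "Bearer",
            "me": token.me,
            "scope": token.scope,
            "client_id": token.client_id,
        }

    def verify(self, access_token: str) -> Optional[dict]:
        """Token verification: the binding info, or None for unknown or revoked tokens."""
        token = self._tokens.get(access_token)
        if token is None or token.revoked:
            return None
        return {
            "me": token.me,
            "scope": token.scope,
            "client_id": token.client_id,
            "ticket_endpoint": token.ticket_endpoint,
        }

    def revoke_all_for_client(self, client_id: str) -> int:
        """Revoke every live token bound to client_id (e.g. a ticket endpoint gone rogue)."""
        count = 0
        for token in self._tokens.values():
            if token.client_id == client_id and not token.revoked:
                token.revoked = True
                count += 1
        return count
```

A redemption without client_id yields a token whose client_id is the ticket_endpoint, which is exactly what makes the later `revoke_all_for_client(ticket_endpoint)` sweep possible; a redemption that supplies client_id instead narrows the token to that client and is untouched by a revocation aimed at the endpoint.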