Authorization Code Verification Request is malformed

sknebel / AutoAuth

AutoAuth is a WIP extension for IndieAuth without the user being present

13 stars 0 forks source link

Authorization Code Verification Request is malformed #20

Closed fluffy-critter closed 5 years ago

fluffy-critter commented 5 years ago

At this point in the spec: https://github.com/sknebel/AutoAuth/blob/master/AutoAuth.md#authorization-code-verification-request

There seem to be two errors, relative to what IndieAuth providers expect:

callback_url should be redirect_uri
client_id is required

This is at least the case on all of the IndieAuth endpoints I've tried against (namely SelfAuth and commentpara.de).

sknebel commented 5 years ago

This needs to verify the data included in the Token request. there is no redirect_url due to the lack of a a browser in the flow for which this would be appropriate, so no redirect_uri can be checked here.

Client ID could be added if there's good reasons to do so, but I'm not sure it's needed.

fluffy-critter commented 5 years ago

Does this require the addition of callback_url to IndieAuth authorization endpoints, then? I was under the impression that this specification was intended to work with the existing IndieAuth infrastructure.

fluffy-critter commented 5 years ago

For reference, I use SelfAuth as my auth_endpoint, with its source at https://github.com/Inklings-io/selfauth/blob/master/index.php and here's the token_endpoint built into Publ: https://github.com/PlaidWeb/Publ/blob/f1baa08baa2e1bc7cf771b35ec457fc3784f7aea/publ/tokens.py#L22

fluffy-critter commented 5 years ago

Resolved via discussion, tl;dr form starts at https://chat.indieweb.org/dev/2019-10-30#t1572457299643200 - will continue discussion in #18