w3c / activitypub

http://w3c.github.io/activitypub/

Add references about OAuth 2.0 #169

Closed PaulJeong14 closed 7 years ago

PaulJeong14 commented 7 years ago

ActivityPub mentioned OAuth 2.0 in the 4.1 Actor objects section. So, I suggest adding an [RFC6750] mark to the sentence and adding references to the F. References section, like below:

oauthClientAuthorize If OAuth 2.0 bearer tokens [RFC6750] are being used for authenticating client to server interactions, this endpoint specifies a URI at which a browser-authenticated user may obtain a new access token.

[RFC6749] D. Hardt, Ed. IETF. The OAuth 2.0 Authorization Framework. October 2012. Proposed Standard. URL: https://tools.ietf.org/html/rfc6749

[RFC6750] M. Jones; D. Hardt. IETF. The OAuth 2.0 Authorization Framework: Bearer Token Usage. October 2012. Proposed Standard. URL: https://tools.ietf.org/html/rfc6750

cwebber commented 7 years ago

Good call! Doing so now.

autogestion commented 5 years ago

Why is OAuth the recommended way to authorize? Not IndieAuth or JWT? This reference just multiplies sadness, like here: andstatus/andstatus#499

cjslep commented 5 years ago

JWT is a token format. It's not an authorization protocol. The OAuth Bearer Token specification lets you use whatever bearer format deemed necessary, so JWT can be used with OAuth.

OAuth is an authorization protocol that supports delegation. As I understand, IndieAuth wanted stronger authentication guarantees on top of OAuth's authorization ones.

From what I know when ActivityPub was blessed, there wasn't a consensus on authentication and authorization. Since a lot of people build authn and authz protocols on top of OAuth (including IndieAuth), I think the group opted to be less restrictive ("let the community decide") than last-minute-dictatorial ("everyone must buy into IndieAuth").

(This is secondhand knowledge based on my discussions w/ the SocialCG members.)
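The point in the previous comment, that RFC 6750 defines how a bearer token travels while leaving its format open, is easy to see in code. The following example is added here and is not code from the activitypub repository or from any participant in this thread. It parses the `Authorization: Bearer` header per RFC 6750 section 2.1, then resolves the credential either as an opaque token looked up in a server-side store or as an HS256 JWT whose signature and expiry are checked, and returns the RFC 6750 section 3 `WWW-Authenticate` challenge on failure. The token store, the signing key, the actor URIs and the `exp` values are constructed for the demo; the realm name and the `sub`-as-actor convention are assumptions, not anything the ActivityPub spec mandates.

```python
"""Added example (not from w3c/activitypub or any commenter): RFC 6750
bearer transport is format-agnostic, so one header parser serves both an
opaque token and a JWT. All sample tokens, keys and actor URIs are
constructed for the demo."""
import base64
import hashlib
import hmac
import json
import re
import time

# RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token, where
# b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
BEARER_RE = re.compile(r"^Bearer +([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)


def extract_bearer(headers):
    """Return the bearer token carried in an Authorization header, or None."""
    auth = headers.get("Authorization")
    if not auth:
        return None
    match = BEARER_RE.match(auth.strip())
    return match.group(1) if match else None


def b64url_decode(text):
    # JWS uses unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_hs256_jwt(claims, key):
    """Issue a compact-serialized JWS (JWT) signed with HMAC-SHA256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256_jwt(token, key, now):
    """Return the claims if signature and expiry check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, bad UTF-8
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Pin the algorithm: the verifier decides, never the token's own header.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if payload.get("exp", 0) <= now:
        return None
    return payload


def authenticate(headers, token_store, jwt_key, now=None):
    """Map the bearer credential to an actor id.

    Returns (actor, None) on success or (None, www_authenticate_value) on
    failure, following RFC 6750 section 3 for the challenge.
    """
    now = time.time() if now is None else now
    token = extract_bearer(headers)
    if token is None:
        # No credential at all: challenge without an error code.
        return None, 'Bearer realm="activitypub"'
    if token.count(".") == 2:  # shaped like a JWS compact serialization
        claims = verify_hs256_jwt(token, jwt_key, now)
        actor = claims.get("sub") if claims else None  # assumed: sub = actor
        if actor:
            return actor, None
    else:
        entry = token_store.get(token)  # opaque: meaning lives server-side
        if entry and entry["exp"] > now:
            return entry["actor"], None
    return None, 'Bearer realm="activitypub", error="invalid_token"'


if __name__ == "__main__":
    KEY = b"constructed-demo-key-do-not-reuse"
    STORE = {"opaque-abc123": {"actor": "https://example.com/users/alice",
                               "exp": 2_000_000_000}}
    jwt = make_hs256_jwt({"sub": "https://example.com/users/bob",
                          "exp": 2_000_000_000}, KEY)
    for hdrs in ({"Authorization": "Bearer opaque-abc123"},
                 {"Authorization": "Bearer " + jwt},
                 {"Authorization": "Bearer not-issued"},
                 {}):
        print(authenticate(hdrs, STORE, KEY, now=1_700_000_000))
```

The dispatch on token shape is only for illustration; a real server knows which format it issued and would not guess. What the example does show is that the header syntax, the challenge on failure and the expiry check are identical for both formats, and that the JWT path must pin the algorithm and compare signatures in constant time, neither of which RFC 6750 itself has anything to say about.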