Aaron Parecki
aaronpk.com
@aaronpk.com
#OAuth #IndieWeb
I don't know anything about the protocol but if they support the same OAuth spec as ATProto and same user ID discovery it would work
October 15, 2025 at 6:36 PM
even with all the emoji? lol
October 12, 2025 at 10:47 PM
👍👍
October 11, 2025 at 11:08 PM
The dots that Solid OIDC connected were to specifically use the RFC7591 vocabulary in a JSON doc at the client ID URL, whereas IndieAuth originally parsed the metadata from HTML, and OpenID Federation nests the metadata inside an "Entity Statement" JSON wrapper.
October 11, 2025 at 10:59 PM
I mean it was a big mix of things really. Most recently the JSON document idea came from there, but "client IDs as URLs" has been part of IndieAuth since 2015 web.archive.org/web/20150315... and OpenID Federation since 2016 openid.net/specs/openid...
October 11, 2025 at 10:55 PM
Yeah I definitely went hard mode by writing everything from scratch (except the JWT signing). Partly because I wanted to see what it actually takes to implement a library, partly because I can't stand the current state of most languages' package management 😅
October 11, 2025 at 9:05 PM
The folks at Stytch put together a really nice explainer website about it too! cimd.dev
CIMD - OAuth Client ID Metadata Documents
Learn about Client ID Metadata Documents (CIMD) - a new OAuth approach that lets clients identify themselves using URLs instead of preregistration. Presented by Stytch.
cimd.dev
October 11, 2025 at 4:27 PM
This could replace Dynamic Client Registration in MCP, dramatically simplifying management of clients, as well as enabling servers to limit access to specific clients if they want.
October 11, 2025 at 4:27 PM
The recent surge in interest in MCP has further demonstrated the need for this to be a standardized mechanism, and was the main driver in the latest round of discussion for the document!
October 11, 2025 at 4:27 PM
The mechanism of clients identifying themselves as a URL has been in use in IndieAuth for over a decade, and more recently has been adopted by Bluesky for their OAuth API.
October 11, 2025 at 4:27 PM
Clients identify themselves with their own URL, and host their metadata (name, logo, redirect URL) in a JSON document at that URL. They then use that URL as the client_id to introduce themselves to an authorization server for the first time.
October 11, 2025 at 4:27 PM
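As an added example (not the author's code, and not taken from any of the specs mentioned in the thread), here is how an authorization server might sanity-check a client_id URL and the metadata document fetched from it before trusting the name, logo and redirect URIs it declares. The URL rules and field names are assumptions modelled on the IndieAuth and CIMD approach, and the sample document is constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the document a client would host at its client_id URL.
CLIENT_ID = "https://app.example.com/oauth/client-metadata.json"
SAMPLE_DOC = json.dumps({
    "client_id": CLIENT_ID,
    "client_name": "Example App",
    "redirect_uris": ["https://app.example.com/callback"],
})


def client_id_url_problems(client_id: str) -> list:
    # Checks applied before fetching anything (rules assumed, not quoted from a spec).
    u = urlsplit(client_id)
    problems = []
    if u.scheme != "https":
        problems.append("client_id scheme must be https")
    if u.username or u.password:
        problems.append("client_id must not carry userinfo")
    if not u.path:
        problems.append("client_id needs a path component")
    elif any(seg in (".", "..") for seg in u.path.split("/")):
        problems.append("client_id must not contain dot segments")
    if u.fragment:
        problems.append("client_id must not contain a fragment")
    return problems


def validate_metadata(client_id: str, body: str) -> dict:
    """Validate the fetched JSON against the client_id it was fetched from."""
    problems = client_id_url_problems(client_id)
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        return {"ok": False, "problems": problems + ["body is not a JSON object"]}
    # The document must claim exactly the URL it was served from, so a document
    # hosted at one URL cannot impersonate a different client_id.
    if doc.get("client_id") != client_id:
        problems.append("client_id in document does not match its URL")
    uris = doc.get("redirect_uris")
    if not isinstance(uris, list) or not uris:
        problems.append("redirect_uris must be a non-empty list")
    else:
        for r in uris:
            ru = urlsplit(r if isinstance(r, str) else "")
            if not ru.scheme or ru.fragment:
                problems.append("redirect_uri must be absolute and fragment-free: %r" % r)
    return {"ok": not problems, "problems": problems, "doc": doc}
```

The authorization server should then compare the redirect_uri in the authorization request against the document's redirect_uris by exact string match, as with any pre-registered client.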
Yes, I helped them with it. They also use the client-id-url technique that came from IndieAuth
October 2, 2025 at 2:14 PM
Thanks to everyone for your contributions and feedback so far!

And thanks to my co-authors Karl McGuinness and Brian Campbell!
September 20, 2025 at 2:20 PM
While it will still be a while before it is an RFC, this is an important step in the standards process, as this is the first time the document is "official"! This signifies that the working group agrees that the problem is worth solving, and agrees on the general direction of the spec.
September 20, 2025 at 2:20 PM
The only way to get close to a real solution is using proximity solutions like WebAuthn does. There's an extensive discussion on this here: www.ietf.org/archive/id/d...
Cross-Device Flows: Security Best Current Practice
This document describes threats against cross-device flows along with practical mitigations, protocol selection guidance, and a summary of formal analysis results identified as relevant to the securit...
www.ietf.org
September 19, 2025 at 3:47 PM
DPoP should have added a section for the device code flow like this section about PAR. datatracker.ietf.org/doc/html/rfc...

The device code flow is similar to PAR: the initial request is backchannel to the AS. So the same considerations that apply to PAR here apply to the device code flow.
RFC 9449: OAuth 2.0 Demonstrating Proof of Possession (DPoP)
This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks wit...
datatracker.ietf.org
September 19, 2025 at 3:44 PM
I agree DPoP binding should start with the initial request. But at the end of the day it doesn't make *that* much of a difference. The bigger risk with the device code flow is the phishing problem, which DPoP doesn't solve.
September 19, 2025 at 3:40 PM
Update: it worked! I only had to tap my phone and I got through TSA!
August 6, 2025 at 12:25 AM
It has come to my attention that I have previously loaded my passport into my Android phone as an "ID pass" which should theoretically get me through TSA legitimately
August 5, 2025 at 8:12 PM
It saves the tiniest bit of battery to enable it, and only works with the selected "express transit card" support.apple.com/guide/securi...

But it means you can tap without even unlocking the phone!
Express Cards with power reserve
If iOS isn’t running because iPhone needs to be charged, there may still be enough power in the battery to support Express Card transactions.
support.apple.com
August 5, 2025 at 2:16 PM