Do we need to add client_id to ticket auth requests? #85

aaronpk · 2021-07-10T19:21:59Z

No description provided.

dshanske · 2021-07-10T19:23:36Z

I would think not as you are offering it to the site. Now, what we could do is add that to the ticket grant type to the token endpoint, so you could request that the ticket be issued and limited to a specific client.

Zegnat · 2021-07-10T19:31:14Z

My backend currently stores the discovered ticket_endpoint as the client_id on issued tokens. This value can be retrieved through token verification. (Maybe, unless I broke something there.)

This gives some of the same benefits as I would otherwise have from a client_id. E.g.: if a client goes rogue I can revoke all tokens ever issued to it, now if a ticket endpoint goes rogue I can do the same.

dshanske · 2023-10-22T15:49:34Z

I've tried to address this by adding the notation about the grant_type supporting client_id, so the ticket endpoint, when redeeming, can opt to limit it to a specific client_id at that point.

aaronpk added the ticketing extension Ticketing for IndieAuth extension label Jul 10, 2021

omz13 mentioned this issue Apr 4, 2022

ticketing + ac-obo #113

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Do we need to add client_id to ticket auth requests? #85

Do we need to add client_id to ticket auth requests? #85

aaronpk commented Jul 10, 2021

dshanske commented Jul 10, 2021

Zegnat commented Jul 10, 2021

dshanske commented Oct 22, 2023

Do we need to add client_id to ticket auth requests? #85

Do we need to add client_id to ticket auth requests? #85

Comments

aaronpk commented Jul 10, 2021

dshanske commented Jul 10, 2021

Zegnat commented Jul 10, 2021

dshanske commented Oct 22, 2023