Clarify auth to reduce incompatible ActivityPub implementations #77

Closed
xray7224 opened this Issue Mar 17, 2016 · 4 comments

Comments

xray7224 (Collaborator) commented Mar 17, 2016

Maybe we could just specify using IndieAuth? Is this possible given the group has said auth is out of scope? This would help convergence.

xray7224 (Collaborator) commented Mar 17, 2016

F2F Discussion: Normatively say one SHOULD use an OAuth 2.0 bearer token as authorization and MAY use OAuth 2.0 to get the bearer token; leave "one could use IndieAuth" as a non-normative note. Should define server-to-server authorization for federation.

rpeinl commented May 27, 2016

My experience with OAuth 2.0 is that the tokens used for exchanging the claims are not standardized. Using only JSON Web Signature in addition to unstandardized tokens, as suggested in section 5.1.2, is not enough from my perspective. We should require at least JSON Web Tokens (which themselves rely on JSON Web Signature) or directly go for OpenID Connect, which is more or less the successor of OAuth 2.0 and prescribes JSON Web Tokens as well.

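The bearer-token route the F2F summary above settles on, carrying the standardized JWT claims rpeinl asks for, as an added example that is not ActivityPub's own code nor that of any implementation in this thread. It assumes a shared HMAC secret between the client and the server (a stand-in for this demo; server-to-server federation would want asymmetric keys), hypothetical actor and inbox URLs, and a plain dict of request headers in place of a real HTTP request.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised for any reason a bearer token must be rejected."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    try:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    except ValueError as exc:  # binascii.Error and non-ASCII input are ValueErrors
        raise TokenError("malformed base64url segment") from exc


def issue_token(secret: bytes, subject: str, issuer: str, audience: str,
                ttl: int, now=None) -> str:
    """Mint a JWT in JWS compact serialization (HS256) carrying the registered
    claims a verifier can actually check: iss, sub, aud, iat, exp."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(secret: bytes, token: str, issuer: str, audience: str,
                 now=None, skew: int = 30) -> dict:
    """Check the JWS signature first, then the JWT claims; return the claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("expected three dot-separated segments")
    header_b64, claims_b64, sig_b64 = parts
    sig = _b64url_decode(sig_b64)
    header_raw = _b64url_decode(header_b64)
    claims_raw = _b64url_decode(claims_b64)
    try:
        header = json.loads(header_raw)
    except ValueError as exc:
        raise TokenError("header is not JSON") from exc
    # Pin the algorithm on the server side. Honouring whatever the header says
    # is how "alg": "none" and key-confusion bypasses happen.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unsupported or missing alg")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("signature mismatch")
    # Only after the signature holds is the payload worth interpreting.
    try:
        claims = json.loads(claims_raw)
    except ValueError as exc:
        raise TokenError("claims are not JSON") from exc
    if not isinstance(claims, dict):
        raise TokenError("claims must be a JSON object")
    if claims.get("iss") != issuer:
        raise TokenError("unexpected issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        raise TokenError("token not intended for this audience")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + skew:
        raise TokenError("token expired or has no exp")
    if not isinstance(claims.get("sub"), str):
        raise TokenError("missing sub")
    return claims


def authorize_request(secret: bytes, headers: dict, issuer: str,
                      audience: str, now=None) -> dict:
    """Pull `Authorization: Bearer <jwt>` from request headers and verify it."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise TokenError("missing Bearer credentials")
    return verify_token(secret, token.strip(), issuer, audience, now)


if __name__ == "__main__":
    # Constructed demo values: a client posting to a hypothetical inbox.
    secret = b"demo-shared-secret"
    tok = issue_token(secret, "https://alice.example/actor",
                      "https://alice.example", "https://bob.example/inbox", 3600)
    print(authorize_request(secret, {"Authorization": "Bearer " + tok},
                            "https://alice.example", "https://bob.example/inbox"))
```

The split between the two standards is visible in `verify_token`: JWS supplies the signature over `header.payload`, and JWT supplies the `iss`, `aud` and `exp` claims the inbox checks before trusting `sub`. A bare JWS over an implementation-specific payload gives a receiver nothing to check beyond the signature, which is the gap the comment above points at.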
dmitrizagidulin commented May 27, 2016

+1 to what @rpeinl said. We should at least mention OpenID Connect, if not strongly recommend it.

cwebber (Collaborator) commented Sep 12, 2016

We now have two possible routes for authentication: OAuth with JSON Web Signatures, and Linked Data Signatures. Neither of these is the "official" way of doing things, though they are both roughly discussed as a possibility.

I may have gotten some things wrong about using the Linked Data Signatures approach; I'm asking people more familiar with LDS to review. Likewise, if anyone who has more experience with OAuth and JWS has input, that could be better fleshed out.

I'm not confident that any authentication mechanism will become the "right way forward" soon. For now, I think this is okay.

I'm likely to refine this further as things go on, but I feel like the requirement of this ticket is fulfilled. Closing.

cwebber closed this Sep 12, 2016

sandhawke referenced this issue Apr 16, 2017: ActivityPub support #1557 (Closed, 10 of 15 tasks complete)