Clarify auth to reduce incompatible activitypub implementations #77
May 27, 2016
My experience with OAuth 2.0 is that the tokens used for exchanging the claims are not standardized. Using only JSON Web Signature in addition to unstandardized tokens, as suggested in section 5.1.2, is not enough from my perspective. We should require at least JSON Web Tokens (which themselves rely on JSON Web Signature) or directly go for OpenID Connect, which is more or less the successor of OAuth 2.0 and prescribes JSON Web Tokens as well.
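The distinction drawn in the comment above (a JWS only proves who signed a blob; a JWT additionally gives the verifier standard claims it can check) can be made concrete with a small example. The following Python is an added illustration, not code from this thread, from the ActivityPub specification, or from any OAuth library. It assumes HS256 (HMAC-SHA256) as the JWS algorithm, a constructed demo key, and constructed issuer and audience URLs; it builds a compact JWS by hand so it runs with the standard library only.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret for this example only; a real deployment uses a per-issuer
# secret or, better, an asymmetric key so relying parties cannot mint tokens.
DEMO_KEY = b"constructed-demo-secret-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jws_sign(payload: bytes, key: bytes, typ=None) -> str:
    """Produce a compact-serialization JWS (RFC 7515) over an arbitrary payload."""
    header = {"alg": "HS256"}
    if typ:
        header["typ"] = typ
    signing_input = _b64url(json.dumps(header, separators=(",", ":")).encode()) + "." + _b64url(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def jws_verify(token: str, key: bytes) -> bytes:
    """Check the signature only; return the raw payload bytes or raise ValueError.
    This is all a bare JWS gives a verifier: integrity and origin, no semantics."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm rather than trusting whatever the token's header says.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return _b64url_decode(p)


def jwt_verify(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """JWS verification plus the standard claim checks a JWT (RFC 7519) makes possible:
    the verifier can reject tokens from the wrong issuer, for another audience, or expired."""
    payload = jws_verify(token, key)
    claims = json.loads(payload)  # json.JSONDecodeError is a ValueError subclass
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON claims set")
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("not yet valid")
    return claims


def issue_jwt(key: bytes, issuer: str, subject: str, audience: str, now: float, ttl: int = 300) -> str:
    """Mint a JWT with the registered claims a relying party is expected to validate."""
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": int(now), "exp": int(now) + ttl}
    return jws_sign(json.dumps(claims, separators=(",", ":")).encode(), key, typ="JWT")


if __name__ == "__main__":
    iss, aud, t0 = "https://issuer.example", "https://api.example", 1000
    tok = issue_jwt(DEMO_KEY, iss, "alice", aud, t0)
    print("jwt claims:", jwt_verify(tok, DEMO_KEY, iss, aud, now=t0 + 100))
    # A bare JWS over an opaque token verifies, but tells the verifier nothing it can enforce.
    opaque = jws_sign(b"session:abc123", DEMO_KEY)
    print("opaque payload:", jws_verify(opaque, DEMO_KEY))
```

The point the example makes is the one in the comment: `jws_verify` accepts the opaque `session:abc123` token just as happily as the JWT, because a signature alone does not say who the token is for or how long it is good; only once the payload is a standard claims set can `jwt_verify` refuse tokens meant for another audience or issued long ago.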
We now have two possible routes for authentication: OAuth with JSON Web Signatures, and Linked Data Signatures. Neither of these is the "official" way of doing things, though they are both roughly discussed as a possibility.
I may have gotten some things wrong about using the Linked Data Signatures approach; I'm asking people more familiar with LDS to review. Likewise, if anyone who has more experience with OAuth and JWS has input, that could be better fleshed out.
I'm not confident that any authentication mechanism will become the "right way forward" soon. For now, I think this is okay.
I'm likely to refine this further as things go on, but I feel like the requirement of this ticket is fulfilled. Closing.