Hi all, I've recently encountered an issue with OAuth for decentralized social web applications (e.g., those built on AT Protocol), where the user may not be directly familiar with their Authorization Servers' UI because they normally use apps to access their accounts.
For instance, many Bluesky users don't know how to access their Authorization Server's management UI for managing which clients have access to their account, as documented in https://github.com/bluesky-social/social-app/issues/9403

This has led many users on Bluesky to think that App Passwords (effectively additional passwords for their account) are more secure than OAuth, because the Bluesky client application cannot provide a management UI for OAuth clients, since it is not the authorization server. The authorization server is instead bsky.social when people use bsky.app as the client.

I noticed that in the Authorization Server Metadata (RFC 8414) there wasn't a particularly relevant property besides maybe homepage_uri (from OpenID Federation) through which to expose the management UI. So I'd like to propose an `authorization_management_uri` property, and have submitted an internet draft to enable discovery of the management UI: https://www.ietf.org/archive/id/draft-emelia-oauth-authorization-management-uri-00.html

n.b., I know there's a typo in the security considerations section; I caught it after publishing -00 and didn't want to publish a new version just for changing one word.

Yours,
Emelia Smith

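To show how a client could consume such a property, here is an added example that is my own illustration, not code from the draft, from Bluesky, or from the author above. It builds the RFC 8414 well-known URL for an issuer (inserting the suffix before any issuer path component), checks that the returned metadata's `issuer` matches the expected value, and picks the link to show the user, preferring the proposed `authorization_management_uri` over `homepage_uri` and refusing anything that is not an absolute https URL. The issuer and metadata document are constructed sample values.

```python
import json
from urllib.parse import urlsplit


def metadata_url(issuer: str) -> str:
    """RFC 8414 section 3: the well-known suffix goes between host and issuer path."""
    parts = urlsplit(issuer)
    path = parts.path.rstrip("/")
    return f"{parts.scheme}://{parts.netloc}/.well-known/oauth-authorization-server{path}"


def _is_https_absolute(url: str) -> bool:
    # Only absolute https URLs without a fragment are acceptable as a link to
    # send a user to; anything else is ignored rather than rendered.
    p = urlsplit(url)
    return p.scheme == "https" and bool(p.netloc) and not p.fragment


def management_uri(expected_issuer: str, metadata_json: str):
    """Return the management UI URL to present to the user, or None if absent."""
    md = json.loads(metadata_json)
    # RFC 8414 section 3.3: the issuer in the document must exactly match the
    # issuer used to locate it; otherwise the whole document is rejected.
    if md.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch in authorization server metadata")
    # Proposed property first (draft-emelia-oauth-authorization-management-uri),
    # then the OpenID Federation homepage_uri as a weaker fallback.
    for key in ("authorization_management_uri", "homepage_uri"):
        value = md.get(key)
        if isinstance(value, str) and _is_https_absolute(value):
            return value
    return None


# Constructed sample: a hypothetical authorization server (not a real host).
SAMPLE_ISSUER = "https://pds.example.test"
SAMPLE_METADATA = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": "https://pds.example.test/oauth/authorize",
    "token_endpoint": "https://pds.example.test/oauth/token",
    "authorization_management_uri": "https://pds.example.test/account/apps",
    "homepage_uri": "https://pds.example.test/",
})

if __name__ == "__main__":
    print(metadata_url(SAMPLE_ISSUER))
    print(management_uri(SAMPLE_ISSUER, SAMPLE_METADATA))
```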