Hi all,

As discussed at IETF 118 during the "First-Party Apps" session, there was some interest in genericizing the idea of starting an OAuth flow with a POST request, which could be used by this draft and would look similar to PAR. This would essentially define a common way to start an OAuth authorization request with a client-initiated POST request, but would enable further types of uses beyond the single request_uri response defined by PAR.
The framework would define:

• request_type = {extension-defined}
• Sending the authorization request parameters in the request body (with similar language as used by PAR https://datatracker.ietf.org/doc/html/rfc9126#name-request)
• How to layer on client authentication, attestation, etc.
• The response of the request would be defined by extensions

It would also establish a registry of request types, input parameters and response body values. We would then rewrite the First-Party Apps draft as an extension of this framework.

Before I go to write this up, I wanted to check if anyone has other concrete extensions they might want to define? If there is at least one, then it's worth it to me, but if this first-party apps would be the only one for the foreseeable future then I'd like to continue working on the draft as is. So please let me know if you have anything in mind that could leverage client-initiated POST requests.

Thanks!

---
Aaron Parecki
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
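As an added illustration of the framework sketched in the message above (not code from the email or from any IETF draft), a minimal server-side dispatcher: it parses the form-encoded POST body, checks the client, looks the request_type up in a registry of extension handlers, and includes one hypothetical handler that behaves like PAR and returns a request_uri. The request_type value "par", the error code unsupported_request_type, and the client table are assumptions made for this example.

```python
# Added example: server-side handling of a client-initiated POST authorization
# request with an extension registry keyed on request_type. All names, the
# "par" request type and the client table are assumptions, not a specification.
import secrets
import time
from urllib.parse import parse_qs

# Constructed client table standing in for real client registration/authentication.
REGISTERED_CLIENTS = {"app-123": {"redirect_uris": ["https://app.example/cb"]}}

# Registry of extension-defined request types -> handler(params) -> response dict.
REQUEST_TYPES = {}

def register(request_type):
    def wrap(fn):
        REQUEST_TYPES[request_type] = fn
        return fn
    return wrap

# Stored pushed requests: request_uri -> (params, expiry). Short-lived, single-use.
PUSHED = {}

@register("par")  # hypothetical request_type mirroring the RFC 9126 response
def handle_par(params):
    uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(32)
    PUSHED[uri] = (params, time.time() + 60)
    return {"request_uri": uri, "expires_in": 60}

def parse_body(body):
    # Form-encoded body; a parameter given more than once is rejected (as in OAuth 2.0).
    out = {}
    for key, values in parse_qs(body, strict_parsing=True).items():
        if len(values) != 1:
            raise ValueError(f"duplicate parameter: {key}")
        out[key] = values[0]
    return out

def handle_post(body):
    """Return (http_status, response_dict) for one client-initiated POST request."""
    try:
        params = parse_body(body)
    except ValueError as exc:
        return 400, {"error": "invalid_request", "error_description": str(exc)}
    if params.get("client_id") not in REGISTERED_CLIENTS:
        return 401, {"error": "invalid_client"}
    if "request_uri" in params:  # PAR forbids nesting a request_uri in the pushed request
        return 400, {"error": "invalid_request"}
    handler = REQUEST_TYPES.get(params.get("request_type"))
    if handler is None:  # unknown/unregistered extension: hypothetical error code
        return 400, {"error": "unsupported_request_type"}
    return 201, handler(params)
```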