ivoa-oauth: an SSO-next based approach to allowing non-browser-based VO clients to use OAuth 2.x/OIDC

Russ Allbery eagle at eyrie.org
Fri Oct 11 06:39:56 CEST 2024


James Tocknell via grid <grid at ivoa.net> writes:

> By "dynamic client registration" I'm referring to RFC 7591 and OpenID
> Connect Dynamic Client Registration 1.0 (the former based on the
> latter), both of which allow for clients (not users!) to be registered
> without a browser (it is a simple POST endpoint).

Oh, okay, sorry, now I think I see.  I'm sorry to have had such a hard
time understanding what you were getting at.  Your goal is to be able to
use RFC 8628, which has provisions for authenticating a user where the
user has access to a web browser but the device does not.  And in order to
use RFC 8628, the device has to be able to register as an OAuth 2 or
OpenID Connect client (which is not a client in the IVOA sense; it's sort
of a special type of relying party in this context), and that's where
you're invoking Dynamic Client Registration.

You said all of that in your original proposal and it's all very obviously
laid out now that I'm reading it with the right mindset, but for some
reason I got it all tangled up originally.  I'm sorry for all the noise!
I got Device Authorization Grant and Dynamic Client Registration confused
and was talking about the former when you were talking about the latter.

-- 
Russ Allbery (eagle at eyrie.org)             <https://www.eyrie.org/~eagle/>
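
Added example, not part of the original message or of any IVOA code: a sketch of the two steps discussed above, with a browserless client first registering itself (RFC 7591) and then running the RFC 8628 device flow, including the polling rules. The client name, scope, client_id, the `send` transport callback and all server replies are constructed assumptions.

```python
import json
from urllib.parse import urlencode

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

def registration_request(client_name):
    """RFC 7591 client metadata (JSON body of the registration POST)."""
    return json.dumps({
        "client_name": client_name,
        "grant_types": [DEVICE_GRANT],
        # Public client: it cannot keep a secret, so it asks for none.
        "token_endpoint_auth_method": "none",
    })

def device_authorization_request(client_id, scope):
    """RFC 8628 section 3.1 form body; client_id comes from registration."""
    return urlencode({"client_id": client_id, "scope": scope})

def token_request(client_id, device_code):
    """RFC 8628 section 3.4 form body sent on every poll."""
    return urlencode({"grant_type": DEVICE_GRANT,
                      "device_code": device_code,
                      "client_id": client_id})

def poll(send, client_id, grant, sleep):
    """Poll the token endpoint until the user approves in their browser.

    send(body) -> dict is a hypothetical transport that POSTs the form body
    and returns the decoded JSON reply. grant is the device authorization
    response (device_code, expires_in, optional interval).
    """
    interval = grant.get("interval", 5)   # RFC 8628 default is 5 seconds
    waited = 0
    while waited < grant["expires_in"]:
        sleep(interval)
        waited += interval
        reply = send(token_request(client_id, grant["device_code"]))
        error = reply.get("error")
        if error is None:
            return reply["access_token"]
        if error == "slow_down":
            interval += 5                 # back off as section 3.5 requires
        elif error != "authorization_pending":
            # access_denied, expired_token, ...: stop, never retry blindly
            raise PermissionError(error)
    raise TimeoutError("device code expired before the user approved")
```

The user-facing step (showing `user_code` and `verification_uri` from the device authorization response) happens between the second request and the first poll.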

