📚 Node [[oauth]]
📓 garden/bmann/_notes/OAuth.md by @bmann

OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. This specification and its extensions are being developed within the IETF OAuth Working Group.

OAuth 2.1 is an in-progress effort to consolidate OAuth 2.0 and many common extensions under a new name. Among other changes, it makes PKCE mandatory for the authorization code grant, requires exact string matching of redirect URIs, and drops the implicit and resource owner password credentials grants.

RFC 7591 Dynamic Client Registration

https://oauth.net/2/dynamic-client-registration/

The OAuth 2.0 Dynamic Client Registration extension provides a mechanism for dynamically or programmatically registering clients. This spec was derived from the OpenID Connect Dynamic Client Registration spec and is still compatible with OpenID Connect servers.

https://datatracker.ietf.org/doc/html/rfc7591

This specification defines mechanisms for dynamically registering OAuth 2.0 clients with authorization servers. Registration requests send a set of desired client metadata values to the authorization server. The resulting registration responses return a client identifier to use at the authorization server and the client metadata values registered for the client. The client can then use this registration information to communicate with the authorization server using the OAuth 2.0 protocol. This specification also defines a set of common client metadata fields and values for clients to use during registration.

RFC 9449: OAuth 2.0 Demonstrating Proof-of-Possession (DPoP)

https://oauth.net/2/dpop/

DPoP, or Demonstrating Proof of Possession, is an extension that describes a technique to cryptographically bind access tokens to a particular client when they are issued. This is one of many attempts at improving the security of Bearer Tokens by requiring the application using the token to prove possession of the same private key that was used to obtain the token.

https://datatracker.ietf.org/doc/html/rfc9449

This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens.

📓 garden/flancian/oauth.md by @flancian

oauth

📓 garden/moa-party/_notes/oauth.md by @moa-party

OAuth is an authorization standard, widely used to grant an application scoped access to websites and APIs without the user having to share their password with that application. (Authenticating the user to the application is what OpenID Connect adds on top of OAuth.)

For the purposes of [[Moa]], OAuth is used by [[Mastodon]] (and Mastodon-compatible systems like [[Pleroma]]), [[Twitter]], and [[Instagram]]. Moa requests access to your accounts on those services on your behalf. OAuth tokens are stored in the Moa database, and you can revoke them at any time.

The OAuth 2.0 standard, IETF RFC 6749, replaced OAuth 1.0 (RFC 5849) in October 2012.

The oauth.net site has excellent background info, including the introduction and history page.

Resources

📓 garden/ryan/oauth.md by @ryan

oauth

OAuth is an authorization protocol used for [[web services]]. It was created so that a third-party application can be granted limited access to a user's resources without ever handling the user's username and password, as it would have to with HTTP Basic authentication.

Oauth roles

resource owner : entity capable of granting access to a protected resource (when it is a person, the end user)

resource server : server hosting the protected resources, which accepts and validates access tokens

client : application making protected-resource requests on behalf of the resource owner and with its authorization

authorization server : server that authenticates the resource owner, obtains its authorization, and issues access tokens to the client

Flow

[[Screenshot from 2021-07-18 12-38-48.png]]

Links
