@aaronpk are you aware of any OAuth implementations using unregistered clients (RFC 6749 section 2.4) in the wild? It seems to me that requiring client registration discourages self hosting OAuth servers. For example, I'm working on a storage service where each user will 1/
1
have their own custom domain for their instance, hosting an auth server. If someone wants to develop an app to talk to my service, they would have to register it with the instance of every user, which is impossible. Am I missing something? 2/2
1
You're not wrong. You may want to give this a read, which addresses that exact problem: aaronparecki.com/2018/07/07/… We use this a lot for the case you're talking about, where app developers have no relationship with the OAuth service the app is talking to.

OAuth for the Open Web

aaronparecki.com
1
Ahhh that's what IndieAuth is. I was reading up on it, but didn't see any information about the spec on the website. I think my main hesitance towards it is the use of domains. I just don't see the average user buying their own domain. Emails seems more realistic for unique IDs.
1
Replying to @anderspitman
Doesn't have to be a top level domain, just a URL. Both users and apps are identified by URLs. I do think there's value in just client IDs being URLs in some cases, demonstrated by the fact that Home Assistant picked out just that part of the spec for their OAuth API.

Jan 23, 2020 · 12:21 AM UTC

2
Replying to @aaronpk
Don't get me wrong, I think URLs for client IDs is a great idea, which I intend to use. I'm just less sold on URLs for user IDs. Everyone already has email addresses, and they also come with a relatively reliable protocol for contacting the owner.
1
I was trying to say feel free to pick and choose and use just the client ID part. I think that'd be a huge benefit for OAuth as a whole for the exact kind of use case you're talking about.
1
Replying to @aaronpk
I'm imagining a world where email servers handle identity, and authorization servers handle delegation, after confirmation ownership over the email identity.
1
While that sounds nice in theory, the real world is more complicated. Apple's OAuth server is a great example. User IDs are scoped to the app to prevent cross correlation, and the app gets a proxy email instead of the user's real email. Users don't always want to be identified.
1
more replies