This is a little bit less backed than some of our other proposals, but we really wanted to get our thoughts out ahead of Atmosphere Conf so that we could have some of these discussions in person.
Whether you're going to the conference or not, would love to hear thoughts!
Comments
Basically OAuth in atproto is already hard because it's n-n Authorization Servers & clients. Auth scopes add another party into the mix: the Application designer who is defining authorization semantics. n-to-n-to-n!
not OIDC
some secret ³ thing
A very different design for sure though, with different tradeoffs.
Then you can apply the UCAN policies on HTTP parameters (path, arguments...).