At the end of last month, a group got together to discuss some of the outstanding issues in IndieAuth. We had two similar sessions in 2020 and the specification is better for it (see Aaron Parecki’s summary of changes); however, we left many issues on the table due to time considerations.
The spec hasn’t been updated yet, but here are some notes on the new changes. We’re hoping to follow up at another session before the end of the year.
- Tokens having an expiration is now recommended, but not mandatory. This means the token endpoint would return the ‘expires_in’ parameter as part of the access token response, indicating the number of seconds until the token expires.
- In order to support expiring tokens, the access token response may now include a refresh token. The token endpoint will support the grant_type refresh_token so that these tokens can be exchanged for a fresh access token. Refresh tokens are standard in OAuth2, so this requires no changes from the existing specifications.
- Adoption of the OAuth2 Token Introspection specification, with the token endpoint acting as the token introspection endpoint. At this time, that spec requires authentication to use the endpoint, whereas IndieAuth’s existing token verification interaction does not. Whether IndieAuth should explicitly drop the authentication requirement is still an open question.
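To make the three changes above concrete, here is a small in-memory token endpoint, written for this post as an added example (it is not spec text, nor code from Aaron Parecki or any IndieAuth implementation). It issues access token responses carrying ‘expires_in’ and a refresh token, handles grant_type refresh_token with single-use rotation and client binding, and answers verification requests in the OAuth2 Token Introspection (RFC 7662) response shape. The token lifetimes, the store layout, and the function names are assumptions of the example; the open question of whether the introspection call must be authenticated is not modelled here.

```python
"""Illustrative IndieAuth token endpoint (added example, not spec text).

Shows, with an in-memory store:
  * access token responses that carry `expires_in` and a `refresh_token`,
  * `grant_type=refresh_token` exchanging a refresh token for a new access
    token, rotating the refresh token so a leaked old one stops working,
  * introspection in the RFC 7662 response shape (`active`, `me`,
    `client_id`, `scope`, `exp`).
Lifetimes, store layout and function names are assumptions for this example.
"""
import secrets
import time
from typing import Optional, Tuple

ACCESS_TOKEN_LIFETIME = 3600            # seconds; assumed policy, not a spec value
REFRESH_TOKEN_LIFETIME = 30 * 24 * 3600  # seconds; assumed policy

# In-memory stores keyed by token value; a real endpoint would persist these.
_access_tokens = {}
_refresh_tokens = {}


def issue_tokens(me: str, client_id: str, scope: str,
                 now: Optional[float] = None) -> dict:
    """Build the access token response the token endpoint would return."""
    now = time.time() if now is None else now
    access = secrets.token_urlsafe(32)
    refresh = secrets.token_urlsafe(32)
    _access_tokens[access] = {"me": me, "client_id": client_id, "scope": scope,
                              "exp": now + ACCESS_TOKEN_LIFETIME}
    _refresh_tokens[refresh] = {"me": me, "client_id": client_id, "scope": scope,
                                "exp": now + REFRESH_TOKEN_LIFETIME}
    return {
        "access_token": access,
        "token_type": "Bearer",
        "scope": scope,
        "me": me,
        "expires_in": ACCESS_TOKEN_LIFETIME,   # seconds until the access token expires
        "refresh_token": refresh,
    }


def handle_token_request(params: dict,
                         now: Optional[float] = None) -> Tuple[int, dict]:
    """Dispatch a POST to the token endpoint; only the refresh_token grant is shown.

    Returns (HTTP status, JSON body) so callers can see the error responses too.
    """
    now = time.time() if now is None else now
    if params.get("grant_type") != "refresh_token":
        return 400, {"error": "unsupported_grant_type"}
    token = params.get("refresh_token", "")
    record = _refresh_tokens.get(token)
    if record is None or record["exp"] <= now:
        return 400, {"error": "invalid_grant"}
    # A refresh token is bound to the client it was issued to (OAuth2 behaviour).
    if params.get("client_id") != record["client_id"]:
        return 400, {"error": "invalid_grant"}
    # A refresh may narrow the scope but never widen it beyond the original grant.
    requested = params.get("scope", record["scope"])
    if not set(requested.split()) <= set(record["scope"].split()):
        return 400, {"error": "invalid_scope"}
    # Rotate: the old refresh token is single-use, so a replayed copy is rejected.
    del _refresh_tokens[token]
    return 200, issue_tokens(record["me"], record["client_id"], requested, now)


def introspect(token: str, now: Optional[float] = None) -> dict:
    """RFC 7662-shaped verification response for an access token.

    Expired or unknown tokens yield {"active": false} and nothing else, so the
    caller learns no metadata about a token it should not trust.
    """
    now = time.time() if now is None else now
    record = _access_tokens.get(token)
    if record is None or record["exp"] <= now:
        return {"active": False}
    return {"active": True, "me": record["me"], "client_id": record["client_id"],
            "scope": record["scope"], "exp": int(record["exp"])}


if __name__ == "__main__":
    # Constructed sample flow: issue, verify, let the access token lapse, refresh.
    t0 = 1_700_000_000.0
    resp = issue_tokens("https://alice.example/", "https://app.example/", "create update", now=t0)
    print(introspect(resp["access_token"], now=t0 + 10))
    print(introspect(resp["access_token"], now=t0 + ACCESS_TOKEN_LIFETIME + 1))
    print(handle_token_request({"grant_type": "refresh_token",
                                "refresh_token": resp["refresh_token"],
                                "client_id": "https://app.example/"}, now=t0 + 4000))
```

The `now` parameter exists only so the expiry logic can be exercised deterministically; a live endpoint would always use the wall clock. Note that the introspection response for an expired token is the bare `{"active": false}`, which is what a resource server (for example a Micropub endpoint) should treat as a 401.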