DSP Running Meeting 15/07/2025

Purpose

Review and discuss the current draft of the AuthVO specification, with a focus on OAuth2 / OIDC integration, error handling, client registration, and related open issues raised in Pull Request #10.

https://github.com/ivoa-std/AuthVO/

https://github.com/ivoa-std/AuthVO/pull/10

Notes

https://docs.google.com/document/d/1lDGWb5drs8tgndl8X8PMGrk9Rb4H3oM8aW_NTehu_0I/

Agenda

Overview of Current AuthVO Draft

• Brief recap of the AuthVO draft status (by Mark Taylor)

• Motivation for including OAuth2/OIDC (by Jesus Salgado)

OAuth2 / OIDC Design in AuthVO

• Presentation of proposed mechanisms for:

  • Discovery URLs vs Issuer URLs

  • Use of ivoa_bearer challenge

  • Single vs separate schemes for OAuth2 and OIDC (ivoa_oauth vs ivoa_oidc)

• Discussion:

  • Are separate schemes clearer?

  • Interoperability concerns with generic OAuth libraries

  • Simplification opportunities

Error Reporting Mechanisms

• Discussion of error signaling:

  • Removing X-VO-Auth-Error

  • Embedding error and error_description in WWW-Authenticate header

  • Standard OAuth2 error vocabulary (RFC 6750)

Client Registration: Pre-registered vs Dynamic

• Challenges with dynamic client registration (RFC 7591)

• Pros and cons of maintaining a VO-wide list of pre-registered clients

• Possible examples of pre-registered VO client IDs

Device Flow and Authorisation Code Flow

• Clarify:

  • Client IDs for VO tools (TOPCAT/STILTS, pyVO, astroquery, etc.)

  • Discovery metadata required for each flow

Implementation Prototyping and Next Steps

• Desire for prototype implementations:

  • Which services or tools can implement OAuth2 first?

  • Interoperability testing plan

• Timeline for stabilizing AuthVO draft