DSPRunning072025 < IVOA

IVOA Web>WebPreferences>DSPRunning072025 (2025-07-14, JesusSalgado) (raw view)

---+ DSP Running Meeting 15/07/2025
---++ Purpose

Review and discuss the current draft of the AuthVO specification, with a focus on OAuth2 / OIDC integration, error handling, client registration, and related open issues raised in Pull Request #10.

https://github.com/ivoa-std/AuthVO/

https://github.com/ivoa-std/AuthVO/pull/10
---++ Notes

https://docs.google.com/document/d/1lDGWb5drs8tgndl8X8PMGrk9Rb4H3oM8aW_NTehu_0I/
---++ Agenda

*Overview of Current AuthVO Draft*
   * <p>Brief recap of the AuthVO draft status (by *Mark Taylor*)</p>
   * <p>Motivation for including OAuth2/OIDC (by *Jesus Salgado*)</p>
---+++ *OAuth2 / OIDC Design in AuthVO*
   * <p>Presentation of proposed mechanisms for:</p>
      * <p>Discovery URLs vs Issuer URLs</p>
      * <p>Use of ivoa_bearer challenge</p>
      * <p>Single vs separate schemes for OAuth2 and OIDC (ivoa_oauth vs ivoa_oidc)</p>
   * <p>Discussion:</p>
      * <p>Are separate schemes clearer?</p>
      * <p>Interoperability concerns with generic OAuth libraries</p>
      * <p>Simplification opportunities</p>
---+++ *Error Reporting Mechanisms*
   * <p>Discussion of error signaling:</p>
      * <p>Removing X-VO-Auth-Error</p>
      * <p>Embedding error and error_description in WWW-Authenticate header</p>
      * <p>Standard OAuth2 error vocabulary (RFC 6750)</p>
*Decision: Should we align strictly to OAuth error reporting?*
---+++ *Client Registration: Pre-registered vs Dynamic*
   * <p>Challenges with dynamic client registration (RFC 7591)</p>
   * <p>Pros and cons of maintaining a VO-wide list of pre-registered clients</p>
   * <p>Possible examples of pre-registered VO client IDs</p>
---+++ *Device Flow and Authorisation Code Flow*
   * <p>Clarify:</p>
      * <p>Client IDs for VO tools (TOPCAT/STILTS, pyVO, astroquery, etc.)</p>
      * <p>Discovery metadata required for each flow</p>
---+++ *Implementation Prototyping and Next Steps*
   * <p>Desire for prototype implementations:</p>
      * <p>Which services or tools can implement OAuth2 first?</p>
      * <p>Interoperability testing plan</p>
   * <p>Timeline for stabilizing AuthVO draft</p>

Topic revision: r1 - 2025-07-14 - JesusSalgado

IVOA

Log in or Register

IVOA.net
Wiki Home
WebChanges
WebTopicList
WebStatistics

Twiki Meta & Help
IVOA
Know
Main
Sandbox
TWiki

TWiki intro
TWiki tutorial
User registration
Notify me

Working Groups

Interest Groups

Time Domain

Committees

Stds&Procs

www.ivoa.net
Documents
Events
Members
XML Schema