Can I just say, I really hate this is a problem, and I love the idea of trying to standardize something here. Because, as a user of many different services, where I have in the past given out access to, it's near impossible to know where and how to revoke access to some of those things.
One question I have here is, how do you envision connecting from the publishing of the *authorization_management_uri*, to it actually being used practically? On Mon, Nov 17, 2025 at 9:11 PM Emelia S. <emelia= [email protected]> wrote: > Hi all, > > I've recently encountered an issue with OAuth for decentralized social web > applications (e.g., those built on AT Protocol), > where the user may not be directly familiar with their Authorization > Servers' UI because they normally use apps to access > their accounts. > > For instance, many Bluesky users don't know how to access their > Authorization Server's management UI for managing > which clients have access to their account, as documented in > https://github.com/bluesky-social/social-app/issues/9403 > > This has lead many users on Bluesky to think that App Passwords > (effectively additional passwords for their account) > are more secure than OAuth, because the Bluesky client application cannot > provide a management UI for OAuth clients, > since it is not the authorization server. The authorization server is > instead bsky.social <http://bsky.social/> when people use bsky.app as the > client. > > I noticed that in the Authorization Server Metadata (RFC8414) there wasn't > particularly a relevant property besides maybe > homepage_uri (from OpenID Federation) through which to expose the > management UI. > > So I'd like to propose a `authorization_management_uri` property, and have > submitted an internet draft to enable discovery > of the management UI: > https://www.ietf.org/archive/id/draft-emelia-oauth-authorization-management-uri-00.html > > n.b., I know there's a typo in the security considerations section, I > caught it after publishing -00 and didn't want to publish a > new version just for changing one word. > > Yours, > Emelia Smith > _______________________________________________ > OAuth mailing list -- [email protected] > To unsubscribe send an email to [email protected] >
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
