I'm setting up a temporary laptop for my next trip and it's shocking how much faster the cross-device passkey flow is compared to looking up and hand typing my long 1Password passwords
Oh crazy, I didn't realize that. Yeah they should really add that.
Sorry why wouldn't they be able to do client authentication with CIMDs? There's a description of how to do that in the spec.
Inspired by some #indieweb folks creating /caw pages on their websites, I made one of my own! Here you can listen to the most recent crow recorded from my house:
aaronparecki.com/caw/
Apparently I missed the introduction of the 4.4mm TRRRS audio jack 10 years ago and just now discovered it. What a cool idea.
I'd be happy to talk; what we need right now is to demonstrate that the people who run websites you'd be logging in to also want to improve their UX with FedCM. Feel free to send people my way.
Oh crap I just realized the "it" he was referring to was probably the food, not his critical thinking.
"I'll just check my critical thinking and nuke it in the microwave" has to be my favorite quote from this Business Insider video on Trader Joe's white-labeled food
Me looking at my todo list on a Sunday night after having done at least a couple things today, yet somehow it looks more like a list of what I did *not* do today.
oh no, due to a series of misclicks, I just accidentally archived the most recent 100 emails in my inbox.
if nothing else, reviewing my "all mail" folder is doing a good job of making me question how important emails in my inbox actually are.
Not that this is a 1:1 replacement, but it is one of the reasons I built Meetable.org, so communities can create their own calendars on their own domains.
Enterprise-Managed Authorization extension (aka Cross App Access) - eliminate the OAuth redirect and get tokens for an MCP server by requesting them from the enterprise IdP
Read more about what these mean for you in my full post
aaronparecki.com/2025/11/25/1...
The new MCP spec just dropped!
There are too many new things to get into everything, but there are two big changes I am most excited about:
Client ID Metadata Documents (CIMD) - a simpler way to manage client registrations, clients describe themselves with a URL they control
I don't know anything about the protocol, but if they support the same OAuth spec as ATProto and the same user ID discovery, it would work.
even with all the emoji? lol
The dots that Solid OIDC connected were to specifically use the RFC7591 vocabulary in a JSON doc at the client ID URL, whereas IndieAuth originally parsed the metadata from HTML, and OpenID Federation nests the metadata inside an "Entity Statement" JSON wrapper.
I mean it was a big mix of things really. Most recently the JSON document idea came from there, but "client IDs as URLs" has been part of IndieAuth since 2015 web.archive.org/web/20150315... and OpenID Federation since 2016 openid.net/specs/openid...
Yeah I definitely went hard mode by writing everything from scratch (except the JWT signing). Partly because I wanted to see what it actually takes to implement a library, partly because I can't stand the current state of most languages' package management.
I just finished adding BlueSky support to IndieLogin.com! Now you can log in to websites like indieweb.org with your BlueSky handle!
The folks at Stytch put together a really nice explainer website about it too! cimd.dev
This could replace Dynamic Client Registration in MCP, dramatically simplifying management of clients, as well as enabling servers to limit access to specific clients if they want.
The recent surge in interest in MCP has further demonstrated the need for this to be a standardized mechanism, and was the main driver in the latest round of discussion for the document!
The mechanism of clients identifying themselves as a URL has been in use in IndieAuth for over a decade, and more recently has been adopted by BlueSky for their OAuth API.
Clients identify themselves with their own URL, and host their metadata (name, logo, redirect URL) in a JSON document at that URL. They then use that URL as the client_id to introduce themselves to an authorization server for the first time.
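As an added example (not code from the original posts, the draft, or any of the implementations mentioned), here is how an authorization server could validate a Client ID Metadata Document before trusting a client_id URL, including the per-client allowlist the earlier post mentions. The sample document is constructed, and the URL well-formedness rules (https, a path component, no fragment, no credentials, no dot-segments) are assumptions about the draft's general shape rather than text taken from the page.

```python
"""Added example: validating a Client ID Metadata Document (CIMD) on the
authorization-server side. The URL rules and the sample document below are
assumptions constructed for this example, not text from the posts above."""
from urllib.parse import urlparse

# Constructed sample: the JSON a client would host at its client_id URL,
# using RFC 7591 vocabulary (client_name, logo_uri, redirect_uris).
SAMPLE_DOCUMENT = {
    "client_id": "https://app.example.com/oauth/client-metadata.json",
    "client_name": "Example Notes",
    "logo_uri": "https://app.example.com/logo.png",
    "redirect_uris": ["https://app.example.com/oauth/callback"],
}


def client_id_url_is_valid(client_id: str) -> bool:
    """Reject client_id values that are not well-formed https metadata URLs."""
    u = urlparse(client_id)
    if u.scheme != "https" or not u.hostname or u.fragment:
        return False
    if u.username or u.password:          # no credentials embedded in the URL
        return False
    if not u.path or u.path == "/":       # assumption: a path component is required
        return False
    # No single- or double-dot path segments (assumed rule).
    return not any(seg in (".", "..") for seg in u.path.split("/"))


def validate_client_metadata(client_id, document, redirect_uri, allowlist=None):
    """Return (ok, reason). `document` is the JSON already fetched from client_id.

    `allowlist` is an optional server policy: a set of client_id URLs this
    server is willing to serve (the "limit access to specific clients" case).
    """
    if not client_id_url_is_valid(client_id):
        return False, "client_id is not an acceptable https URL"
    if allowlist is not None and client_id not in allowlist:
        return False, "client not permitted by server policy"
    # The document must claim exactly the URL it was fetched from, so a
    # client cannot point its client_id at someone else's metadata.
    if document.get("client_id") != client_id:
        return False, "document client_id does not match the URL"
    # Only redirect URIs the client published in its own document are honoured.
    if redirect_uri not in document.get("redirect_uris", []):
        return False, "redirect_uri not registered in metadata document"
    return True, "ok"
```

In a real server the document is fetched over HTTPS from the client_id URL (with a size limit and timeout) and cached; the checks above then run on the parsed JSON before the authorization request proceeds.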
The IETF OAuth Working Group has adopted the Client ID Metadata Document specification!
> This specification defines a mechanism through which an OAuth client can identify itself to authorization servers, without prior dynamic client registration or other existing registration.
Yes, I helped them with it. They also use the client-id-url technique that came from IndieAuth.
Thanks to everyone for your contributions and feedback so far!
And thanks to my co-authors Karl McGuinness and Brian Campbell!
While it will still be a while before it is an RFC, this is an important step in the standards process, as this is the first time the document is "official"! This signifies that the working group agrees that the problem is worth solving, and agrees on the general direction of the spec.
The IETF OAuth Working Group has adopted the Identity Assertion Authorization Grant specification!
datatracker.ietf.org/doc/draft-ie...
This is the basis of Cross App Access (XAA), providing IT admins better visibility and control by configuring the app-to-app connections in their enterprise IdP.