As described in Authentication & Authorization C2S
OAuth 2.0 bearer tokens should be used to access a server with an ActivityPub (AP) client.
"To discover the correct endpoint for authorization, clients should use OAuth-Server-Metadata on the host part from the actor’s ID URI."
I assume that OAuth-Server-Metadata means OAuth 2.0 Authorization Server Metadata (rfc8414).
Client IDs may be acquired using OAuth 2.0 Dynamic Client Registration Protocol (rfc7591).
In my setup, I use Keycloak as identity provider. The server metadata concerning OAuth2 are already provided by Keycloak: https://server/auth/realms/realm/.well-known/openid-configuration
Response:
{
"issuer": "https://login.example.com/auth/realms/LOA",
...
...
"registration_endpoint": "https://login.example.com/auth/realms/LOA/clients-registrations/openid-connect",
...
...
}
The question is how does the client get the information? It cannot know which identity provider I use!
A possibility is that the AP server provides an endpoint like
https://activitypub.example.com/.well-known/activityPub
and then gets the info about the issuer:
{
"issuer":"https://login.example.com/auth/realms/LOA"
}
I am curious to hear your opinions
I think it’s pretty clear to me from the wiki document you linked that for an actor with a URI of https://example.com/users/foo, the metadata endpoint would live at https://example.com/.well-known/oauth-authorization-server. So you would need to create a redirect or similar from that URL to whatever URL is provided by your identity server.
However, note that the wiki page you linked was just a working draft and never received a full implementation or specifications work. The ActivityPub spec has only this to say on the matter:
The endpoints mapping MAY include the following properties:
oauthAuthorizationEndpoint
If OAuth 2.0 bearer tokens [RFC6749] [RFC6750] are being used for authenticating client to server interactions, this endpoint specifies a URI at which a browser-authenticated user may obtain a new authorization grant.
oauthTokenEndpoint
If OAuth 2.0 bearer tokens [RFC6749] [RFC6750] are being used for authenticating client to server interactions, this endpoint specifies a URI at which a client may acquire an access token.
Dynamic client registration still poses a bit of a puzzle though…
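The two mechanisms discussed in this thread (deriving the RFC 8414 well-known URL from the host part of the actor ID, and the oauthAuthorizationEndpoint / oauthTokenEndpoint properties of the actor's endpoints mapping) can be put side by side in a small discovery routine. The following is an added example, not code from the original posts or from any ActivityPub or Keycloak project; the authorization_endpoint and token_endpoint values in the sample metadata are constructed, only the issuer and registration_endpoint come from the question, and the network fetch is replaced by embedded sample documents so the example runs offline.

```python
"""
Added example: OAuth 2.0 Authorization Server Metadata discovery for an
ActivityPub client, plus the actor `endpoints` fallback. Not part of the
original thread; sample documents below are constructed.
"""
import json
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN_PATH = "/.well-known/oauth-authorization-server"  # RFC 8414 path


def metadata_url_for_actor(actor_id: str) -> str:
    """Host part of the actor ID + the RFC 8414 well-known path, as the reply describes."""
    parts = urlsplit(actor_id)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("actor ID must be an https URL with a host")
    return urlunsplit(("https", parts.netloc, WELL_KNOWN_PATH, "", ""))


def validate_metadata(doc: dict, actor_id: str):
    """Return (endpoints, warnings) for a metadata document; raise on hard failures.

    Hard failures: required fields missing, non-https issuer or endpoints,
    issuer carrying a query or fragment (RFC 8414 forbids both).
    Warning only: issuer host differs from the actor host, which is exactly
    the redirect setup the reply suggests, so it must not be treated as fatal.
    """
    required = ("issuer", "authorization_endpoint", "token_endpoint")
    missing = [k for k in required if k not in doc]
    if missing:
        raise ValueError(f"metadata missing required fields: {missing}")

    issuer = urlsplit(doc["issuer"])
    if issuer.scheme != "https" or issuer.query or issuer.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")

    for key in ("authorization_endpoint", "token_endpoint", "registration_endpoint"):
        url = doc.get(key)
        if url is not None and urlsplit(url).scheme != "https":
            raise ValueError(f"{key} must use https")

    warnings = []
    actor_host = urlsplit(actor_id).netloc
    if issuer.netloc != actor_host:
        warnings.append(f"issuer host {issuer.netloc} differs from actor host {actor_host}")

    endpoints = {
        "issuer": doc["issuer"],
        "authorization_endpoint": doc["authorization_endpoint"],
        "token_endpoint": doc["token_endpoint"],
        "registration_endpoint": doc.get("registration_endpoint"),
        # RFC 7591 dynamic registration is only possible if the server advertises it
        "dynamic_registration": "registration_endpoint" in doc,
    }
    return endpoints, warnings


def endpoints_from_actor(actor_doc: dict) -> Optional[dict]:
    """Fallback: the two OAuth properties the ActivityPub spec allows in `endpoints`."""
    ep = actor_doc.get("endpoints") or {}
    auth, token = ep.get("oauthAuthorizationEndpoint"), ep.get("oauthTokenEndpoint")
    if not (auth and token):
        return None
    return {"authorization_endpoint": auth, "token_endpoint": token}


# Constructed sample: what a fetch of the well-known URL might return once the
# AP host redirects it to the Keycloak realm from the question.
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://login.example.com/auth/realms/LOA",
  "authorization_endpoint": "https://login.example.com/auth/realms/LOA/protocol/openid-connect/auth",
  "token_endpoint": "https://login.example.com/auth/realms/LOA/protocol/openid-connect/token",
  "registration_endpoint": "https://login.example.com/auth/realms/LOA/clients-registrations/openid-connect"
}""")

# Constructed sample actor document using the spec's `endpoints` properties.
SAMPLE_ACTOR = {
    "id": "https://activitypub.example.com/users/foo",
    "endpoints": {
        "oauthAuthorizationEndpoint": "https://activitypub.example.com/oauth/authorize",
        "oauthTokenEndpoint": "https://activitypub.example.com/oauth/token",
    },
}


def discover(actor_doc: dict, metadata: Optional[dict]):
    """Prefer RFC 8414 metadata when available; otherwise use the actor's endpoints mapping."""
    if metadata is not None:
        return validate_metadata(metadata, actor_doc["id"])
    fallback = endpoints_from_actor(actor_doc)
    if fallback is None:
        raise ValueError("no OAuth endpoints discoverable for this actor")
    return fallback, ["no RFC 8414 metadata; dynamic registration unavailable"]


if __name__ == "__main__":
    print(metadata_url_for_actor(SAMPLE_ACTOR["id"]))
    print(discover(SAMPLE_ACTOR, SAMPLE_METADATA))
    print(discover(SAMPLE_ACTOR, None))
```

The host-mismatch warning is deliberately non-fatal: in the setup from the question the AP host and the Keycloak issuer are different hosts, and the reply's redirect is the intended way to bridge them. A client that silently accepted a metadata document with an http issuer or an endpoint on a third host would, however, be handing its authorization code to whoever controls that URL, so those cases raise.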