As described in Authentication & Authorization C2S, OAuth 2.0 bearer tokens should be used to access a server with an ActivityPub (AP) client.
"To discover the correct endpoint for authorization, clients should use OAuth-Server-Metadata on the host part from the actor’s ID URI."
I assume that OAuth-Server-Metadata means OAuth 2.0 Authorization Server Metadata (rfc8414).
Client IDs may be acquired using OAuth 2.0 Dynamic Client Registration Protocol (rfc7591).
In my setup, I use Keycloak as Identity Provider. The server metadata concerning OAuth2 are already provided by Keycloak: https://server/auth/realms/realm/.well-known/openid-configuration
The question is how does the client get the information? It cannot know which Identity Provider I use!
A possibility is that the AP server provides an endpoint like
and then gets the info about the issuer:
I am curious to hear your opinions.
I think it’s pretty clear to me from the wiki document you linked that for an actor with a URI of
https://example.com/users/foo, the metadata endpoint would live at
https://example.com/.well-known/oauth-authorization-server. So you would need to create a redirect or similar from that URL to whatever URL is provided by your identity server.
However, note that the wiki page you linked was just a working draft and never received a full implementation or specifications work. The ActivityPub spec has only this to say on the matter:
endpoints mapping MAY include the following properties:
If OAuth 2.0 bearer tokens [RFC6749] [RFC6750] are being used for authenticating client to server interactions, this endpoint specifies a URI at which a browser-authenticated user may obtain a new authorization grant.
If OAuth 2.0 bearer tokens [RFC6749] [RFC6750] are being used for authenticating client to server interactions, this endpoint specifies a URI at which a client may acquire an access token.
Dynamic client registration still poses a bit of a puzzle though…
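The discovery step described in the reply above (actor ID host, then /.well-known/oauth-authorization-server, then the RFC 8414 fields a client needs), as an added example that is not code from this thread or from any ActivityPub project. The metadata document, the idp.example.com URLs and the `sample_fetch` helper are constructed for the example; a real client would replace `sample_fetch` with an HTTPS GET that follows the AP server's redirect to the identity provider.

```python
"""Discover OAuth 2.0 endpoints for an ActivityPub actor via RFC 8414 metadata.

Added example, not code from the thread. It assumes the convention discussed
above: the metadata lives at /.well-known/oauth-authorization-server on the
host part of the actor ID, and that document (or a redirect to the identity
provider's own document) carries RFC 8414 fields.
"""
import json
from urllib.parse import urlparse, urlunparse

WELL_KNOWN_PATH = "/.well-known/oauth-authorization-server"

# Constructed sample of what the well-known URL might return once the AP
# server redirects to (or proxies) the identity provider's metadata.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://idp.example.com/auth/realms/realm",
    "authorization_endpoint": "https://idp.example.com/auth/realms/realm/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.com/auth/realms/realm/protocol/openid-connect/token",
    "registration_endpoint": "https://idp.example.com/auth/realms/realm/clients-registrations/openid-connect",
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
})


def metadata_url_for_actor(actor_id: str) -> str:
    """Map an actor ID such as https://example.com/users/foo to its metadata URL."""
    parts = urlparse(actor_id)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"actor ID must be an https URL with a host: {actor_id!r}")
    # Only the host part of the actor ID is used; the actor's path is dropped.
    return urlunparse(("https", parts.netloc, WELL_KNOWN_PATH, "", "", ""))


def parse_metadata(body: str) -> dict:
    """Validate an RFC 8414 document and return the endpoints a C2S client needs."""
    doc = json.loads(body)
    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        if key not in doc:
            raise ValueError(f"metadata is missing required field {key!r}")
    # Refuse to send credentials or codes to anything that is not https.
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "registration_endpoint"):
        value = doc.get(key)
        if value is not None and urlparse(value).scheme != "https":
            raise ValueError(f"{key} must be an https URL, got {value!r}")
    return {
        "issuer": doc["issuer"],
        "authorization_endpoint": doc["authorization_endpoint"],
        "token_endpoint": doc["token_endpoint"],
        # Present only if the identity provider offers RFC 7591 dynamic registration.
        "registration_endpoint": doc.get("registration_endpoint"),
    }


def discover_endpoints(actor_id: str, fetch) -> dict:
    """fetch(url) -> response body; injected so the example runs offline."""
    return parse_metadata(fetch(metadata_url_for_actor(actor_id)))


def sample_fetch(url: str) -> str:
    """Constructed stand-in for an HTTP GET that follows the AP server's redirect."""
    if url != "https://example.com" + WELL_KNOWN_PATH:
        raise LookupError(f"unexpected URL {url}")
    return SAMPLE_METADATA


if __name__ == "__main__":
    print(discover_endpoints("https://example.com/users/foo", sample_fetch))
```

One caveat of the redirect approach: RFC 8414 section 3.3 says the `issuer` in the returned document must equal the issuer identifier from which the well-known URL was built, so a strictly conforming client would reject a document whose `issuer` names the identity provider rather than the AP host. The parser above deliberately does not enforce that equality; a client that does must treat the AP server, not Keycloak, as the issuer, which is the puzzle the reply hints at.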