Simon Willison’s Weblog

10 items tagged “rfc”

2024

Grant Negotiation and Authorization Protocol (GNAP) (via) RFC 9635 was published a few days ago. GNAP is effectively OAuth 3 - it's a newly standardized design for a protocol for delegating authorization so an application can access data on your behalf.

The most interesting difference between GNAP and OAuth 2 is that GNAP no longer requires clients to be registered in advance. With OAuth the client_id and client_secret need to be configured for each application, which means applications need to register with their targets - creating a new application on GitHub or Twitter before implementing the authorization flow, for example.

With GNAP that's no longer necessary. The protocol allows a client to provide a key as part of the first request to the server which is then used in later stages of the interaction.

GNAP has been brewing for a long time. The IETF working group was chartered in 2020, and two of the example implementations (gnap-client-js and oauth-xyz-nodejs) last saw commits more than four years ago.

# 14th October 2024, 5:22 am / rfc, oauth, security

2022

RFC 7807: Problem Details for HTTP APIs (via) This RFC has been brewing for quite a while, and is currently in last call (ends 2022-11-03). I’m designing the JSON error messages for Datasette at the moment so this could not be more relevant for me.

# 1st November 2022, 3:15 am / standards, http, rfc, json, errors, mark-nottingham

2018

How to Read an RFC. An extremely useful guide to reading RFCs by Mark Nottingham. I didn’t know most of the stuff in here.

# 6th August 2018, 10:38 pm / rfc, mark-nottingham

2010

RFC5785: Defining Well-Known Uniform Resource Identifiers (via) Sounds like a very good idea to me: defining a common prefix of /.well-known/ for well-known URLs (common metadata like robots.txt) and establishing a registry for all such files. OAuth, OpenID and other decentralised identity systems can all benefit from this.

# 11th April 2010, 7:32 pm / rfc, urls, wellknownurls, openid, oauth, robots-txt

2007

I think it is well established that HTTP Authentication needs a major kick in the ass and OpenID and OAuth may get us most of the way there. However, until I see RFC#s attached to both I'm hardly going to consider them to be complete. I propose the creation of an IETF WG on Identity and Authentication. The WG would be chartered to produce two RFCs covering each of the two areas. OpenID and OAuth could be used to seed the WG effort.

James Snell

# 18th November 2007, 12:15 am / http, james-snell, openid, rfc, oauth, ietf, standards, standardisation

2006

Proposed RFC for application/json (via) Douglas Crockford is putting JSON through the IETF.

# 1st August 2006, 9:29 pm / json, ietf, douglas-crockford, rfc

2005

Fighting RFCs with RFCs

Google’s recently released Web Accelerator apparently has some scary side-effects. It’s been spotted pre-loading links in password-protected applications, which can amount to clicking on every “delete this” link — bypassing even the JavaScript prompt you carefully added to give people the chance to think twice.

[... 353 words]

2004

RFC 1925: The Twelve Networking Truths. “This memo documents the fundamental truths of networking for the Internet community.”

# 20th November 2004, 9:26 pm / rfc

RFC 3229: Delta encoding in HTTP (via) A solution to the RSS bandwidth problem?

# 13th September 2004, 11:09 pm / rfc, http, rss