Identerati Office Hours

Software Development

Austin, TX 1,633 followers

"Twice a week" livestream for discussions on identity, authz, federation, cybersecurity, and more!

About us

All identity, authn, authz, federation, IDM, IAG, or decentralized discussions are fair game! Co-host helps Mike ask questions. Identerati who want to jump in live should DM Mike on LinkedIn for the guest link.

Industry
Software Development
Company size
1 employee
Headquarters
Austin, TX
Type
Self-Owned
Founded
2024

Updates

  • Identerati Office Hours reposted this

    The IETF OAuth Working Group has adopted the "Client ID Metadata Document" spec recently. What is it about? Don't miss IOH Episode 149.5 with Aaron Parecki, Director of Identity Standards at Okta.

    📅 Date: Thursday, Oct 30
    ⏰ Time: at 3:45pm PST
    🔔 Add to Calendar: https://lnkd.in/gNSQFX7V
    📝 Episode notes: https://gluu.co/ioh-149.5

    This Identerati Office Hours livestream is sponsored by Gluu and hosted by Mike Schwartz. More info on the livestream:

    🌐 LinkedIn: https://gluu.co/ioh-home
    ▶️ YouTube: https://gluu.co/live
    📖 Wiki Pages: https://gluu.co/ioh-wiki

  • Episode 149.5: OAuth Client ID Metadata Document

    Clients identify themselves with their own URL, and host their metadata (name, logo, redirect URL) in a JSON document at that URL. They then use that URL as the client_id to introduce themselves to an authorization server for the first time. The mechanism of clients identifying themselves as a URL has been in use in IndieAuth for over a decade, and more recently has been adopted by BlueSky for their OAuth API.

    The recent surge in interest in MCP has further demonstrated the need for this to be a standardized mechanism, and was the main driver in the latest round of discussion for the document! This could replace Dynamic Client Registration in MCP, dramatically simplifying management of clients, as well as enabling servers to limit access to specific clients if they want.

  • Episode 152: Citizen Identity: Lessons from Social Security

    Leland Dudek, former acting head of the Social Security Administration from February to May 2025, shares his perspective on one of the government’s most pressing challenges: citizen identity management. For decades, the SSA has been at the heart of America’s identity infrastructure, yet the systems the US relies on were built for another era.

    Where does the US government fall short? Outdated technology, fragmented processes, overreliance on the Social Security Number: these gaps leave Americans vulnerable to fraud, inefficiency, and eroded trust.

    Most importantly, where does the SSA need to go next? How can the US build secure, interoperable digital credentials, harness innovation to improve payment integrity, and create an identity ecosystem that balances security, privacy, and access for every American?

  • Identerati Office Hours reposted this

    Darran Rolls

    Identity & Security Dude

    PBAC, RBAC, and the Assurance Gradient

    A recent IDPro article raised an important distinction: Policy-Based Access Control (PBAC) isn’t technically an authorization model like RBAC or ABAC; it’s an architecture for managing policy logic. That’s true in theory. But in practice, from a governance, controls, and audit perspective, they’re all doing the same thing: delivering entitlement to access.

    We sit at a critical moment in the evolution of access control. As we universally move away from static access towards dynamic assignment, we must not lose the thought that models differ, but accountability and assurance must not. PBAC changes the how, not the what or the why. https://lnkd.in/g5AySTNb

  • Identerati Office Hours reposted this

    Aaron Parecki

    Director of Identity Standards at Okta / OAuth @ IETF / Co-chair of IPSIE @ OpenID

    The IETF OAuth Working Group has adopted the Client ID Metadata Document specification!

    > This specification defines a mechanism through which an OAuth client can identify itself to authorization servers, without prior dynamic client registration or other existing registration.

    Clients identify themselves with their own URL, and host their metadata (name, logo, redirect URL) in a JSON document at that URL. They then use that URL as the client_id to introduce themselves to an authorization server for the first time. The mechanism of clients identifying themselves as a URL has been in use in IndieAuth for over a decade, and more recently has been adopted by BlueSky for their OAuth API.

    The recent surge in interest in MCP has further demonstrated the need for this to be a standardized mechanism, and was the main driver in the latest round of discussion for the document! This could replace Dynamic Client Registration in MCP, dramatically simplifying management of clients, as well as enabling servers to limit access to specific clients if they want.

    Thanks to everyone for your contributions and feedback so far! And thanks to my co-author Emilia Smith for her work on the document!

  • Identerati Office Hours reposted this

    👉 Zero trust isn't a future goal anymore. It's operational reality. Our latest blog breaks down what the shift from "zero trust as strategy" to "zero trust as execution" actually means for engineering leaders and architects. The conversation has moved beyond perimeter defense. Today's zero trust implementations require fine-grained authorization that scales across microservices, APIs, and distributed systems. Not just network segmentation. Traditional IAM and coarse-grained permissions can't keep up with modern application architectures. The gap between authentication (knowing who) and authorization (knowing what they can do) is where security breaks down at scale. If you're building or modernizing authorization systems, implementing zero trust beyond network controls, or struggling with permission management across distributed services, this write-up might be valuable. 🔗 Read the full blog: https://lnkd.in/dffBwEPW

  • Identerati Office Hours reposted this

    Andor Kesselman

    Building scalable, secure, and trustworthy multi-agent systems for the agentic web. Follow me for daily posts on trusted multi-agent systems.

    We're ready to kick off the Agentic Internet Workshop tomorrow! Excited to co-design the Agentic Web! Honored to be doing this with Kaliya Young, Doc Searls, Phil Windley, and Heidi Nobantu Saul. They are the OGs of building open spaces where technology can grow and advance to the next stage. See you tomorrow!

  • Identerati Office Hours reposted this

    🤝 Internet Identity Workshop Tue - Thu -- 💡 Don't miss my Wed session on "Trust Governance." Also, for the first time... 🤖 Agentic Internet Workshop follows on Friday! As Andor Kesselman promises... much invention and innovation on display and in progress!

    Andor Kesselman

    Building scalable, secure, and trustworthy multi-agent systems for the agentic web. Follow me for daily posts on trusted multi-agent systems.

    The Computer History Museum is going to be wild this week. IIW, VRM Day, and AIW are coming over the next few days, and I’m looking forward to incredible discussions of the future of digital identity, trust, and the emerging agentic web.

    For those who haven’t been, Internet Identity Workshop (IIW) is one of the longest-running (20+ years!) and most open community gatherings in the identity space. It's where developers, researchers, policymakers, and builders come together to shape the protocols that make the internet more human-centric. OpenID, OAuth, and Decentralized Identifiers were all developed at it, and I'm looking forward to seeing us tackle Agent Identity.

    VRM Day (Vendor Relationship Management Day) kicks off the week by focusing on how individuals can manage their own data and relationships with organizations.

    And finally, this year, we’re adding AIW: the Agentic Internet Workshop, a new sister event to IIW that dives into AI agents, autonomy, and trust in multi-agent systems. If you care about the agentic web, you won’t want to miss it.

    All these are unconference style. So there's lots of room to drive the conversation as you want. Don’t forget to sign up! Links below:

    IIW: https://lnkd.in/gr_3rw9P
    AIW: https://lnkd.in/g6aitZpQ
    VRM Day: https://lnkd.in/gtpZecK8

    Kaliya Young Phil Windley Doc Searls @Joyce Searls Drummond Reed Darrell O'Donnell @heidi nobantu saul
