OAuth 2.0 for First-Party Applications Support

[g7ed6e]

Do you plan to support OAuth 2.0 for First-Party Applications ? Mobile applications that implement native passkeys authentication would get a great UX benefit from this.
Despite OAuth 2.0 for Native Apps is great to educate users to put their password only in the authorization server login UI, presenting the authorization server login UI no longer makes sense with passkeys due to their phishing resistant capability.

[RolandGuijt]

We have looked into this and are actively monitoring the spec. As soon as the draft gets more concrete this will be triaged by our dev team.

[brockallen]

One issue is that the spec is still not final, and there are signs that there might be some non-trivial changes coming soon. So we're waiting to see how that all works out before we put too much time that might end up being wasted effort.

[g7ed6e]

One issue is that the spec is still not final, and there are signs that there might be some non-trivial changes coming soon. So we're waiting to see how that all works out before we put too much time that might end up being wasted effort.

I'm in the process of providing such a feature (native passkey authentication + AT/RT/id_token for a mobile app) what would be your best bet to go to production before the spec land ? Can you point to the WIP spec work that would probably cause non trivial changes ?

[brockallen]

Can you point to the WIP spec work that would probably cause non trivial changes

Mainly the IETF meeting recordings. In short they're considering adding this to PAR (or rather making it a PAR extension), rather than its own separate endpoint. So it's a little up in the air given that I don't know which way they plan to go. For now it's since this is all first party, I think a separate endpoint is the best and most isolated approach.