Apparently I missed the introduction of the 4.4mm TRRRS audio jack 10 years ago and just now discovered it. What a cool idea.
"I'll just check my critical thinking and nuke it in the microwave" has to be my favorite quote from this Business Insider video on Trader Joe's white-labeled food
Oh crap I just realized the "it" he was referring to was probably the food, not his critical thinking.
Me looking at my todo list on a Sunday night after having done at least a couple things today, yet somehow it looks more like a list of what I did *not* do today.
oh no, due to a series of misclicks, I just accidentally archived the most recent 100 emails in my inbox.
if nothing else, reviewing my "all mail" folder is doing a good job of making me question how important emails in my inbox actually are.
The new MCP spec just dropped! 🎉
There's too many new things to get into everything, but there are two big changes I am most excited about 👀
📝 Client ID Metadata Documents (CIMD) - a simpler way to manage client registrations, clients describe themselves with a URL they control
🔐 Enterprise-Managed Authorization extension (aka Cross App Access) - eliminate the OAuth redirect and get tokens for an MCP server by requesting them from the enterprise IdP
Read more about what these mean for you in my full post 👉 aaronparecki.com/2025/11/25/1...
Client Registration and Enterprise Management in the November 2025 MCP Authorization Spec
The new MCP authorization spec is here! Today marks the one-year anniversary of the Model Context Protocol, and with it, the launch of the new 2025-11-25 specification.
I’ve been helping out with the ...
I just finished adding BlueSky support to IndieLogin.com! Now you can log in to websites like indieweb.org with your BlueSky handle!

Adding Support for BlueSky to IndieLogin.com
Today I just launched support for BlueSky as a new authentication option in IndieLogin.com!
The IETF OAuth Working Group has adopted the Client ID Metadata Document specification!
> This specification defines a mechanism through which an OAuth client can identify itself to authorization servers, without prior dynamic client registration or other existing registration.
Clients identify themselves with their own URL, and host their metadata (name, logo, redirect URL) in a JSON document at that URL. They then use that URL as the client_id to introduce themselves to an authorization server for the first time.
The mechanism of clients identifying themselves as a URL has been in use in IndieAuth for over a decade, and more recently has been adopted by BlueSky for their OAuth API.
The folks at Stytch put together a really nice explainer website about it too!
cimd.dev
CIMD - OAuth Client ID Metadata Documents
Learn about Client ID Metadata Documents (CIMD) - a new OAuth approach that lets clients identify themselves using URLs instead of preregistration. Presented by Stytch.
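The check an authorization server would run on a client that introduces itself this way, as an added example that is not code from the posts or from the specification. The sample document, the `app.example` URLs, the function names and the URL-shape policy are assumptions; the field names are the standard OAuth client metadata names.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the JSON a client might host at its own client_id URL.
CLIENT_ID = "https://app.example/oauth/client.json"
SAMPLE_DOCUMENT = json.dumps({
    "client_id": CLIENT_ID,
    "client_name": "Example App",
    "logo_uri": "https://app.example/logo.png",
    "redirect_uris": ["https://app.example/callback"],
})


class ClientRejected(Exception):
    """Raised when the client must not be shown to the user for consent."""


def check_client_id_url(client_id):
    # Assumed policy: HTTPS only, a real path, no fragment, no userinfo.
    u = urlsplit(client_id)
    if u.scheme != "https" or not u.hostname:
        raise ClientRejected("client_id must be an https URL")
    if u.path in ("", "/") or u.fragment or u.username or u.password:
        raise ClientRejected("client_id URL shape not allowed")


def validate_client(client_id, document_body, requested_redirect_uri):
    """Check an already-fetched metadata document against the request."""
    check_client_id_url(client_id)
    try:
        doc = json.loads(document_body)
    except ValueError:
        raise ClientRejected("metadata document is not valid JSON")
    if not isinstance(doc, dict):
        raise ClientRejected("metadata document must be a JSON object")
    # The document must claim the URL it was served from; otherwise any
    # page could be passed off as the metadata of some other client.
    if doc.get("client_id") != client_id:
        raise ClientRejected("client_id in document does not match its URL")
    # Exact string comparison: no prefix or wildcard matching of redirects.
    uris = doc.get("redirect_uris")
    if not isinstance(uris, list) or requested_redirect_uri not in uris:
        raise ClientRejected("redirect_uri is not listed in the metadata")
    return {"name": doc.get("client_name"), "logo": doc.get("logo_uri"),
            "redirect_uri": requested_redirect_uri}
```

Fetching the document is left out so the example runs offline; a server doing the fetch needs its own limits on response size, timeouts and which addresses it will connect to.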
The IETF OAuth Working Group has adopted the Identity Assertion Authorization Grant specification!
datatracker.ietf.org/doc/draft-ie...
This is the basis of Cross App Access (XAA), providing IT admins better visibility and control by configuring the app-to-app connections in their enterprise IdP.

Identity Assertion Authorization Grant
This specification provides a mechanism for an application to use an identity assertion to obtain an access token for a third-party API by coordinating through a common enterprise identity provider us...
While it will still be a while before it is an RFC, this is an important step in the standards process, as this is the first time the document is "official"! This signifies that the working group agrees that the problem is worth solving, and agrees on the general direction of the spec.
Thanks to everyone for your contributions and feedback so far!
And thanks to my co-authors Karl McGuinness and Brian Campbell!
Inspired by a question from @thisismissem.social, I wrote up a document describing how to apply DPoP (RFC9449) to the OAuth Device Flow (RFC8628).
datatracker.ietf.org/doc/draft-pa...
DPoP for the OAuth 2.0 Device Authorization Grant
The OAuth 2.0 Device Authorization Grant [RFC8628] is an authorization flow for devices with limited input capabilities. Demonstrating Proof of Possession (DPoP) [RFC9449] is a mechanism to sender-con...
Well that's the last time I take my ID out of my wallet to go through airport security. I made the mistake of putting it into my pocket instead of back in my wallet and it seems to have fallen out somewhere between PDX and SFO 🫠
At least I have CLEAR right now so I should be able to get home without an ID.
Maybe some day Oregon will get on the mDL bandwagon and I won't need to rely on this silly piece of plastic anymore
Update: it worked! I only had to tap my phone and I got through TSA!
I just got FreePBX up and running and connected to a WiFi phone and my doorbell and video intercom system! I have two way calling between every device, I can even connect analog phones!
What shenanigans should I rig up next? I'm thinking maybe an old payphone at the street, or maybe an old 1920s style phone for the speakeasy...
The latest version of the MCP spec is now officially 2025-06-18! Congrats to everyone in the MCP community involved in making this happen!
Key updates to the authorization section 👇
⚙️ MCP Servers are no longer responsible for issuing access tokens or handling user authentication
🛡️ A dedicated Authorization Server separate from the MCP Server handles user authentication and issuing access tokens
🔍 RFC9728 Protected Resource Metadata enables the MCP client to dynamically discover the MCP Server's authorization server
👉 RFC8707 Resource Indicators are required as a security measure
Thanks to everyone who contributed to the many discussions to update the authorization part of the spec to be more compatible with existing OAuth systems!
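The discovery and resource-indicator steps from the list above, seen from the MCP client, as an added example that is not code from the post or the spec. The challenge header, metadata body, all `example.com` URLs and the function names are constructed assumptions; `resource_metadata`, `resource` and `authorization_servers` are the names defined by RFC9728 and RFC8707.

```python
import json
import re

# Constructed sample data: what an MCP server might return on a 401.
MCP_SERVER = "https://mcp.example.com/mcp"
CHALLENGE = ('Bearer resource_metadata='
             '"https://mcp.example.com/.well-known/oauth-protected-resource/mcp"')
METADATA_BODY = json.dumps({
    "resource": "https://mcp.example.com/mcp",
    "authorization_servers": ["https://auth.example.com"],
})


def metadata_url_from_challenge(www_authenticate):
    """Pull the RFC9728 resource_metadata URL out of a WWW-Authenticate value."""
    m = re.search(r'resource_metadata="([^"]+)"', www_authenticate)
    if not m or not m.group(1).startswith("https://"):
        raise ValueError("no usable resource_metadata parameter")
    return m.group(1)


def select_authorization_server(resource_url, metadata_body):
    """Return the authorization server for resource_url, or raise."""
    meta = json.loads(metadata_body)
    # The metadata must describe the resource the client actually called;
    # a mismatch means it cannot be trusted to name the authorization server.
    if meta.get("resource") != resource_url:
        raise ValueError("metadata describes a different resource")
    servers = meta.get("authorization_servers")
    if not isinstance(servers, list) or not servers:
        raise ValueError("no authorization server advertised")
    if not str(servers[0]).startswith("https://"):
        raise ValueError("authorization server must use https")
    return servers[0]


def authorization_request_params(resource_url, client_id, redirect_uri,
                                 state, code_challenge):
    """Parameters for the authorization request, with the RFC8707 resource."""
    return {
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "state": state,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
        # Binds the token to this MCP server so it is not valid elsewhere.
        "resource": resource_url,
    }
```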