Today the OAuth step up authentication challenge protocol becomes RFC9470.
rfc-editor.org/info/rfc9470
We now have an interoperable way for resource servers to tell clients when the authentication with which the current access token was obtained is insufficient and (crucially) to express what requirements would be acceptable… and a way for clients to use that info to influence the next authentication ceremony with the authorization server. Both are obtained with ultra-simple primitives easily added to existing SDKs, achieving sophisticated runtime behaviors without the need for complex eventing systems.
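To make the two halves of that exchange concrete, here is an added example (my own illustration, not code from the post, the RFC or any SDK). The resource server checks the `acr` and `auth_time` claims of the presented token against its policy and, when they fall short, answers with the RFC 9470 `WWW-Authenticate` challenge (`error="insufficient_user_authentication"` with the `acr_values` and `max_age` parameters); the client parses that challenge and folds the parameters into its next authorization request. The policy values, claims, `client_id`, `redirect_uri`, the authorization endpoint and the `scope` are all constructed for the example.

```python
"""Added example of the RFC 9470 step-up exchange.

Resource-server side: evaluate token claims against a policy and emit the
challenge. Client side: parse the challenge and build the next
authorization request. All endpoints, ids and claim values are
constructed for illustration.
"""
import re
import time
from urllib.parse import urlencode

# Constructed authorization endpoint (assumption, not a real server).
AUTHZ_ENDPOINT = "https://as.example/authorize"


def evaluate_token(claims, required_acrs=None, max_age=None, now=None):
    """Return None when the token satisfies the policy, otherwise the
    WWW-Authenticate header value carrying the step-up challenge.

    required_acrs: acceptable values for the token's `acr` claim, or None.
    max_age: maximum allowed seconds since the token's `auth_time`, or None.
    Only the parameters the policy actually uses are echoed back, so the
    client learns exactly which requirement it must satisfy."""
    now = time.time() if now is None else now
    acr_ok = required_acrs is None or claims.get("acr") in required_acrs
    auth_time = claims.get("auth_time")
    fresh = max_age is None or (
        auth_time is not None and (now - auth_time) <= max_age
    )
    if acr_ok and fresh:
        return None

    params = [
        'error="insufficient_user_authentication"',
        'error_description="A different authentication level is required"',
    ]
    if required_acrs is not None:
        params.append('acr_values="%s"' % " ".join(required_acrs))
    if max_age is not None:
        params.append('max_age="%d"' % max_age)
    return "Bearer " + ", ".join(params)


# Matches the quoted auth-param form used in the challenge.
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_challenge(header):
    """Split a WWW-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = header.partition(" ")
    return scheme, dict(_PARAM_RE.findall(rest))


def build_step_up_request(header, client_id, redirect_uri):
    """Turn a step-up challenge into the authorization request URL the
    client should send next. Returns None if the header is not a step-up
    challenge (the client then falls back to its normal error handling).
    The `scope` value is an assumption for the example."""
    scheme, params = parse_challenge(header)
    if scheme.lower() != "bearer":
        return None
    if params.get("error") != "insufficient_user_authentication":
        return None
    query = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
    }
    # acr_values and max_age are the OpenID Connect authorization request
    # parameters RFC 9470 reuses to steer the next authentication ceremony.
    if "acr_values" in params:
        query["acr_values"] = params["acr_values"]
    if "max_age" in params:
        query["max_age"] = params["max_age"]
    return AUTHZ_ENDPOINT + "?" + urlencode(query)


if __name__ == "__main__":
    # Constructed token claims: password-level ACR, authenticated 10 minutes ago.
    claims = {"acr": "urn:example:pwd", "auth_time": 1_700_000_000}
    challenge = evaluate_token(
        claims, required_acrs=["myACR"], max_age=300, now=1_700_000_600
    )
    print(challenge)
    print(build_step_up_request(challenge, "app123", "https://app.example/cb"))
```

Note that the resource server never tells the client how to authenticate the user; it states the outcome it needs (an `acr` value, a freshness bound) and leaves the ceremony to the authorization server, which is what keeps both ends simple.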
One unexpected benefit of this document is clarity we didn't know we needed. The discussion made clear that we all have different ideas and expectations about what step-up authentication really means. The non-normative sections of RFC 9470 capture the salient points and outcomes of that discussion, hopefully facilitating communication and preempting common errors.
On a personal note: this will be the last spec I drive from idea to RFC in my life, and I couldn't have had a better coauthor than @__b_c. From his world-class competence to his encyclopedic knowledge of this space, but above all through his genuine desire for the best outcomes for everyone, Brian is just incredible and a joy to work with. Thank you for this wonderful last ride, dear friend.