Passkeys don't replace OAuth 2.0. They're used together in most cases. A passkey is typically used to sign in to the Identity Provider, which then allows the user to authorize a client using the OAuth 2.0 framework. Then access tokens and refresh tokens are used by the client.
Hello,
Do you know if anybody is working on standardizing WebAuthn in SASL?
SASL is used in e-mail (IMAP, SMTP), XMPP and other internet protocols. It's possible to use OAuth2, but it only works with the biggest providers because it requires client developers to register their apps (https://searchfox.org/comm-central/source/mailnews/base/src/OAuth2Providers.sys.mjs). That obviously doesn't scale over the internet because it would require every email client to be registered with every server.
There are some proposed solutions for that like using RFC 7591 OAuth 2.0 Dynamic Client Registration Protocol or mauth (https://github.com/benbucksch/mauth-spec), but I believe that they come with their own security drawbacks, like the one I reported in benbucksch/mauth-spec#4.
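As an added example (not code from this discussion or from either participant), the following Python shows the existing SASL mechanism that carries OAuth 2.0 access tokens into IMAP: OAUTHBEARER (RFC 7628). It illustrates the reply's point that, once a passkey sign-in at the Identity Provider has yielded an access token, the client presents that token to the mail server through SASL, and it shows the server-side check plus the JSON failure message the mechanism defines. The host names, the tag, the token table standing in for real token introspection, and the openid-configuration URL are all constructed for the example; the client-registration problem raised in the question concerns how the token is obtained, which this exchange does not address.

```python
"""Constructed SASL OAUTHBEARER (RFC 7628) exchange for IMAP, client and server halves."""
import base64
import json

KVSEP = "\x01"  # RFC 7628 key/value separator (a single 0x01 byte)

# Constructed stand-in for token introspection at the IdP: token -> subject
VALID_TOKENS = {"tok-constructed-123": "alice@example.com"}


def build_initial_response(authzid: str, host: str, port: int, access_token: str) -> str:
    """Client side: GS2 header + kvsep-delimited fields, ending in a double kvsep."""
    # GS2 header: no channel binding ("n"), authorization identity, trailing comma
    gs2 = f"n,a={authzid},"
    # Each key=value pair is terminated by 0x01; the message ends with one more 0x01
    fields = f"host={host}{KVSEP}port={port}{KVSEP}auth=Bearer {access_token}{KVSEP}"
    return gs2 + KVSEP + fields + KVSEP


def imap_authenticate_command(tag: str, initial_response: str) -> str:
    """Client side: IMAP AUTHENTICATE with a base64 initial response (SASL-IR, RFC 4959)."""
    b64 = base64.b64encode(initial_response.encode()).decode()
    return f"{tag} AUTHENTICATE OAUTHBEARER {b64}"


def parse_initial_response(msg: str) -> dict:
    """Server side: validate the framing and pull out authzid, host, port and token."""
    gs2, sep, rest = msg.partition(KVSEP)
    if sep == "" or not rest.endswith(KVSEP + KVSEP):
        raise ValueError("malformed OAUTHBEARER initial response")
    parts = gs2.split(",")
    if len(parts) != 3 or parts[0] != "n" or not parts[1].startswith("a="):
        raise ValueError("unsupported GS2 header")
    out = {"authzid": parts[1][2:]}
    for kv in rest[:-2].split(KVSEP):
        key, _, value = kv.partition("=")
        out[key] = value
    if not out.get("auth", "").startswith("Bearer "):
        raise ValueError("auth field must carry a Bearer token")
    out["token"] = out["auth"][len("Bearer "):]
    return out


def error_json(status: str) -> str:
    """Failure message the server sends (base64 in a continuation); the client then
    answers with a lone 0x01 to end the exchange, as RFC 7628 requires."""
    return json.dumps({
        "status": status,
        "scope": "imap",
        "openid-configuration": "https://idp.example/.well-known/openid-configuration",
    })


def server_evaluate(initial_response: str, expected_host: str) -> tuple:
    """Server side: returns (True, subject) on success or (False, error_json) on failure.
    The token must be known, and its subject must match the requested authzid,
    so a valid token for one user cannot be used to act as another."""
    try:
        req = parse_initial_response(initial_response)
    except ValueError:
        return False, error_json("invalid_request")
    if req.get("host") != expected_host:
        return False, error_json("invalid_request")
    subject = VALID_TOKENS.get(req["token"])
    if subject is None or subject != req["authzid"]:
        return False, error_json("invalid_token")
    return True, subject


def client_handle_failure(server_b64: str) -> tuple:
    """Client side: decode the server's JSON failure and produce the closing 0x01."""
    err = json.loads(base64.b64decode(server_b64).decode())
    return err["status"], KVSEP


if __name__ == "__main__":
    msg = build_initial_response("alice@example.com", "imap.example.com", 993, "tok-constructed-123")
    print(imap_authenticate_command("A01", msg))
    print(server_evaluate(msg, "imap.example.com"))
    bad = build_initial_response("bob@example.com", "imap.example.com", 993, "tok-constructed-123")
    ok, err = server_evaluate(bad, "imap.example.com")
    print(ok, client_handle_failure(base64.b64encode(err.encode()).decode()))
```

The server check binds the token to the requested authorization identity and to the host the client named, which is what keeps a token issued for one mailbox from being replayed against another identity or another server; the `openid-configuration` field in the failure message is how the server points the client at the IdP it expects, which is also where any client-registration step would have to happen.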