From d56cc669369ba2800ef0fd7875e844302c7d4521 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Tue, 28 Jun 2022 20:07:32 +0100 Subject: [PATCH] Authentication --- specification/activitypub.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/specification/activitypub.md b/specification/activitypub.md index 96e4e2fbd..ef16350bd 100644 --- a/specification/activitypub.md +++ b/specification/activitypub.md @@ -1140,14 +1140,15 @@ To support multiple languages, `Note` and `Article` objects can include `content } ``` - ## B. Security Considerations *This section is non-normative.* ### B.1 Authentication and Authorization ActivityPub uses authentication for two purposes; first, to authenticate clients to servers, and secondly in federated implementations to authenticate servers to each other. -Unfortunately at the time of standardization, there are no strongly agreed upon mechanisms for authentication. Some possible directions for authentication are laid out [in the Social Web Community Group Authentication and Authorization best practices report](https://www.w3.org/wiki/SocialCG/ActivityPub/Authentication_Authorization). +In most implementations authentication from client to server happens via [OAuth 2.0](https://datatracker.ietf.org/doc/html/rfc6749), although other methods MAY be used. + +Also see the [Social Web Community Group Authentication and Authorization best practices report](https://www.w3.org/wiki/SocialCG/ActivityPub/Authentication_Authorization). ### B.2 Verification Servers should not trust client submitted content, and federated servers also should not trust content received from a server other than the content's origin without some form of verification.
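Review bot: the added line "In most implementations authentication from client to server happens via [OAuth 2.0](...), although other methods MAY be used." puts the RFC 2119 keyword MAY into a section whose unchanged context line "*This section is non-normative.*" says carries no requirements; use plain "may" or "can" so the sentence does not read as a conformance statement. The hunk also drops the old "no strongly agreed upon mechanisms for authentication" sentence but only speaks to the client-to-server case, leaving the server-to-server purpose named in the unchanged paragraph above ("secondly in federated implementations to authenticate servers to each other") without any statement of its status; either keep a sentence saying that case remains unspecified or point the reader to the linked best-practices report for it. Finally, "In most implementations" is an unsourced empirical claim for a specification; consider "Client-to-server authentication is commonly done with OAuth 2.0" or a reference that supports the claim.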