I've been enjoying modern machine-to-machine flows. Trading trusted URLs for client ids is a really secure model. Especially if you go the extra mile with role based machine auth to cloud key stores. You can do the entire thing without a single secret string. I'd much rather prove I can control a URL than ensure a piece of information never leaks out.

▲

mooreds 18 hours ago | parent [-]

Are you talking about CIMD?

	▲	bob1029 16 hours ago \| parent [-]
		Not specifically but it's the same idea. CIMD is perhaps one step too far for the cases I've worked with. We seem to prefer an out-of-band process for establishing trust. Two CTOs exchanging FQDNs at lunch is a fairly robust model.