Client registrations are also not portable across AuthZ Servers. As a dev you need to reg the same app with every ecosystem and manage credentials, often static. End users often have no assurance besides logo and name that they are authorizing the same app in every ecosystem.
Replying to @jankytweet
This is actually a very good description of the benefit of IndieAuth's use of URLs as client IDs. w3.org/TR/indieauth/#client-… Every app is identified by its URL, so you can build trust that way across providers.

Jan 9, 2020 · 2:03 PM UTC

Replying to @aaronpk
OIDC also supports a similar model for self-issued providers openid.net/specs/openid-conn… as well as a proposal for a stateless identifier as a JWT tools.ietf.org/html/draft-br…. I could see a remix of these ideas along with signed software statements. Still need trust.
SaaS platforms will still want to manage what apps are blessed to access their resources and have partner tiers and onboarding flows. Don’t see TOFU with dynamic reg being attractive to the platform owners.