earlier replies
Replying to @apenwarr @skarra @davidcrawshaw @bradfitz @rstropek @schlagfell @Tailscale
Sounds like time to write a new minimal standard with conformance criteria/test suites :D
1
My original OpenID was nice. 🤷‍♂️😜
2
14
I thought that at the time! But what stopped it? I know oauth1 had some crazy crypto-in-javascript nonsense that held it back, but that wasn't in openid. I'm not clear what happened there... or whether it's reversible :)
2
Brad, Didn't it have URLs as IDs or something? That part felt weird even at that time (vague memories...)
2
Yes, it used URLs instead of email addresses. It was ahead of its time. (Nowadays non-nerds people are more likely to identity with or share their Facebook or Instagram or Twitter or GitHub handle than an email) Relying Parties balked at not having an email address to spam with.
2
6
Have you considered using IndieAuth (indieauth.spec.indieweb.org) which does the same now? I’ve implemented it on my personal site (github.com/shurcooL/home/iss…) and I’m very happy with it. Especially during GitHub outages.

add support for signing in via IndieAuth · Issue #34 · shurcooL/home

Currently, it is possibly to sign in to home only via GitHub. While this has worked well and provides a simple user experience, it has some downsides: requires having a GitHub account doesn't w...

github.com
2
1
Here's some background on why this solves the particular problem you're talking about in this thread: aaronparecki.com/2018/07/07/…

OAuth for the Open Web

aaronparecki.com
1
4
Neat! Seems to still have the URL pasting problem though. How is that UX different from openid, which users didn’t like?
2
1
That problem can only be solved by browsers. Right now, most of the time the browser autocompletes my URL because I've entered it enough, so I'm not actually typing it out. With any amount of thought, browsers could automate that just like credit card payment forms.
1
1
If login were automated like credit card forms, it would fail about 50% of the time and need me to enter a page full of unnecessary personal information by hand. That’s not a good model. Why not let me enter an email address instead? That has a domain in it.
3
Replying to @apenwarr @dmitshur @bradfitz @skarra @evntdrvn @davidcrawshaw @rstropek @schlagfell @Tailscale
Why is entering an email address less work than entering a URL? What I'm saying is browsers could have an "account chooser" UI to save a URL and enter it in the login field.

Apr 10, 2020 · 3:39 PM UTC

2
Replying to @aaronpk @dmitshur @bradfitz @skarra @evntdrvn @davidcrawshaw @rstropek @schlagfell @Tailscale
That creates a chicken-and-egg problem: browsers won't adopt it unless it's popular. It won't be popular unless browsers adopt it. Chicken-and-egg problems create usually-insurmountable barriers to adoption.
1
That hasn't been true for years. Browser vendors are pushing new features that they want or think will be helpful. Here are some examples: github.com/WebKit/explainers See also all the Twitter threads of people getting angry that Chrome implements something before it's standardized.

GitHub - WebKit/explainers: Explainers from WebKit contributors

Explainers from WebKit contributors. Contribute to WebKit/explainers development by creating an account on GitHub.

github.com
1
more replies
Replying to @aaronpk @apenwarr @bradfitz @davidcrawshaw @Tailscale
And we're about to have to integrate login into browsers to make anti-tracking efforts like ITP actually work. I don't know exactly what that'll look like (or what URL to point you to yet...) but please keep your eyes open and help make sure we don't screw it up.
1
1
I'll definitely keep my eye out for this! It'd be great if you could post something to the OAuth or OIDC mailing lists when you have a proposal too. oauth.net/about/community/
1