IndieAuth is essentially the spiritual successor to OpenID - it lets you use your own domain name to sign-in to services in a decentralized fashion. Since Datasette actively encourages deploying brand new web applications to new URLs on a whim, it's a great fit for authentication
😢 @aaronpk knows my stance on this well - domain-based auth is exclusionary and confusing to users. IndieAuth should just use email addresses, even if it doesn't use webfinger and just does s/@([^.*]\..*$/\1/ with the address.
In the meantime, IndieAuth is, imho, a step backwards. OAuth/OIDC sign-in with login_hint works *great*; the lack of auto-/no-registration / a public key version is a real bummer, though.
Replying to @blaine @simonw
This one I’m really confused on, and we should probably chat about it to clear things up. IMO OIDC is more of a barrier here because the default is that clients need to register. With IndieAuth there is no expectation of client registration at all.

Nov 19, 2020 · 4:18 AM UTC

Replying to @aaronpk @simonw
Yeah, client registration is a hold-over, and unnecessary for domain validation (same as letsencrypt). It's unfortunate OIDC didn't do a better job here. To be clear, I'm totally pro-IndieAuth, because the _protocol_ doesn't matter as long as it's secure. It's the UX / messaging.