IndieAuth is essentially the spiritual successor to OpenID - it lets you use your own domain name to sign-in to services in a decentralized fashion Since Datasette actively encourages deploying brand new web applications to new URLs on a whim, it's a great fir for authentication

😢 @aaronpk knows my stance on this well - domain-based auth is exclusionary and confusing to users. IndieAuth should just use email addresses, even if it's not doesn't use webfinger and just does s/@([^.*]\..*$/\1/ with the address.

In the meantime, IndieAuth is, imho, a step backwards. OAuth/OIDC sign-in with login_hint works *great*; the lack of auto-/no-registration / a public key version is a real bummer, though.

(specs exist, but no-one uses it; I really wish IndieAuth was something we could realistically add support for on e.g. Conde sites, but the "you must register your own domain" aspect makes it virtually impossible)

I'm intrigued by the IndieAuth thing where you can input a domain but your final identifier is a page specific to you on that domain - seems like it could help avoid users having to register their own domain or remember their full URL

so it turns out this works. I can type in “aaron@parecki.com” in an indieauth prompt and it works. because that is a URL.

I thought that was valid with RelMeAuth but not IndieAuth - how can I get that working as an IndieAuth client?

I’ll admit it’s a bit of a “hack”. The trick is “aaron@parecki.com” is a URL because if you assume the http scheme then you get http://aaron@parecki.com which is a username but no password with HTTP basic auth. The server can switch what it returns based on that username.

As a client developer you have to: 1) follow the spec by assuming “http” if no scheme is entered, and 2) allow the user-entered URL to contain a username component.

Thanks, filed an issue github.com/simonw/datasette-…