Implementing IndieAuth for Datasette

IndieAuth is a spiritual successor to OpenID, developed and maintained by the IndieWeb community and based on OAuth 2. This weekend I attended IndieWebCamp East Coast and was inspired to …

simonwillison.net

Simon Willison · Nov 19, 2020 · 1:16 AM UTC

Simon Willison @simonw

19 Nov 2020

IndieAuth is essentially the spiritual successor to OpenID - it lets you use your own domain name to sign-in to services in a decentralized fashion Since Datasette actively encourages deploying brand new web applications to new URLs on a whim, it's a great fir for authentication

Blaine Cook · Nov 19, 2020 · 3:52 AM UTC

Blaine Cook @blaine

19 Nov 2020

😢 @aaronpk knows my stance on this well - domain-based auth is exclusionary and confusing to users. IndieAuth should just use email addresses, even if it's not doesn't use webfinger and just does s/@([^.*]\..*$/\1/ with the address.

Aaron Parecki · Nov 19, 2020 · 4:28 AM UTC

Aaron Parecki · Nov 19, 2020 · 4:28 AM UTC

Aaron Parecki @aaronpk

19 Nov 2020

Replying to @blaine @simonw

Email addresses *are* domain-based auth. I think you’re conflating two different parts of the system. In IndieAuth, the canonical user identifier doesn’t have to be the thing the user enters in a login prompt. This is also true for almost every other authentication system.

Nov 19, 2020 · 4:28 AM UTC

Blaine Cook · Nov 19, 2020 · 5:20 AM UTC

Blaine Cook @blaine

19 Nov 2020

Replying to @aaronpk @simonw

(sorry, catching up ;-) ) I guess my position is that if I could have one thing written on my tombstone on top of a hill made of words, both would say: "The Canonical User Identifier Should Always Be The Thing The User Enters In A Login Prompt" 😂