Replying to @blaine @aaronpk
Has anyone tried an authentication mechanism based on some kind of DNS TXT record where you look up the user's auth provider based on a DNS record attached to their email domain?
1
1
That was literally where we started 12+ years ago. ;-) DNS is kind of hard to implement for most, and is actually less secure than HTTPS, hence webfinger discovery as this mechanism (webfinger led to .well-known being standardised, which is what letsencrypt & others use).
3
I haven't tracked closely, but DNSSEC is still not widely deployed, right?
1
Somewhere around 60% of the users I support use gmail, so any approach is going to need to be supported by Google. Their OAuth implementation is pretty seamless these days for sign-in.
My goal is to enable secure, simple federated identity. Authentication is a core bit of functionality in that regard. Obviously supporting non-corporate identities is critical, but forcing everyone to be 'indie' is a mistake, I think.
1
1
Replying to @blaine @ozaed @simonw
Nobody said "force". My goal is to *enable* indie identities, something that is pretty much completely glossed over by the current OIDC ecosystem.

Nov 19, 2020 · 6:17 AM UTC

1
Replying to @aaronpk @ozaed @simonw
I don't agree that it's completely glossed over - there is a registration protocol, it's just not widely implemented. The intent could be better stated, for sure, but I think IA's emphasis is too far the other way. My ideal is something in between IndieAuth and OIDC, I think! 😊
1
Take a look at my ActivityPub conference talk, starting at 11:50; I address the UX aspect of it here: aaronparecki.com/2020/09/22/… Also happy to set up a time to chat about this instead! I think we have a lot of similar goals!
1