Interesting! Question: another thing I struggle with here is that it seems that an RP needs to register out of band with an IDP before they can accept users from that IDP. Contrary to email, where any email provider goes in a username/password form. Is that also solved?

It honestly very much depends on how the RP builds their backend. Generally speaking, RPs that let you disconnect or connect a federated provider on the fly, have a well structured IAM backend / database.

Doesn't this depend on the IDP to hand you a client_id before hand?

Yes, that would always be the case for these types of use cases.

So, even if a RP wanted to accept an IDP dynamically (e.g. without a prior agreement, i.e. without a client_id) it wouldn't be able to, right?

There are discovery mechanisms but they're not widely used for this use case.

Is there any existing mechanism (even if not widely deployed) that would allow a user to use an IDP with an RP dynamically (i.e. without a pre arrangement between the RP and the IDP)?

Dynamic Client Registration, but afaik no major provider supports this because they *want* RPs to have a pre-established relationship. We built IndieAuth to avoid the need for any client registration and it works great for that use case: aaronparecki.com/2018/07/07/…

Will read more carefully tomorrow.

Ok, I did look into this more carefully and I remember running into this earlier. How does this relate to OIDC? Is it fair to characterize it as an alternative to it that operates on the same level/layer (e.g. both are extensions to oauth?)?