Doesn't this depend on the IDP to hand you a client_id before hand?
1
Yes, that would always be the case for these types of use cases.
1
So, even if a RP wanted to accept an IDP dynamically (e.g. without a prior agreement, i.e. without a client_id) it wouldn't be able to, right?
1
There are discovery mechanisms but they're not widely used for this use case.
1
Is there any existing mechanism (even if not widely deployed) that would allow a user to use an IDP with an RP dynamically (i.e. without a pre arrangement between the RP and the IDP)?
3
1
Dynamic Client Registration, but afaik no major provider supports this because they *want* RPs to have a pre-established relationship. We built IndieAuth to avoid the need for any client registration and it works great for that use case: aaronparecki.com/2018/07/07/…
1
2
Will read more carefully tomorrow.
1
2
Ok, I did look into this more carefully and I remember running into this earlier. How does this relate to OIDC? Is it fair to characterize it as an alternative to it that operates on the same level/layer (e.g. both are extensions to oauth?)?
2
There are definitely some similarities since they are both adding an identity layer on top of OAuth. IndieAuth is a much smaller surface area tho and does less stuff. Some more details here: indieweb.org/How_is_IndieAut…
1
1
"Because these URLs rely on the public web and DNS, they are guaranteed to be globally unique." -- ugh, is this a feature or a bug? I feel like this isn't going to age well :(
1
Do you mean when there's a viable replacement for DNS? We can cross that bridge when we come to it.

Oct 8, 2021 · 4:24 AM UTC

1
No, in the sense are these designed such that two different RPs get the same global identifier for the same user?
1
1
Oh yeah, that's intentional. It'd be interesting to explore what it could look like otherwise tho.
2
2