Is there any existing mechanism (even if not widely deployed) that would allow a user to use an IDP with an RP dynamically (i.e. without a pre-arrangement between the RP and the IDP)?
Dynamic Client Registration, but afaik no major provider supports this because they *want* RPs to have a pre-established relationship. We built IndieAuth to avoid the need for any client registration and it works great for that use case: aaronparecki.com/2018/07/07/…
Will read more carefully tomorrow.
Ok, I did look into this more carefully and I remember running into this earlier. How does this relate to OIDC? Is it fair to characterize it as an alternative to it that operates on the same level/layer (e.g. both are extensions to oauth?)?
There are definitely some similarities since they are both adding an identity layer on top of OAuth. IndieAuth is a much smaller surface area tho and does less stuff. Some more details here: indieweb.org/How_is_IndieAut…
"Because these URLs rely on the public web and DNS, they are guaranteed to be globally unique." -- ugh, is this a feature or a bug? I feel like this isn't going to age well :(
Do you mean when there's a viable replacement for DNS? We can cross that bridge when we come to it.
No, in the sense are these designed such that two different RPs get the same global identifier for the same user?
Oh yeah, that's intentional. It'd be interesting to explore what it could look like otherwise tho.
LMK if you run into a good formulation. FWIW email may be a good analogy and source of inspiration. In browser land, SHA256(user + RP)@idp.example does the trick.
Relying on sha256 as the end of the story seems like a thing that also won't age well. It's only a matter of time until we see sha256 the way we see md5 today.

Oct 8, 2021 · 4:44 AM UTC

Sure. I'm sure one could find a hashing function that would age well (I'm making an assumption :) but a lot of stuff breaks if one doesn't :)).
But there's a big difference in relying on a specific hash function for something that won't matter a day from now (validating an ID token) vs something that can be correlated years later (hashed identifiers in logs)
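A worked version of the pairwise-identifier idea discussed in the thread (`SHA256(user + RP)@idp.example`) and of the "correlated years later" concern raised about it, added here as an example; it is not code from any of the participants. The first function is the thread's formulation as quoted. The keyed HMAC-SHA256 variant, the length-prefixed encoding, and the brute-force helper are my additions, and the IdP host, secret, user names and RP hosts are constructed sample values.

```python
import hashlib
import hmac

IDP = "idp.example"  # constructed IdP host, standing in for the thread's idp.example

# Constructed secret. In a real IdP this lives in a KMS/HSM and is never given to RPs.
IDP_SECRET = b"constructed-demo-secret"


def sha256_pairwise(user: str, rp: str) -> str:
    """The thread's formulation: SHA256(user + RP)@idp.example.

    Same user at the same RP -> same identifier (stable login);
    same user at a different RP -> different identifier (no join by equality).
    """
    digest = hashlib.sha256((user + rp).encode()).hexdigest()
    return f"{digest}@{IDP}"


def keyed_pairwise(user: str, rp: str, secret: bytes = IDP_SECRET) -> str:
    """Keyed variant (my assumption, not something the thread proposes).

    HMAC-SHA256 under an IdP-only secret, with a length-prefixed user field so
    that (user="alice", rp="rp.example") and (user="alicerp", rp=".example")
    encode to different messages. Without the secret, nobody can recompute
    or brute-force the user -> identifier mapping, so an identifier found in
    an old log is not correlatable back to a user.
    """
    msg = len(user).to_bytes(2, "big") + user.encode() + rp.encode()
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{digest}@{IDP}"


def brute_force_user(identifier: str, rp: str, candidates, derive=sha256_pairwise):
    """What a holder of an old identifier (an RP, a log archive, a breach dump)
    can do against the unkeyed form: hash every plausible user name with the
    known RP and compare. Returns the matching user, or None."""
    for user in candidates:
        if derive(user, rp) == identifier:
            return user
    return None


if __name__ == "__main__":
    alice_at_shop = sha256_pairwise("alice", "shop.example")
    alice_at_news = sha256_pairwise("alice", "news.example")
    print("pairwise, not global:", alice_at_shop != alice_at_news)

    # Plain concatenation is ambiguous: two different (user, rp) pairs collide.
    print("concat collision:",
          sha256_pairwise("alice", "rp.example") == sha256_pairwise("alicerp", ".example"))

    # Years later, anyone holding alice_at_shop plus a user list recovers "alice".
    print("recovered:", brute_force_user(alice_at_shop, "shop.example",
                                         ["bob", "alice", "carol"]))

    # The keyed form is only recomputable by the IdP; a guess at the secret gets nothing.
    keyed = keyed_pairwise("alice", "shop.example")
    print("keyed recovered:", brute_force_user(
        keyed, "shop.example", ["bob", "alice", "carol"],
        derive=lambda u, r: keyed_pairwise(u, r, b"wrong-guess")))
```

The unkeyed form gives each RP a different identifier, which is the unlinkability the thread is after, but because user names and RP hosts are guessable inputs, the identifier is just a puzzle with a small key space; that is the part of "hashed identifiers in logs" that does not age well regardless of which hash function is chosen. Keying the derivation moves the secret into the IdP, so the hash function's strength only has to hold while the secret stays secret, and replacing the secret (with a migration) retires every identifier at once.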