bicycle |
28 min
|
3.7 miles
|
bicycle |
@jhabdas I wouldn't.
Total tangent, but here goes...
For years I've been working on a protocol I call OAuth3 (but I'd like to come up with a better name). It's like a peer version of OIDC or a convenient version of IndieAuth.
However, there have been a number of roadblocks and challenges. Having something work peer-to-peer (decentralized) and be convenient, is neigh unto impossible (but it is possible).
The problem with all existing auth solutions is that they're in one of two camps: Proprietary/Centralized (OAuth2 implementations) or complicated for a non-technical user OpenID/IndieAuth.
The way I believe that peer authentication will succeed is by providing a solution that primarily executes on the client device (keypair authentication) but, by default, syncs the public keys to a shared server (with a centralized well-known server as the default), and uses a static page (or 3rd party app if on a phone) - no server APIs required to function - in essentially the way a browser plugin (or native Facebook/Google OAuth on phones) works to manage the exchanges.
Ultimately, browsers need to adopt such a protocol, but it most be open and compatible between browsers. The same is true for smart phones. Until then, the centralized server would serve as a "broker" to serve the user's preferences to other client-side apps.
Most importantly, people need to be able to login like they're used to. It must be easier than the current solutions, not more difficult (and how better to make it easier than by removing the most frustrating - and least secure - part of login: passwords).
/.well-known/peer-auth/index.json
?subject={email}
for the next step and save the user's choiceIf you're on one side of a chasm and you want to migrate a host of people to the other side, you need a bridge. Something like generic-auth.org (in the hypothetical scenario above) acts as that bridge. The migration would be complete when browsers and phones natively support open-protocol peer-based authentication that doesn't require 3rd party apps to bridge the gap anymore.
Until that time you have the problem of OpenID/IndieAuth if you go for the "Perfect" peer solution - it requires too much knowledge and effort to intentionally use it. My mom is unlikely to create a website and link it to her other accounts with HTML tags.
The truly "perfect" solution then is the solution that people who don't care about technology and who don't understand the risks with their current login and authentication setups will adopt out of convenience, and perhaps a sense of individuality or pride, but certainly not for being the most technically correct solution.
Peer-to-Peer can either be convenient for end-users or convenient to develop. It simply can't be both.
The saving grace is that if it's implemented in JavaScript and used in native apps through a web view, we only need a single implementation for the client-side and only 3 to 5 APIs for the server side (sync public keys, send email / push notifications, sync pairwise grants) - none of which require knowing anything about security or keypair signing and encryption - just opaque files, simple messages, and plain-old JSON.
You've basically described IndieAuth, but using .well-known
instead of a follow-your-nose approach.
Email addresses are URLs too. If you assume an http://
scheme for an email address, fetching http://aaron@parecki.com/
provides the server with aaron
as the username. Try it out:
curl -i http://aaron@parecki.com/
I made that site send an HTTP redirect to my actual website, so I can log in with my email address anywhere that uses IndieAuth right now.
Supporting two-factor auth, or passwordless auth is entirely up to the IndieAuth server, as it's not part of the federation spec. In fact, I already have passwordless login to my website using a push notification to my phone which works with every IndieAuth client already because the clients don't care how I authenticate to my website, just that I do authenticate.
As for your point about the bridge, anyone can create a generic IndieAuth provider that provides identities to anyone who wants one and doesn't care about owning their identity. They enter generic.co/user1
as their URL when they sign in. It's up to that service to make actually authenticating users as easy as possible, whether that's by emailing a one-time link, setting up a mobile app for push notifications, using a regular password, or whatever.
@aaronpk Perhaps I misunderstood and need to read carefully. Perusing https://indieauth.com/ what I got was "This is a reboot of OpenID that requires you to create a webpage and link to it".
Perhaps that's not at all related to "IndieAuth" that we're talking about here (I didn't read your article yet, but I will now).
Yeah sorry for the confusion. I've started the (very slow) process of shutting down indieauth.com
because I never should have launched a service with the same name as the spec. That site is not a good representation of the concepts behind IndieAuth.
Please do check out the blog post, it does a much better job of explaining the actual goals and motivations of the spec.
I looked through the DreamWidth source code to see if I could implement full-history syndication feeds for them, but they don't have things like querying for posts oldest-first, so it's more invasive than I feel like tackling right now.
Also it's in Perl which would be the fifth programming language I'd have worked on this stuff in over the last ~2 weeks, and the third one I've had to (re-)learn, and I'm getting kind of tired of switching languages this fast.