
Aaron Parecki

  • Anders Pitman https://twitter.com/anderspitman   •   Jan 23
    Ahhh that's what IndieAuth is. I was reading up on it, but didn't see any information about the spec on the website. I think my main hesitance towards it is the use of domains. I just don't see the average user buying their own domain. Emails seem more realistic for unique IDs.
    Aaron Parecki
    Doesn't have to be a top level domain, just a URL. Both users and apps are identified by URLs.

    I do think there's value in just client IDs being URLs in some cases, demonstrated by the fact that Home Assistant picked out just that part of the spec for their OAuth API.
    Portland, Oregon • 48°F
    Wed, Jan 22, 2020 4:21pm -08:00
    5 replies
    • Anders Pitman twitter.com/anderspitman
      Hm true, and an important point. But there's nothing stopping users that care about that from using multiple email addresses, rather than waiting for companies to do it for them.
      Thu, Jan 23, 2020 12:42am +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki twitter.com/aaronpk
      While that sounds nice in theory, the real world is more complicated. Apple's OAuth server is a great example. User IDs are scoped to the app to prevent cross correlation, and the app gets a proxy email instead of the user's real email. Users don't always want to be identified.
      Thu, Jan 23, 2020 12:33am +00:00 (via brid-gy.appspot.com)
    • Anders Pitman twitter.com/anderspitman
      I'm imagining a world where email servers handle identity, and authorization servers handle delegation, after confirming ownership over the email identity.
      Thu, Jan 23, 2020 12:30am +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki twitter.com/aaronpk
      I was trying to say feel free to pick and choose and use just the client ID part. I think that'd be a huge benefit for OAuth as a whole for the exact kind of use case you're talking about.
      Thu, Jan 23, 2020 12:29am +00:00 (via brid-gy.appspot.com)
    • Anders Pitman twitter.com/anderspitman
      Don't get me wrong, I think URLs for client IDs is a great idea, which I intend to use. I'm just less sold on URLs for user IDs. Everyone already has email addresses, and they also come with a relatively reliable protocol for contacting the owner.
      Thu, Jan 23, 2020 12:28am +00:00 (via brid-gy.appspot.com)
Posted in /replies using indigenous.abode.pub/ios

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.