‪Doesn't have to be a top level domain, just a URL. Both ... • Aaron Parecki

Anders Pitman https://twitter.com/anderspitman • Jan 23
Ahhh that's what IndieAuth is. I was reading up on it, but didn't see any information about the spec on the website. I think my main hesitance towards it is the use of domains. I just don't see the average user buying their own domain. Emails seems more realistic for unique IDs.

‪Doesn't have to be a top level domain, just a URL. Both users and apps are identified by URLs. ‬

‪I do think there's value in just client IDs being URLs in some cases, demonstrated by the fact that Home Assistant picked out just that part of the spec for their OAuth API.‬

Portland, Oregon • 48°F

Wed, Jan 22, 2020 4:21pm -08:00

5 replies
Have you written a response to this? Let me know the URL:
- Anders Pitman twitter.com/anderspitman
  
  Hm true, and an important point. But there's nothing stopping users that care about that from using multiple email addresses, rather than waiting for companies to do it for them.
  
  Thu, Jan 23, 2020 12:42am +00:00 (via brid-gy.appspot.com)
- Aaron Parecki twitter.com/aaronpk
  
  While that sounds nice in theory, the real world is more complicated. Apple's OAuth server is a great example. User IDs are scoped to the app to prevent cross correlation, and the app gets a proxy email instead of the user's real email. Users don't always want to be identified.
  
  Thu, Jan 23, 2020 12:33am +00:00 (via brid-gy.appspot.com)
- Anders Pitman twitter.com/anderspitman
  
  I'm imagining a world where email servers handle identity, and authorization servers handle delegation, after confirmation ownership over the email identity.
  
  Thu, Jan 23, 2020 12:30am +00:00 (via brid-gy.appspot.com)
- Aaron Parecki twitter.com/aaronpk
  
  I was trying to say feel free to pick and choose and use just the client ID part. I think that'd be a huge benefit for OAuth as a whole for the exact kind of use case you're talking about.
  
  Thu, Jan 23, 2020 12:29am +00:00 (via brid-gy.appspot.com)
- Anders Pitman twitter.com/anderspitman
  
  Don't get me wrong, I think URLs for client IDs is a great idea, which I intend to use. I'm just less sold on URLs for user IDs. Everyone already has email addresses, and they also come with a relatively reliable protocol for contacting the owner.
  
  Thu, Jan 23, 2020 12:28am +00:00 (via brid-gy.appspot.com)

Posted in /replies using indigenous.abode.pub/ios