In the meantime, IndieAuth is, imho, a step backwards. OAuth/OIDC sign-in with login_hint works *great*; the lack of auto-/no-registration / a public key version is a real bummer, though.
This one I’m really confused on, and we should probably chat about it to clear things up. IMO OIDC is more of a barrier here because the default is that clients need to register. With IndieAuth there is no expectation of client registration at all.
Yeah, client registration is a holdover, and unnecessary for domain validation (same as Let's Encrypt). It's unfortunate OIDC didn't do a better job here. To be clear, I'm totally pro-IndieAuth, because the _protocol_ doesn't matter as long as it's secure. It's the UX / messaging.