IndieAuth sounds interesting as a more generic way for federated applications to allow app registrations https://indieauth.spec.indieweb.org/
The question is: how do we adapt this after our current, extremely similar but somewhat different system has been in production use for around 2 years? #mastodev
Thoughts: The requirement of apps to have a publicly accessible website conforming to the IndieAuth API might be a limiting factor
On the other hand, globally uniquely identifiable apps are a huge benefit in terms of admins being able to restrict app access. I.e., currently every user can revoke app access to their account, but server admins cannot say "I don't want the cross-poster to work with my server" because there is no such thing as *the* cross-poster
@CobaltVelvet Mastodon's approach doesn't even pretend to follow any standard in that area, because apps interact with the non-standard REST API anyway. Our approach is: POST to /api/v1/apps with some basic info, receive credentials back, save them in your app for standard OAuth 2.0 use.
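The flow described in the post above, as an added example that is not Mastodon project code: an app POSTs basic info to /api/v1/apps, stores the client_id and client_secret it gets back, and then runs an ordinary OAuth 2.0 authorization-code flow against /oauth/authorize and /oauth/token. The endpoint paths and form parameter names are the documented Mastodon ones; the server is a constructed in-memory fake so the whole thing runs offline, every credential it hands out is made up, and the app name, instance URL and callback URL are hypothetical. The fake also enforces the two checks a real authorization server is expected to make (exact redirect_uri match, and requested scope not exceeding the registered scope), and the client side verifies the OAuth `state` parameter so a forged or replayed callback is refused.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs


class FakeInstance:
    """Constructed in-memory stand-in for one Mastodon server (not real server code)."""

    def __init__(self):
        self.apps, self.codes = {}, {}  # client_id -> record; one-time code -> client_id

    def post(self, url, form):
        path = urlsplit(url).path
        if path == "/api/v1/apps":  # dynamic registration: basic info in, credentials out
            client_id = "app-" + secrets.token_hex(4)
            rec = {"client_secret": secrets.token_hex(16), "redirect_uri": form["redirect_uris"],
                   "scopes": set(form["scopes"].split())}
            self.apps[client_id] = rec
            return 200, {"client_id": client_id, "client_secret": rec["client_secret"]}
        if path == "/oauth/token":  # standard OAuth 2.0 token endpoint
            rec = self.apps.get(form.get("client_id"))
            if rec is None or not secrets.compare_digest(rec["client_secret"],
                                                         form.get("client_secret", "")):
                return 401, {"error": "invalid_client"}
            if (form.get("grant_type") != "authorization_code"
                    or self.codes.pop(form.get("code"), None) != form["client_id"]
                    or form.get("redirect_uri") != rec["redirect_uri"]):
                return 400, {"error": "invalid_grant"}
            return 200, {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}
        return 404, {"error": "not_found"}

    def user_approves(self, authorize_url):
        """Browser side: user clicks Authorize; server redirects back to the app.
        redirect_uri must match the registered one exactly; scope may not exceed it."""
        q = {k: v[0] for k, v in parse_qs(urlsplit(authorize_url).query).items()}
        rec = self.apps.get(q.get("client_id"))
        if rec is None or q.get("redirect_uri") != rec["redirect_uri"]:
            raise PermissionError("unknown client_id or redirect_uri mismatch")
        if not set(q.get("scope", "").split()) <= rec["scopes"]:
            raise PermissionError("requested scope exceeds registered scope")
        code = secrets.token_urlsafe(16)
        self.codes[code] = q["client_id"]
        return rec["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})


class App:
    def __init__(self, instance, transport, name, redirect_uri, scopes):
        self.instance, self.transport = instance, transport
        self.name, self.redirect_uri, self.scopes = name, redirect_uri, scopes
        self.client_id = self.client_secret = self.state = None

    def register(self):  # done once; the returned credentials are saved in the app
        status, body = self.transport.post(self.instance + "/api/v1/apps", {"client_name": self.name,
            "redirect_uris": self.redirect_uri, "scopes": " ".join(self.scopes)})
        if status != 200:
            raise RuntimeError(body)
        self.client_id, self.client_secret = body["client_id"], body["client_secret"]

    def authorize_url(self):
        self.state = secrets.token_urlsafe(16)  # per-login CSRF token, verified on return
        return self.instance + "/oauth/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id, "state": self.state,
            "redirect_uri": self.redirect_uri, "scope": " ".join(self.scopes)})

    def exchange(self, callback_url):
        q = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
        if not self.state or not secrets.compare_digest(q.get("state", ""), self.state):
            raise ValueError("state mismatch: this callback was not started by this session")
        self.state = None  # single use
        status, body = self.transport.post(self.instance + "/oauth/token", {
            "grant_type": "authorization_code", "code": q["code"], "redirect_uri": self.redirect_uri,
            "client_id": self.client_id, "client_secret": self.client_secret})
        if status != 200:
            raise RuntimeError(body)
        return body["access_token"]


def _registered_app(instance="https://example.social"):
    server = FakeInstance()  # constructed server; app name and URLs are hypothetical
    app = App(instance, server, "Cross-poster (hypothetical)",
              "https://crossposter.example/callback", ["read", "write"])
    app.register()
    return server, app


def run_flow():
    server, app = _registered_app()
    return app.exchange(server.user_approves(app.authorize_url()))


def forged_callback_rejected():
    """A callback carrying a state this session never issued must be refused."""
    server, app = _registered_app()
    app.authorize_url()
    try:
        app.exchange(app.redirect_uri + "?" + urlencode({"code": "x", "state": "attacker"}))
    except ValueError:
        return True
    return False
```

`run_flow()` returns a bearer token for the hypothetical app; `forged_callback_rejected()` shows why the client must keep its own `state` and check it before touching the token endpoint. Note what is and is not global here: the `client_id` exists only on the one instance that issued it, which is the point made earlier in the thread about admins having nothing instance-independent to block.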
Pushing forward some effort like IndieAuth might influence more websites to add ways of using such forms of authentication. Currently using Mastodon with many services is impossible because (1/2)
@CobaltVelvet the services like Zapier or IFTTT that have "bridges" expect APIs/OAuth to have a hardcoded endpoint URL. So advocating for "make it support IndieAuth" might go further than "make it support Mastodon" in terms of how many applications they'd start supporting in one swoop.
@Gargron Well, maybe it's them who need to adopt Mastodon's. Apart from the technical aspects, I think we have another important question to ask: would IndieAuth drive decentralisation better? Or, on the contrary, would it be harder to influence the direction towards decentralisation that these networks are taking?
From an infosec perspective, federated auth is a giant single point of failure. When the centralized back end goes down, everyone’s auth goes down. When the database leaks—as it eventually will—access to every site is compromised. In short, it increases risk.
From a personal perspective, IndieAuth (and OAuth) is precisely the kind of mess I came to the fediverse to get away from.
you might like to take a look at the thread I'm replying to