Eugen @Gargron@mastodon.social

IndieAuth sounds interesting as a more generic way for federated applications to allow app registrations indieauth.spec.indieweb.org/

The question is how do we adapt this after our current, extremely similar but somewhat different system has been in production use for around 2 years


Thoughts: The requirement of apps to have a publicly accessible website conforming to the IndieAuth API might be a limiting factor

On the other hand, globally unique identifiable apps is a huge benefit in terms of admins being able to restrict app access. I.e., currently every user can revoke app access to their account, but server admins cannot say "I don't want the cross-poster to work with my server" because there is no such thing as *the* cross-poster

@gargron isn't it great though

i mean the whole thing of registering apps has mostly been justified by commercial restrictions and a pain in the ass for developers and users

@CobaltVelvet Mastodon's approach doesn't even pretend to follow any standard in that area, because apps interact with the non-standard REST API anyway. Our approach is: POST to /api/v1/apps with some basic info, receive credentials back, save them in your app for standard OAuth 2.0 use.
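
The registration-then-OAuth flow described in that post, written out as a stand-alone client (an added example, not code from Mastodon or from anyone in this thread). It assumes a placeholder instance URL and client name; `/api/v1/apps` is from the post above, and `/oauth/authorize` and `/oauth/token` are Mastodon's standard OAuth 2.0 endpoints. Network calls are isolated in one function so the payload and URL builders can be checked offline.

```python
"""Mastodon-style app registration followed by the OAuth 2.0 authorization-code
flow. Each instance issues its own client_id/client_secret on registration, which
is exactly why an admin cannot block "the" cross-poster by identifier."""
import json
import urllib.parse
import urllib.request

INSTANCE = "https://mastodon.example"          # placeholder, not a real server
REDIRECT_URI = "urn:ietf:wg:oauth:2.0:oob"     # out-of-band: user pastes the code


def registration_payload(client_name, scopes="read write", website=None):
    """Body for POST /api/v1/apps; the reply carries client_id and client_secret."""
    body = {"client_name": client_name, "redirect_uris": REDIRECT_URI, "scopes": scopes}
    if website:
        body["website"] = website
    return body


def authorize_url(client_id, scopes="read write"):
    """Link the user opens to grant the app access (GET /oauth/authorize)."""
    query = {"client_id": client_id, "redirect_uri": REDIRECT_URI,
             "response_type": "code", "scope": scopes}
    return INSTANCE + "/oauth/authorize?" + urllib.parse.urlencode(query)


def token_payload(client_id, client_secret, code):
    """Body for POST /oauth/token, exchanging the one-time code for a token.
    The scopes granted are fixed at authorization; keep them as narrow as the app needs."""
    return {"client_id": client_id, "client_secret": client_secret,
            "redirect_uri": REDIRECT_URI, "grant_type": "authorization_code",
            "code": code}


def do_post(path, data):
    """POST JSON to the instance and decode the JSON reply (network call)."""
    req = urllib.request.Request(INSTANCE + path, data=json.dumps(data).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    creds = do_post("/api/v1/apps", registration_payload("example-crossposter"))
    print("Open this URL and approve the app:", authorize_url(creds["client_id"]))
    code = input("Paste the code shown by the instance: ").strip()
    token = do_post("/oauth/token",
                    token_payload(creds["client_id"], creds["client_secret"], code))
    print("access_token:", token["access_token"])   # store this, never log it
```

The credentials returned by `/api/v1/apps` are per-instance secrets and must be stored by the app; losing them means re-registering, and leaking them lets anyone impersonate the app on that server.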

Pushing forward some effort like IndieAuth might influence more websites to add ways of using such forms of authentication. Currently using Mastodon with many services is impossible because (1/2)

@CobaltVelvet the services like Zapier or IFTTT that have "bridges" expect APIs/OAuth to have a hardcoded endpoint URL. So advocating for "make it support IndieAuth" might go further than "make it support Mastodon" in terms of how many applications they'd start supporting in one swoop.

@CobaltVelvet WTF I have been responding to the wrong person this was meant for @h, but I guess it works as a reply to you too

@Gargron Well maybe it's them who need to adopt Mastodon's. Apart from the technical aspects I think we have another important question to make: Would IndieAuth drive decentralisation better? Or on the contrary, it would be harder to influence the direction towards decentralisation that these networks are taking?

@h @Gargron

From an infosec perspective, federated auth is a giant single point of failure. When the centralized back end goes down, everyone’s auth goes down. When the database leaks—as it eventually will—access to every site is compromised. In short, it increases risk.

From a personal perspective, IndieAuth (and OAuth) is precisely the kind of mess I came to the fediverse to get away from.

@Gargron The existing Mastodon API uses OAuth 2, right? Seems like you'd be able to add this on top and still also support the existing behavior without any changes. You'd get the benefit of auto discovery and global client IDs. Maybe we should chat about this at the next w3c call?

@macgirvin
you might like to take a look at the thread I'm replying to