IndieAuth, IndieLogin, and all the IndieWebs with Aaron Parecki

Aaron’s very cool business cards which give you an idea of all the stuff he’s into

Aaron is one of the cofounders of the IndieWeb movement, and in general an expert at authorization and identity related standards, being one of the IETF Editors of the OAuth spec.

Aaron Parecki @aaronpk

We’re going to talk about IndieAuth, IndieLogin, and likely some of Aaron’s many other open source projects.

Resources

IndieAuth https://indieauth.net/

IndieAuth is a decentralized identity protocol built on top of OAuth 2.0.

This allows individual websites like someone’s WordPress, Mastodon, or Gitea server to become its own identity provider, and can be used to sign in to other instances. Both users and applications are identified by URLs, avoiding the need for getting API keys or making new accounts.

Read more about how IndieAuth solves OAuth for the open web.

IndieLogin https://indielogin.com/

IndieLogin.com makes it easy to add web sign-in to your applications.

If you’d like to let your users log in with their own domain name as their identity, you can use IndieLogin.com to handle the details of that for you.

IndieLogin.com supports IndieAuth, so users with supported websites will be able to sign in using their own website’s login. Otherwise, IndieLogin.com will check for links to Twitter, GitHub, an email address or PGP key, and will ask the user to authenticate that way. Regardless of how the user authenticates, the identity provided to the application will always be the user’s primary website.
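The sign-in decision described above (prefer the site's own IndieAuth endpoint, otherwise fall back to rel="me" links) and the identity checks a relying party should make around it can be shown in a few dozen lines. The following is an added example, not code from IndieLogin.com, IndieAuth or any project mentioned on this page: the HTML profile pages are constructed inline, the profile URL rules (http/https only, no fragment, userinfo, port, dot segments or IP-address host) and the same-domain rule for a returned identity follow the IndieAuth specification as the author of this example reads it, and the rel="pgpkey" token is an assumption about how a profile advertises its key.

```python
"""IndieAuth-style web sign-in: profile URL canonicalization, rel-link discovery, identity checks."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit


class ProfileURLError(ValueError):
    """Raised when a user-supplied identity URL fails the profile URL rules."""


def canonicalize_profile_url(raw: str) -> str:
    """Turn what the user typed into the login box into a canonical profile URL.

    Every rejected form is one that would let a different identity be smuggled in:
    fragments, userinfo, ports, dot segments and bare IP addresses.
    """
    value = raw.strip()
    if "://" not in value:
        value = "https://" + value  # bare domain: default to https
    parts = urlsplit(value)
    if parts.scheme not in ("https", "http"):
        raise ProfileURLError("scheme must be http or https")
    if not parts.hostname:
        raise ProfileURLError("missing host")
    if parts.username is not None or parts.password is not None:
        raise ProfileURLError("userinfo not allowed")
    if parts.port is not None:
        raise ProfileURLError("port not allowed")
    if parts.fragment:
        raise ProfileURLError("fragment not allowed")
    try:
        ipaddress.ip_address(parts.hostname)
    except ValueError:
        pass  # a hostname, as required
    else:
        raise ProfileURLError("IP address hosts are not profile URLs")
    path = parts.path or "/"
    if any(seg in (".", "..") for seg in path.split("/")):
        raise ProfileURLError("dot segments not allowed")
    return urlunsplit((parts.scheme, parts.hostname.lower(), path, parts.query, ""))


def rejects(raw: str) -> bool:
    """True when canonicalize_profile_url refuses the input."""
    try:
        canonicalize_profile_url(raw)
    except ProfileURLError:
        return True
    return False


class _RelLinkParser(HTMLParser):
    """Collects href values of <a> and <link> elements, keyed by each rel token."""

    def __init__(self):
        super().__init__()
        self.links: dict[str, list[str]] = {}

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        href, rel = attr.get("href"), attr.get("rel")
        if not href or not rel:
            return
        for token in rel.lower().split():  # rel="me nofollow" carries two tokens
            self.links.setdefault(token, []).append(href)


def discover_rel_links(html: str, base_url: str) -> dict[str, list[str]]:
    """Return rel token -> absolute hrefs found in an HTML profile page."""
    parser = _RelLinkParser()
    parser.feed(html)
    parser.close()
    return {rel: [urljoin(base_url, h) for h in hrefs] for rel, hrefs in parser.links.items()}


def sign_in_options(profile_url: str, html: str) -> list[tuple[str, str]]:
    """IndieLogin-style decision: the site's own IndieAuth endpoint first, then rel=me fallbacks."""
    links = discover_rel_links(html, profile_url)
    options: list[tuple[str, str]] = []
    if links.get("authorization_endpoint"):
        options.append(("indieauth", links["authorization_endpoint"][0]))
    for href in links.get("me", []):
        host = (urlsplit(href).hostname or "").removeprefix("www.")
        if href.startswith("mailto:"):
            options.append(("email", href))
        elif host == "github.com":
            options.append(("github", href))
        elif host == "twitter.com":
            options.append(("twitter", href))
    for href in links.get("pgpkey", []):  # assumed rel token for a published PGP key
        options.append(("pgpkey", href))
    return options


def returned_identity_is_acceptable(entered: str, returned: str) -> bool:
    """After authorization the identity handed back must stay on the domain the user entered."""
    try:
        a, b = canonicalize_profile_url(entered), canonicalize_profile_url(returned)
    except ProfileURLError:
        return False
    return urlsplit(a).hostname == urlsplit(b).hostname


# Constructed sample profile pages (not real sites).
SAMPLE_INDIEAUTH_HTML = """<html><head>
<link rel="authorization_endpoint" href="/auth">
<link rel="token_endpoint" href="/token">
</head><body><a rel="me" href="https://github.com/example">GitHub</a></body></html>"""

SAMPLE_RELME_HTML = """<html><body>
<a href="https://twitter.com/example" rel="me">Twitter</a>
<a rel="me nofollow" href="https://www.github.com/example">GitHub</a>
<a rel="me" href="mailto:me@example.com">Email</a>
<link rel="pgpkey" href="/key.txt">
</body></html>"""
```

Because the relying party accepts whatever identity the authorization step returns, the same-host check in returned_identity_is_acceptable is the part worth getting right: without it a server that answers for one domain could hand back a profile URL on another.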


Join us Thursday, May 14, 2020 5:00 PM

Zoom link: https://zoom.us/j/116710002 (visit our Discord chat for password).


Rough Notes

IndieLogin - delegating

Mastodon
Signature mechanism

IndieAuth is the layer before that

Help Mastodon help clients

Authentication

Authorization

Let something else create / access – AuthZ

You need to login to stuff – AuthN

IndieAuth makes some decisions that makes interoperability easier

Mastodon built an OAuth server, doesn't interoperate with anyone else's

Would love to see Mastodon make some minor modifications to turn it into an IndieAuth-compatible server – micropublish

Login is super important

Will logging in have any other side effects?

Blaine: Mailinator should implement the same throw away email pattern for logins

Sign in with Apple

OAuth / OpenID Connect (OIDC) – Apple doesn't mention either anywhere
If you go look at how it works, it’s very very close to OIDC
OAuth has no user identifier, OIDC does
However, Apple made some decisions, only works in an Apple context
So many libraries don’t work

OpenID Foundation – wrote up a page on the differences between Apple and OIDC, including security problems

Apple did some iterations and fixes

Pretty sure that Apple execs needed Sign in with Apple, engineers looked at other protocols, let's model it off of that

Made some security decisions that look more strict, but don't have an effect and don't solve problems – more picky

More apps - Photo editor app that can post to my website

I want the app to be an authoring interface – without the app having to own the data AND having that app share the data elsewhere on the Internet – to my website

I don’t want the app authors to implement 5 different silo APIs

Meetable

An open source event server with lots of IndieWeb features built in, and easily self-hostable with Deploy to Heroku.

Three instances:
