Scott M. StolzJun 27, 2025
There is some confusion over a specific paragraph in the OpenWebAuth spec. Some are interpreting it to mean that OWA does not authenticate a specific user, but simply says someone on the home instance logged in, but we don't know which one, therefore it is impossible to tell which user is authenticated.

That is obviously not how Hubzilla works since Hubzilla knows which user authenticated, but that is how people are interpreting this paragraph in the FEP.  

Does anyone know what this paragraph is supposed to mean?

When the OpenWebAuth flow succeeds, the owt= query parameter will identify the user who is logged in to the home instance. This will be a user from the domain in the original zid= parameter, but may not be the exact same user.
#^https://codeberg.org/fediverse/fep/src/branch/main/fep/61cf/fep-61cf.md#3-target-instance-provides-a-token
fep/fep/61cf/fep-61cf.md at main

fep - Fediverse Enhancement Proposals

Codeberg.org
Show threadScott M. StolzJun 27, 2025
Speaking of which, if OWA does not send profile information, such as display name and avatar, maybe it should. Because we can't assume that other platforms will use the same protocols for communication. Will an ActivityPub only platform be able to get the display name and avatar and profile of a Zot only user, for example?

How would such a situation be handled?
Show threadScott M. StolzJun 27, 2025
@Scott M. Stolz
Speaking of which, if OWA does not send profile information, such as display name and avatar, maybe it should. Because we can't assume that other platforms will use the same protocols for communication.
Maybe we can provide a way of including the display name and avatar of the authenticated user as part of the OWA authentication process. Make it optional, and state that as a fallback, you would use other methods to get this information (and provide a list of the fallback methods). That way the protocol remains backwards compatible, while providing additional information for those who want to utilize it.
Show threadFenTiger
@Scott M. Stolz Stepping back a little - I have a half-formed list of things that I would suggest changing about OWA, but I haven't yet got around to writing it up.

My plan was for FEP-61cf to document OWA as it exists today, and then follow it up at some point with a discussion of potential changes, possibly leading to a subsequent FEP on "OpenWebAuth 2.0" further down the line, leaving FEP-61cf as a more historical document.

Does this sound like a sensible approach to you?
Jun 27, 2025 at 8:33pmWeb
Show threadScott M. StolzJun 27, 2025
@FenTiger It sounds like a sensible approach to me, but @Mario Vavti and @Mike Macgirvin 🖥️ would be the ones implementing it, so it depends on what they think.
Show threadScott M. StolzJun 27, 2025
@FenTiger It sounds like a sensible approach to me, but @Mario Vavti and @Mike Macgirvin 🖥️ would be the ones implementing it, so it depends on what they think.
Show threadScott M. StolzJun 27, 2025
@FenTiger It sounds like a sensible approach to me, but @Mario Vavti and @Mike Macgirvin 🖥️ would be the ones implementing it, so it depends on what they think.