erlend_shWorking to Decentralize FedCM
poVoqSounds good, but this FedCM seems to be basically a reinvention of Oauth2/OIDC. Even if it brings some minor improvements (credentials storage in the browser or so?), it seems dead on arrival given that there doesn’t seem to be a strong dissatisfaction with how OIDC works. Or am I missing something?
What you’re missing is that OIDC is innately centralized and FedCM, in particular thanks to this work, isn’t.
This is all building on or complementing the same underlying OAuth standards, like the CIMD spec that Emelia originally intended for adoption into Mastodon/ActivityPub to set the stage for decentralized OAuth, but it was never brought in. The AT protocol on the other hand adopted it into their decentralized oauth-atproto standard, which is on track to become a protocol-agnostic oauth-dweb standard.
Anyone who cares about decentralized software should be dissatisfied with how OIDC works. If you wanna use your primary fediverse account to log into other fedi apps, this work is for you.
OAuth Client ID Metadata Document
This specification defines a mechanism through which an OAuth client can identify itself to authorization servers, without prior dynamic client registration or other existing registration. This is through the usage of a URL as a client_id in an OAuth flow, where the URL refers to a document containing the necessary client metadata, enabling the authorization server to fetch the metadata about the client as needed.
OIDC is innately centralized
Huh, that’s not my understanding. I was there when it first came out, and the whole point was to allow you to use any URI of your choice as an authenticator. Let’s see what the first line of Wikipedia has to say:
OpenID is an open standard and decentralized authentication protocol
Huh. 🤔
See what CIMD solves for. “Innately centralized” was probably a poor choice of words, but OIDC not a good fit for an open social web with decentralized identities and a plethora of small identity providers that cannot be known upfront.
Forgejo has a feature (that people usually disable) where you can bring your own openid connect url and use it to auth. So if I have my own OIDC provider I am self hosting, I can just use that to log in.
Most people only use it for google and microsoft and whatnot but it’s very possible. I don’t realkly see what FedCM offers that OIDC doesn’t or can’t, or why we shouldn’t be adding features to the existing and popular OIDC instead.
This requires manually enabling every additional provider. This doesn’t work if some individuals or smaller collectives wanna run their own identity providers, numbering in the thousands.
This requires manually enabling every additional provider.
No, it doesn’t. The docs are confusing on this, but forgejo has two methods to enable oauth/oidc. One is to manually enable them, but there is a second, where people bring their own oauth link.
The docs contain 3 things related to oauth:
- Oauth provider forgejo acts as oauth for someone else
- Ouath client — This is the one where you manually enable providers
- But then there is a third config. Openid. This lets users bring their own openid/oauth link and sign in with that. No manual configuration required on the side of the forgejo server per client.
You might be confusing the old OpenID with OIDC (short for Open ID Connect), which is based on Oauth2, an entirely different technology.
OpenID was definitely more decentralized compared to how OIDC is commonly used these days, but OIDC has various little know options to do similar things.