IndieAuth and RelMeAuth

[erlend-sh]

As part of Rauthy for fediverse logins, support for IndieAuth would further facilitate this. Mastodon is already close:

• Add support for IndieAuth authentication mastodon/mastodon#24066

Frankly I don't understand what remains in Mastodon to be IndieAuth-capable, since it already supports a form of the 'authenticate with own URL' flow that's emblematic of IndieAuth. Partially explained here:

there’s also been mention of IndieAuth which has a very similar flow to Mastodon but doesn’t require generating a disposable “client” connection up-front (and has a few other affordances to standardize how profile information is shared).

I also don't understand the difference between IndieAuth and RelMeAuth (web-sign-in) 😅 but the two seem closely related.

[sebadob]

I have never heard of both of them, but could this be an overlap with #133 ?

[erlend-sh]

Would this make IndieAuth more OIDC compatible? indieweb/indieauth#133

[sebadob]

It would not only make it "more compatible", it would make it just compatible (if there is nothing else I am missing currently) with Rauthy, because Rauthy already supports Solid OIDC and ephemeral clients, which is exactly what this is.
Only if they choose the proposal that points to the direct json object instead of needing to resolve some sub-path via a .well-known though.

[aaronpk]

That's a solid vote for that option, thanks!

[anderspitman]

Forgive me if I'm missing something, but indieweb/indieauth#133 alone would not make Rauthy compatible with IndieAuth, right? I believe it would still need to implement indieauth-metadata, and possibly a different format for user ID documents (not sure about this).

[erlend-sh]

The IndieAuth spec has been updated: indieweb/indieauth#133 (comment)

[erlend-sh]

IndieAuth combined with self-hostable OIDC by the likes of Rauthy solves the most critical shortcoming of the fediverse as it exists today, which is the lack of self-sovereign identity.

My fedi ID is currently hosted on https://writing.exchange/@erlend - a Mastodon instance. This is already a big improvement from letting Twitter (or Google, or GitHub) be the chief custodian of my digital identity, since they won't even let me move elsewhere if I'd like to do that. Mastodon makes that possible, thus giving me some genuine ownership over my contact list.

But I'm still beholden to an external server admin. Should writing.exchange go down, that's my fedi ID gone, along with all my followers (contact list). This has happened to several fediverse instances being run by hobbyists who for whatever reason (lost interest; finances; health; technical issues) stopped running their server, in some cases with no warning whatsoever.

Users on a fediverse server are also disempowered in more subtle ways:

• If an instance admin defederates from another instance in the fediverse, users won't be notified of any followers they had from that instance; they're just silently lost.
• A user can be banned, their account made inaccessible, unable to take their data elsewhere. Regardless of legitimate reasons for banning users, invalidating their default online persona is a kind of digital death sentence without opportunity for appeal. Very few offenses actually merit that kind of punishment.

Bluesky solves this in a web3 kind of way as a self-authenticating social protocol, based on a combination of DNS names and Decentralized Identifiers. However, some number of unknown unknowns remain in this space, and for now their solution depends on a centralized authority to function.

IndieAuth presents a middle road between the broken status quo and the ideal state we need to get to. It doesn't solve the subtle lock-in effects of a Mastodon instance on its own, but it realizes the essential first step of making netizens' identity independent from their impermanent choice of fediverse instance.

When signing up for an account on an instance like writing.exchange or mastodon.social, I should get to sign up with erlend.sh via IndieAuth.

[sebadob]

Support for Solid OIDC should (hopefully) be good with this: #133 (comment)

Regarding IndieAuth, I had another look at it. As I understand it, it would actually be obsolete, if you have your own Rauthy instance already, since Rauthy works as your own SSO provider and I don't see the value you would get from putting IndieAuth as man-in-the-middle. Am I missing something here?

[erlend-sh]

Am I missing something here?

Probably not, as long as some form of web sign-in is still possible. IndieAuth is just one specific implementation of that concept. But that general method of signing in with ones personal domain is essential for self-hosted OIDC to work as a form of SSO in spaces that are outside of your own control, e.g. a Mastodon instance.

[sebadob]

Okay, got it. I will have a look what would be needed to make this work with Rauthy directly.