Indie social sign-in could go mainstream
Back in June I wrote about an exciting confluence of digital auth tech:
Social sign-in for indies
The focal point of Weird Netizens was the convergence of OIDC, Rauthy and FedCM as open identity technologies. I've dabbled in online activism for a long time and never before have I experienced these kinds of ripple effects.
February: A contributor to the development of FedCM raises awareness about a potential fork in the road for the FedCM spec, which would make it yet another Big Tech exclusive if the wider internet community did not engage. The call to action is amplified by another activist a week later.
March: One of the FedCM spec authors invites indie developers to demonstrate the viability of FedCM as a completely provider-agnostic technology. If no one answers the call, the spec writers may consider the indie use case void.
April: After a month of silence we designate a Weird collaborator to begin work on FedCM. This kicks off a flurry of activity that to this day shows no sign of stopping.
May: Experimental FedCM support has landed in Rauthy, obligator, Solid and IndieAuth!
As a cherry on top, this meeting of identity-savvy minds has led to a pending update in the IndieAuth spec which makes it compatible with OIDC, and by extension Rauthy.
For anyone unfamiliar with IndieAuth and FedCM: simply put, they are different types of web sign-in, which is the ability to sign in to websites using your personal web address, without having to use your e-mail address.
IndieAuth
IndieAuth is a federated login protocol for Web sign-in, enabling users to use their own domain to sign in to other sites and services. IndieAuth can be used to implement OAuth2 login.
Federated Credential Management
FedCM is a Web Platform (browser) API that allows users to log in to websites with their federated accounts in a privacy-preserving manner.
While there’s some overlap, they mostly solve two different, mutually complementary problems, and can be used in tandem.
Three months after my post in June, we’re in great shape:
- The IndieAuth specification has been updated for greater OAuth/OIDC compatibility.
- The FedCM specification is now an official W3C First Public Working Draft.
- All Chrome-based browsers support FedCM.
- Independent identity providers like Weird and LastLogin can be used for real-world testing.
In short, it is now easier than ever to log into web applications using your own website as an identity provider. Or at least, it would be, if only your favorite web apps supported these agency-enhancing technologies.
The folks at Google still feel like we need more evidence of RP/client (auth-speak for web app) interest:
We are still actively pushing this and interested to move it forward. Chrome just launched the Multiple IdP #319 origin trial, which is a pre-requisite here.
From an ecosystem perspective, we are still lacking evidence of demand / product market fit with relying parties. It is clear to me that browsers, users and IdPs would be motivated to use this extension, but it is not yet clear whether relying parties [i.e. web apps] would. We got webmention.io, which helped us build a proof of concept, but we are still lacking RPs to give this a try organically.
We could really use 3-5 real RPs that we could use to help us co-design this in an origin trial against real users.
Is that something you feel you could help us with, to activate this part of the ecosystem?
So here I am, 👴🏻 Once Again asking for the support of my fellow indie agitators. We need live applications, already in production use, to experimentally support FedCM. Possibly also IndieAuth while you’re at it.
This is an emerging web standard; all you need is already in the (Chrome-based) browser:
- https://developers.google.com/privacy-sandbox/cookies/fedcm-developer-guide
- https://developer.mozilla.org/en-US/docs/Web/API/FedCM_API
- https://indieweb.org/FedCM_for_IndieAuth
simple as.
Live Applications
Who exactly is this post talking to? Essentially any independent or open source application that offers a legitimate (service-oriented) alternative to the incumbents which are Too Big to Care.
Top of mind for me are:
Bluesky
Though currently in the throes of a (very friendly) Brazilian invasion, once the Bluesky devs have capacity to spare there’s probably no one better suited to lead this charge. Domain names as handles is a flagship feature of the Bluesky network. It follows rather naturally that users ought also to be able to log into the network using their own domains.
Discourse
As the most widely used forum software today, Discourse is quietly one of the biggest indie social networks around; it’s just not an interconnected super-network, though that’s gradually changing as they’re adopting the ActivityPub protocol. With its deep roots in internet geekery, Discourse powers many communities whose participants would jump at the opportunity to log in to their favorite forum instances with their very own identity provider.
Codeberg
As a passionate advocate of open source values, Codeberg avoids proprietary technology to the greatest extent possible:
Dependencies on commercial, external, or proprietary services for the operation of the platform are avoided, in order to guarantee independence and reliability.
Even so, they pragmatically provide login-via-GitHub as an option, presumably because of the undeniable accessibility/onboarding gains realized by GitHub’s massive network size. Enabling independent domain logins would allow them to chip away at this undesirable status quo.
WordPress
Bastion of the personal webpage, WordPress already has mature plugins for an instance to operate as its own OIDC or IndieAuth provider. There’s a straight shot from there to OIDC-FedCM or IndieAuth-FedCM.
Mastodon/Fediverse
It’s already possible to log into an experimental RP with a fediverse account, as demonstrated by FedIAM.
Going the other way around – logging into a fedi instance via FedCM – might be closest within reach for a single-user server like Hollo.
Now or never
But what if no one uses it? What if Google-corp pulls the rug? What if macroeconomic factors beyond our control bring everything to a halt!?
There’s no guarantee that this will work, but if we don’t try now it’ll be another 5-10 years before the opportunity comes along again. And if it does work we will have successfully nudged the web we love one step further towards greater agency and equal access. If there ever was a time…