It's been a year since I wrote about Weird web pages as a prospective catalyst for the reclamation of my digital identity. There's been significant progress towards that end – more spread out among individual efforts than I initially envisioned, but ultimately for the better.

In this time a lot of necessary groundwork has been completed, some of which I didn't even realize was needed until I learned about it. Continuing from where I left off a year ago, let's go a few levels deeper into the vision of Weird, and the more clear-sighted vantage point we're looking out from today.

Starting with the self

Around a month ago I edited Assembling Community OS to reflect an emerging piece of technology which greatly helped crystallize my idea of Weird's most elementary purpose as a product. We'll come back to the shiny tech later; here's what we wanna do with it:

Digital autonomy begets individual freedom begets fairness & equality.

The hopeful possibility of this moment lies in the open-social web protocols which make up the foundations of a comms & coordination ecosystem owned and operated by the general public.

We have yet to bring these components together into one cohesive communications product, wherein messages and knowledge artifacts can move seamlessly from one flow-mode to the next and your identity remains the same throughout. Yet this ideal is closer to becoming reified than you might think.

Here's how I intend to do it, with a lot of help from my friends.

Part 1: Weird Identity

Before I can interact with other netizens, I need an online persona to make my digital self presentable and increasingly trustworthy. That's what Weird is all about. Most basically it's an open source equivalent to Linktree, supercharged by self-sovereign identity.

Weird will aggregate your fragmented persona into a single unified view. Establish your little slice of home on the internet without getting stuck in the content-production imperative of a custom website or a blog.

Then, thanks to the commodification of ID-tech steered by the OIDC standard, Weird can grow up to become a full-fledged identity provider by standing on the sturdy shoulders of rauthy. Meaning, you can 'Login with Weird' and use it as a kind of Gravatar on steroids. This will enable seamless login to all of the additional services we want to plug into our community stack.

To free ourselves of our current predicament, we must simultaneously de-centralize and re-centralize identity.

By de-centralizing the ownership of identity away from platform monopolies and back to individuals, we can re-centralize the agency of personhood.

Once more for clarity:

• Decentralize ownership.
• Recentralize agency.

The central authority of ones digital identity must first and foremost be the individual themselves. That's how we regain our digital sovereignty.

Everything we're gonna build towards in this article is based on The Path to Self-Sovereign Identity by Christopher Allen, written in 2016.

Rather than just advocating that users be at the center of the identity process, self-sovereign identity requires that users be the rulers of their own identity.

This is a lot to take in, so let's unpack it with a practical example.

The unbearable monopolization of being

In order to easily sign up for a new internet service today, without doing the tired email-and-password dance, I use “social sign-in”. We're all familiar with the usual “Google / Facebook / Apple / Microsoft / etc.” options.

It's very convenient because in this glorious age (/s) of technofeudalism you will inevitably have been forced on to one or more of these platforms already. You may as well entrench your identity in their unchallenged dominion even further by accepting their superstructure as the parent authority of that smaller service, even though the two are completely unrelated.

Incidentally, in a fairer world, that small service would be an up-and-coming challenger to the dominance of the ruling platforms. But that game has been rigged for a long time.

https://pluralistic.net/2024/02/08/permanent-overlords/

The authors of the paper 'Coopting Disruption: Has Big Tech disrupted disruption itself?' propose a four-step program for the would-be Tech Baron hoping to defend their turf from disruption.

First, gather information about startups that might develop disruptive technologies and steer them away from competing with you, by investing in them or partnering with them.

Second, cut off any would-be competitor's supply of resources they need to develop a disruptive product that challenges your own.

Third, convince the government to pass regulations that big, established companies can comply with but that are business-killing challenges for small competitors.

Finally, buy up any company that resists your steering, succeeds despite your resource war, and escapes the compliance moats of regulation that favors incumbents.

Then: kill those companies.

The authors proceed to show that all four tactics are in play today. Big Tech companies operate their own VC funds, which means they get a look at every promising company in the field, even if they don't want to invest in them. Big Tech companies are also awash in money and their “rival” VCs know it, and so financial VCs and Big Tech collude to fund potential disruptors and then sell them to Big Tech companies as “aqui-hires” that see the disruption neutralized.

Identity feudalism is an invaluable weapon in a tech baron's anti-disruption arsenal. Not only does it provide them with a to-the-second ticker on emergent platform upstarts that show signs of exponential growth, but every smaller player that defers to the mega-platforms for their network effects is consequently helping the fiefdoms deepen their moats by foregoing any network strength of their own.

How corporate centralization begets identity fragmentation

Ironically, the more corporation-centralized our identities become, the more fragmented they actually get. That's because when each of these mega-monopolies are big enough, they consider themselves the ultimate, unparalleled authority of digital identity. You won't find a “Log in with Google” button on Facebook, Apple or Microsoft's account page.

And yet you'll invariably need more than one of these accounts because, much to their chagrin, none of these companies have achieved complete world dominion quite yet. But if we stay the course, it won't be long until we can all enjoy the supreme technoutopian state of Absolute Customer Convenience.

Chain me up and sign me in your lordship!

Additionally, niche-targeted services will ask you to log in via the comparatively smaller but still monopolistic overlords of their particular domain. A project management app for instance might provide social logins via Notion, Slack and GitHub.

The built-in social providers of the app development platform Supabase demonstrates how fragmented our digitial identities really are in the current landscape:

Decoupling identity

Weird attempts something that other platforms don’t dare to do: It presents identity as the main attraction of its platform offering.

All mainstream identity providers get you hooked into their ID-network by means of a tight coupling between a light identity layer plus a heavy service:

• GitHub: ID + git
• Discord: ID + chat
• Gmail: ID + email

The indivisibility of this coupling weakens our digital sovereignty. Even if I stopped using Gmail for email, I still rely heavily on it for my authentication to hundreds of sites & services. It’s part of their lock-in scheme.

Gmail et.al. make identity confusing because they've made it appear necessarily coupled with an overarching complexity like email or a social network. But identity should stand on its own. In fact it is paramount that our identity is not owned by a personal-data-loving megacorp because there's nothing more valuable for them to keep locked up than the very essence of your digital self.

However, identity on its own just doesn't sell because we've become complacently accustomed to it as a byproduct of a headliner service, and usually a “free” one at that.

So Weird makes a compromise. We acknowledge that plain identity is somewhat lackluster, at least in the current landscape. To be competitive, we loosely pair your identity with what is arguably the other side of the identity coin anyhow: The personal webpage.

• Weird: ID as dynamic API + ID as static page.

And a ‘linkspage’ is the lightest, most low-effort webpage there is, since it only requires you to add links to wherever your online identity is already fragmented to.

Identity tech

Time for the techy bits! The past year has brought a series of innovations that, if brought together into a cohesive product such as Weird and others, could truly rock the foundations of the identity oligopolies.

I desperately want to be set free from my Big ID dependence. Sadly that cannot happen overnight since most sites need to explicitly add additional login options. Yet, a lot can happen sooner rather than later in the IndieWeb and fediverse that I now spend most of my online hours in.

Most of those web apps don't provide any 'social' login at all, but they absolutely should for the sake of easier onboarding. They just need better options than the mega platforms they are actively trying to avoid.

This and more is becoming possible thanks to three loosely related developments that are maturing simultaneously:

1. Commodified identity providers – OIDC libs

2. Federated logins – Bring Your Own Identity Provider with FedCM

3. Portability – Decentralized identity standards

As I map out these technologies, I'll also outline a rudimentary product plan for Weird as an identity provider for the IndieWeb. By the end it should be clear that Weird hopes to be one among many providers of such a service. That's how we collectively wrest back independent control of the web's identity infrastructure.

Commodified OIDC

It wasn't long ago that aspirations of being a root identity provider was reserved for large and mostly closed-source companies. Now this space is rife with open source solutions backed by single-vendor cloud companies or industry coalitions:

• https://ory.sh/
• https://zitadel.com/
• https://goauthentik.io/
• https://dexidp.io/
• https://keycloak.org/

Keycloak has been around forever. In the Supabase-logins example above, Keycloak stands out as the only open source option in the whole bunch.

Weird aims to appear on such lists as well. We keep our stack as lean as possible though, which boiled our search down to the perfect match I mentioned at the top of this article: Rauthy.

A Rauthy deployment with the embedded SQLite, filled caches and a small set of clients and users configured typically only uses between 17 and 22 MB of memory!

Rauthy's tiny footprint means we can realistically offer Weird as a self-hosted product for anyone who doesn't want to rely on our cloud service. In this first section however we'll focus on Weird as a cloud platform.

Now let's imagine what it would take to have 'Login with Weird' show up as an alternative on a real production service. For example, I'm an avid user of the read-it-later app Omnivore. Their login pa