by StavrosK 3217 days ago
Isn't the "problem" with this that you can't get arbitrary websites to talk to your OAuth2 server? For example, even though, say, Gitlab, supports OAuth2 login with Github, I can't get it to authenticate with stavros.io.

This is the problem Portier (https://portier.github.io/) and OIDC aim to solve, ie to be able to auth on any website with an auth instance you run.

I love this idea because it's much easier to secure one thing whose sole purpose is authentication than to secure every thing you want to authenticate on.


I'm not sure if I understood you correctly. Delegation of authentication usually implies trust between the two parties. GitLab (the hosted version) probably does not trust stavros.io enough to allow people to log in through there.

Portier does look very nice; maybe I'll set up a tutorial on how to get those two working together for full authentication (Portier) + authorization (Hydra) using only open source technology.

Why does GitLab have to trust anyone? It's the user that has to trust stavros.io not to tell GitLab that other people are authorized.

It's no different than a regular email/password login (with password recovery): if I register with user@stavros.io, then that email server becomes empowered to give access to the GitLab account to anyone it wants. But that's not GitLab's problem.

See also OpenID.
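The trust argument in the comment above (the identity provider can vouch for its own users, but a relying party should not let it vouch for anyone else) can be made concrete on the relying-party side. The following is an added, self-contained example and not code from Portier, GitLab or this thread: it mints and verifies a minimal signed token with an HMAC stand-in for a real OIDC signature, and the rule that the issuer may only assert emails under its own domain models the comment's argument rather than Portier's broker design, which vouches for any address it has verified by other means.

```python
import base64, hmac, hashlib, json
from urllib.parse import urlparse

# Constructed demo keys, one per issuer. A real relying party fetches each issuer's
# public signing keys via OIDC discovery (/.well-known/openid-configuration) and
# verifies an RS256/ES256 signature instead of this shared-secret HMAC stand-in.
ISSUER_KEYS = {"https://stavros.io": b"demo-key-stavros", "https://other.example": b"demo-key-other"}
CLIENT_ID = "gitlab-rp"  # the client identifier this relying party expects in `aud`

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(issuer: str, email: str, now: int, ttl: int = 300, aud: str = CLIENT_ID) -> str:
    """Issuer side (hypothetical helper): mint a token asserting `email` for `aud`."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"iss": issuer, "aud": aud, "email": email,
                               "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(ISSUER_KEYS[issuer], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token: str, now: int) -> tuple:
    """Relying-party side: return (accepted_email, "ok") or (None, rejection reason)."""
    try:
        header, payload, sig = token.split(".")
        claims = json.loads(_unb64(payload))
        sig_bytes = _unb64(sig)
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return None, "malformed token"
    key = ISSUER_KEYS.get(claims.get("iss"))
    if key is None:
        return None, "unknown issuer"  # we only accept issuers whose keys we can check
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return None, "bad signature"  # a real verifier must also pin the allowed `alg`
    if claims.get("aud") != CLIENT_ID:
        return None, "token minted for another relying party"
    if claims.get("exp", 0) <= now:
        return None, "expired"
    email = claims.get("email", "")
    issuer_host = urlparse(claims["iss"]).hostname
    if not email.endswith("@" + issuer_host):
        # Scope of delegated trust: stavros.io may vouch for @stavros.io, nothing else.
        return None, "issuer may only vouch for its own domain"
    return email, "ok"
```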

Exactly, and OpenID Connect adds an authentication layer over OAuth2 for this exact purpose. If we manage to build that future, it will be very useful and quite exciting, at least to me. There won't be compromised passwords any longer, just the one password you can easily change.

You are ten years too late. The original OpenID did exactly this, and quite a few sites (especially tech-focused sites) let you sign in with it. Except then along came Google and Facebook with their proprietary login systems, and everyone jumped ship to those as they offered access to profiles rather than just a domain and possibly an email address.

We first worked on this problem at Netscape just after the AOL acquisition in 1998. It turns out to be impossible because: show me the money. Something we figured out within a few weeks back then.

Which is precisely why DNS and SMTP have failed miserably.
> You are ten years too late.

As in, what I want has been working for ten years?

I'm obviously not late at all, since websites still won't let me delegate my auth.

The few that allowed OpenID 10 years ago did let you delegate your auth. OAuth and OpenID Connect killed that.

Not just the data, but also using Facebook or Google accounts means your users are much more likely to be real people instead of spam bots.

If you have questions for the Portier side of things for that, send me a mail (in profile). A tutorial like that would be very cool.

In my mind, this would mostly be to have OAuth2 on your own server, allowing self-managed combined with external authentication sources like GitHub.