The battle between OAuth 1.0a, 2.0, and OIDC is really long and drawn out and doesn't seem to have a clear winner which I think is hurting everyone (though of course some companies are winning because they can support everything and offer that as value).
I sure do wish people would just standardize on OIDC...
It’s unfortunate. Big companies are pushing for OAuth 2.0 and trying to blindsided people as if it is an upgrade to OAuth 1.0a. It is not. OAuth 1.0a provides authenticity, integrity, and non-repudiation. Something that OAuth 2.0 does not provide.
large providers will drag their feet kicking and screaming because the prominent 'login with facebook / google' link are both selling point of their platform and monitoring opportunities for third party users.
But not the extensions the GP cites as meaning OIDC solves the same problem. And even if they did, I don't think it allows to isolate your identity from the identity provider you currently use, which seems to be a key aspect of IndieAuth: You can delegate the role of Identity Provider to a third party, but can change that third party, similar to how you could in "original" OpenID.
Of course you can isolate the identity from the identify provider. It's fully supported by OIDC. It's a main use case for every website that wants to manage its user accounts.
Right, seems I misunderstood it last time I looked at that spec or was misremembering, re-reading it one could of course point to an external service. Is there an actual implementation of that in the wild, that I e.g. could use with my e-mail address at my domain? Even support for discovery at all seemed basically non-existent.
It's already available if you use any of the major email provider.
If you want to provide it from your own domain, it's perfectly doable, but it takes a lot of work to setup. This won't be usable from other sites though because they won't trust yoursite.com
Discovery is non existent because it makes zero sense in practice.
It's not a subset, it's a superset (or built upon Oauth 2.0 if that's the more accurate way to put it) -- I just read through the OpenID Core spec[0] today since I felt like I didn't know enough about it.
Does anything actually implement discovery? I looked at various OpenID Connect implementations a while back and nobody seemed to support it. It's a pretty big user-education problem if you can't just say "you can use OpenID Connect", but have to explain "you can use OpenID Connect, provided your provider supports Extensions X and Y, and they probably don't clearly document that they do, so please just try logging in here and see if it works".
Quite a few things implement discovery. Most IDPs advertise metadata, and many RP libraries consume it by default. IDPs even motivate them to consume it by rotating signing keys pretty often.
Not many things support dynamic client registration, which means the list of IDPs a site can use are pretty static.
I sure do wish people would just standardize on OIDC...