[hardwaresofton]

The battle between OAuth 1.0a, 2.0, and OIDC is really long and drawn out and doesn't seem to have a clear winner which I think is hurting everyone (though of course some companies are winning because they can support everything and offer that as value).

I sure do wish people would just standardize on OIDC...

[woranl]

It’s unfortunate. Big companies are pushing for OAuth 2.0 and trying to blindsided people as if it is an upgrade to OAuth 1.0a. It is not. OAuth 1.0a provides authenticity, integrity, and non-repudiation. Something that OAuth 2.0 does not provide.

[LoSboccacc]

large providers will drag their feet kicking and screaming because the prominent 'login with facebook / google' link are both selling point of their platform and monitoring opportunities for third party users.

[Boulth]

Google and Microsoft are two big companies supporting OIDC.

[detaro]

But not the extensions the GP cites as meaning OIDC solves the same problem. And even if they did, I don't think it allows to isolate your identity from the identity provider you currently use, which seems to be a key aspect of IndieAuth: You can delegate the role of Identity Provider to a third party, but can change that third party, similar to how you could in "original" OpenID.

[user5994461]

Of course you can isolate the identity from the identify provider. It's fully supported by OIDC. It's a main use case for every website that wants to manage its user accounts.

[detaro]

Right, seems I misunderstood it last time I looked at that spec or was misremembering, re-reading it one could of course point to an external service. Is there an actual implementation of that in the wild, that I e.g. could use with my e-mail address at my domain? Even support for discovery at all seemed basically non-existent.

[user5994461]

It's already available if you use any of the major email provider.

If you want to provide it from your own domain, it's perfectly doable, but it takes a lot of work to setup. This won't be usable from other sites though because they won't trust yoursite.com

Discovery is non existent because it makes zero sense in practice.

[detaro]

Ok, so you confirm that while the standards theoretically exist, OpenID Connect doesn't provide those features from OpenID in practice (where they did make sense for some reason?)

You don't need trust to the domain if you just want "an identity" to recognize a user, which is the use case for many services: basically as soon as you allow e-mail + password sign-up, that's the only thing you get. OpenID did the same.

Delegation is helpful exactly because it is somewhat difficult to implement OAuth nicely. OpenID did the same.

Which I guess answers the original question of "why not OpenID Connect" with "because nobody in that ecosystem cares about those features, even if someone at some point wrote down how they can work".

[icebraining]

This won't be usable from other sites though because they won't trust yoursite.com

Why do they have to trust it at all?

[user5994461]

OpenID Connect is a subset of the OAuth 2.0 spec. They come in a bundle.

[hardwaresofton]

It's not a subset, it's a superset (or built upon Oauth 2.0 if that's the more accurate way to put it) -- I just read through the OpenID Core spec[0] today since I felt like I didn't know enough about it.

[0]: https://openid.net/specs/openid-connect-core-1_0.html