by camsjams 987 days ago
This did indeed work for Google (that's the only one I tried), but the details of how this works are best explained in this post: https://aaronparecki.com/2018/07/07/7/oauth-for-the-open-web

The above post was also linked from the obligator project's GH readme.

1 comments

IndieAuth is super super cool and a vital component to give control of the internet back to users, but I can't shake the security concerns.

Also, near the end of the article: using a security nightmare such as WordPress as your identity provider, what could go wrong? It only takes one single rogue plugin.

What security concerns specifically?

Someone breaking into a WordPress install due to a plugin's 0-day, for example, and then being able to log into all the accounts managed by that WP's OpenID server.