dickhardt commented on Eartho: Open-Source, Privacy-Focused Alternative to Google Sign-In   github.com/eartho-group/e... · Posted by u/thunderbong
dickhardt · a year ago
Eartho sounds like something a user wants. We have found that privacy is an added bonus, but that it is only one of many features a developer wants.

Adding yet another button that users don't understand confuses users.

I'm the founder of Hellō and we have a similar service that has cooperative governance. https://hello.coop/

FWIW it is a myth that Google uses where you login with Google for retargeting. Big Tech is always concerned about having to share user specific usage with US agencies. Google considers knowing where you login to be toxic data that they want to dump as quickly as possible. There are more than enough other signals for re-targeting.

dickhardt commented on Ask HN: Any comprehensive courses on Auth?    · Posted by u/bojangleslover
dickhardt · 2 years ago
Learning Digital Identity by Phil Windley is a great resource as long as you skip over the SSI parts

https://www.oreilly.com/library/view/learning-digital-identi...

dickhardt commented on Ask HN: Any comprehensive courses on Auth?    · Posted by u/bojangleslover
sgt · 2 years ago
There's also the RFC on OAuth2:

https://datatracker.ietf.org/doc/html/rfc6749

The introduction will give you a bit of a background. The most important to read (for now) is just the introduction up to chapter 2.

dickhardt · 2 years ago
Nice to hear that has stood the test of time. :)
dickhardt commented on Ask HN: Any comprehensive courses on Auth?    · Posted by u/bojangleslover
mooreds · 2 years ago
As mentioned elsewhere, I'd probably start with OAuth2.1 (not quite a standard but well on its way) as this updates the OAuth2 standard, as well as consolidates lots of improvements.

https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-09.htm...

dickhardt · 2 years ago
OAuth 2.1 has no new features. It is OAuth 2.0 rolled up with all the specs since 2.0. It is the better place to start for learning about delegated authorization.
dickhardt commented on Ask HN: Any comprehensive courses on Auth?    · Posted by u/bojangleslover
shadowbanned4 · 2 years ago
This is practical, but awful advice. Auth (z or n) has been very badly over engineered. You don't need anything more than http basic auth, the rest is just people with too much time on their hands. Oauth particularly is a travesty that their authors should be ashamed of.
dickhardt · 2 years ago
OAuth 2.0 took the best features of what was already being deployed by Google, Microsoft, Yahoo, etc. and added in scopes and refresh tokens. The objective was to standardize how to delegate authorization so that developers did not have to learn slightly different ways of doing effectively the same thing.

Typing your username and password into a 3P website so it could crawl your contacts was a horrible anti-pattern.

dickhardt commented on Show HN: Add auth to Next.js and deploy in 60 seconds – no manual config   blog.hello.dev/hello-in-6... · Posted by u/dickhardt
jsmarr · 2 years ago
Really impressive how many of the tricky pitfalls you've managed to automatically smooth over with this approach, love it!
dickhardt · 2 years ago
thanks! ... just like SSO -- it does not seem hard in a demo that has made it easy!
dickhardt commented on Show HN: Add auth to Next.js and deploy in 60 seconds – no manual config   blog.hello.dev/hello-in-6... · Posted by u/dickhardt
yodon · 2 years ago
No pricing information? Not really adoptable without that.
dickhardt · 2 years ago
Free login and verified email, unlimited MAU

https://www.hello.dev/pricing/

dickhardt commented on Show HN: Add auth to Next.js and deploy in 60 seconds – no manual config   blog.hello.dev/hello-in-6... · Posted by u/dickhardt
dickhardt · 2 years ago
Hey HN, I’m Dick Hardt[1][2][3], and I’m the founder of Hellō.

Hellō is a new paradigm in Identity as a Service that empowers the user, simplifies development, and has a much lower cost structure.

If you are building a new app, Hellō is faster (minutes) and cheaper (free) than the alternatives.

https://www.hello.dev/docs/comparison/

... especially if you are building with Next.js, Express, or Fastify and using our Quickstart which removes all the manual configuration so that you are running locally in a minute, and can be deployed fully configured a minute later.

We posted about our co-operative approach on HN last year https://news.ycombinator.com/item?id=33177705

Since then we have added support for Discord, GitHub, GitLab, Mastodon, and Twitter. If you are on a mobile device, you can enroll a passkey for future logins on that device. On the desktop, you can scan a QR code to login with your phone.

We expect you have more questions. https://www.hello.coop/pages/approach.html describes:

- Our approach
- How the cooperative works
- How we’ll fund Hellō with smart contracts
- Our guiding tenets
- How we protect people’s privacy
- Our architecture

Thanks for reading and trying! Please share your questions, impressions, criticisms, and requests here, or you can email me @ dick.hardt@hello.coop

[1] https://www.linkedin.com/in/dickhardt/ https://en.wikipedia.org/wiki/Dick_Hardt https://twitter.com/DickHardt

[2] https://datatracker.ietf.org/doc/html/rfc6749, https://datatracker.ietf.org/doc/html/rfc6750, https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/

[3] https://www.youtube.com/watch?v=RrpajcAgR1E

dickhardt commented on A Critique of World ID's OpenID Connect Provider   medium.hello.coop/worldco... · Posted by u/dickhardt
dickhardt · 2 years ago
Tl;dr: If you are a developer considering adding World ID to your project. Wait.

If you see an app using World ID. Be safe.

The OAuth Best Security Current Practices have not been followed. Combined with the following point, applications using World ID may be vulnerable to attacks.

The implementation is not compliant with the OpenID Connect specification. Times are in milliseconds instead of seconds, requests can be made without required parameters. Update Aug 9, these have been addressed.

The user’s privacy is being violated. The authorization page presents no information on what the application is requesting, nor on what worldcoin.org is releasing. There are no application terms of service and privacy policy links.

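As an added example (not part of the original post, and not code from Hellō or World ID), here is the relying-party check a developer can run on an ID token for the two OpenID Connect problems the critique names: timestamps in milliseconds instead of seconds, and missing required claims. The issuer, client id, nonce and token values are constructed; signature verification is assumed to have happened first.

```python
import base64
import json
import time

# Constructed sample ID-token payload (hypothetical issuer and client values).
# Signature verification is assumed to have already succeeded; these are the
# claim checks from OpenID Connect Core 3.1.3.7 plus a millisecond sanity check.
GOOD_PAYLOAD = {
    "iss": "https://issuer.example", "sub": "user-1", "aud": "my-client",
    "exp": 1_700_000_000, "iat": 1_699_999_400, "nonce": "n-1",
}

def decode_payload(compact_jwt):
    """Return the JSON payload of a compact-serialised JWT (no verification)."""
    seg = compact_jwt.split(".")[1]
    seg += "=" * (-len(seg) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(seg))

def claim_problems(payload, issuer, client_id, nonce, now=None):
    """List everything wrong with an ID token's claims; an empty list means OK."""
    now = int(time.time()) if now is None else now
    problems = [f"missing required claim: {c}"
                for c in ("iss", "sub", "aud", "exp", "iat") if c not in payload]
    if problems:
        return problems  # nothing else is meaningful without the required claims
    if payload["iss"] != issuer:
        problems.append("iss mismatch")
    auds = payload["aud"] if isinstance(payload["aud"], list) else [payload["aud"]]
    if client_id not in auds:
        problems.append("aud does not contain client_id")
    elif len(auds) > 1 and payload.get("azp") != client_id:
        problems.append("multiple audiences but azp is not client_id")
    times_ok = True
    for c in ("exp", "iat"):
        v = payload[c]
        if isinstance(v, bool) or not isinstance(v, int):
            problems.append(f"{c} is not an integer")
            times_ok = False
        elif v > 10**11:  # seconds since epoch stay below 1e11 until year 5138
            problems.append(f"{c} looks like milliseconds, not seconds")
            times_ok = False
    if times_ok:
        if payload["exp"] <= now:
            problems.append("token expired")
        if payload["iat"] > now + 60:  # small clock-skew allowance
            problems.append("iat is in the future")
    if nonce is not None and payload.get("nonce") != nonce:
        problems.append("nonce mismatch (missing or replayed)")
    return problems
```

A token whose `exp` is in milliseconds would otherwise pass a naive `exp > now` check for thousands of years, which is why the magnitude check runs before the expiry comparison.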
u/dickhardt

Karma: 119 · Cake day: October 26, 2009
About
20 years exploring idea maze for identity

Founder/CEO Hellō - https://hello.coop

Ported Perl 5 to Windows
Founder/CEO ActiveState & Sxip Identity
Led design of OAuth 2.0 and JWTs
Identity 2.0 https://www.youtube.com/watch?v=RrpajcAgR1E
https://www.linkedin.com/in/dickhardt/
@DickHardt
ex-MSFT, ex-AMZN
