@Scott M. Stolz Sure! "Use Cases" sounds great. A "compare and contrast" with OAuth sounds great, too, but might give people the i...

OpenWebAuth doesn't Authenticate Specific Users?

2025-06-27 12:16:29

scott@loves.tech

There is some confusion over a specific paragraph in the OpenWebAuth spec. Some are interpreting it to mean that OWA does not authenticate a specific user, but simply says someone on the home instance logged in, but we don't know which one, therefore it is impossible to tell which user is authenticated.

That is obviously not how Hubzilla works since Hubzilla knows which user authenticated, but that is how people are interpreting this paragraph in the FEP.

Does anyone know what this paragraph is supposed to mean?

When the OpenWebAuth flow succeeds, the owt= query parameter will identify the user who is logged in to the home instance. This will be a user from the domain in the original zid= parameter, but may not be the exact same user.

https://codeberg.org/fediverse/fep/src/branch/main/fep/61cf/fep-61cf.md#3-target-instance-provides-a-token

show all 17 comments

2025-06-27 13:04:17

FenTiger

fentiger@zotum.net

@Scott M. Stolz If I'm logged in as fentiger@zotum.net and I visit a URL that ends with ..?zid=someoneelse@zotum.net, OpenWebAuth will send me back home, and I'll return with an owt= token that identifies me as fentiger@zotum.net.

It's important to trust the actor ID that signed the token request, rather than trusting the original zid= query parameter, to prevent me from being able to impersonate any other user on the same instance as me.

2025-06-27 13:06:03

Scott M. Stolz

scott@loves.tech

@FenTiger That is what I thought it means. I just had an argument with someone that claims that OWA does not authenticate individual users because the spec says "but may not be the exact same user."

2025-06-27 13:13:01

FenTiger

fentiger@zotum.net

@Scott M. Stolz Not too heated, I hope!

Maybe this section can be improved - and perhaps it should move into "Security Considerations" under a heading like "Impersonation Attack".

2025-06-27 13:23:24

Scott M. Stolz

scott@loves.tech

@FenTiger It was pretty heated. They said I was gaslighting. I told them we literally invented OpenWebAuth, so I think we would know.

2025-06-27 13:31:42

FenTiger

fentiger@zotum.net

@Scott M. Stolz Well, having written the FEP, I think I can reasonably claim to know exactly what that paragraph means; feel free to tell them that, if you like.

Maybe I'll find time to update it tomorrow (and hopefully I can sort out the other misunderstanding too, at the same time.)

2025-06-27 14:24:06

Scott M. Stolz

scott@loves.tech

@FenTiger They did calm down when I said Hubzilla invented OpenWebAuth in 2017, and then quoted what you said above. I think it was a case where they thought I was just some random person who did not know what he was talking about. It was heated but respectful.

2025-06-27 14:37:40

Scott M. Stolz

scott@loves.tech

@FenTiger I was also thinking of making some other changes too. When I talk to people about it, they seem to think it works like OAuth and don't understand the use cases OWA addresses. So adding a section on use cases might help people understand.

I can start writing a use cases section for inclusion.

And we might want to mention certain activities, like how to get someone's profile and avatar, since that is a question that came up. We could even point to other FEPs or the ActivityPub specs to explain how it is done, since I don't think OWA includes the full profile information.

Basically, explain some of their next options after they authenticate the user, emphasizing that OWA was meant to be flexible and work with multiple protocols, such as ActivityPub, Zot6, and Nomad.

2025-06-27 14:47:27

FenTiger

fentiger@zotum.net

@Scott M. Stolz Sure! "Use Cases" sounds great.

A "compare and contrast" with OAuth sounds great, too, but might give people the impression that they have to pick one or the other - which I don't think is necessarily true, though I haven't fully explored the implications of merging them.

Using OWA with ActivityPub, as described in the FEP, requires fetching (and bidirectionally verifying) the AP actor record, in order to find the user's public key. Once you've got it, you've got their name and profile picture too; that's where FedIAM gets them from. Maybe this is worth mentioning.

I don't know how it works when it's paired with Zot/Nomad. If you have any technical details on these protocols then maybe they're worth including - but I'm a bit doubtful that anyone will ever want to reimplement them, so maybe this info will just confuse things.

2025-06-27 14:48:59

Scott M. Stolz

scott@loves.tech

Speaking of which, if OWA does not send profile information, such as display name and avatar, maybe it should. Because we can't assume that other platforms will use the same protocols for communication. Will an ActivityPub only platform be able to get the display name and avatar and profile of a Zot only user, for example?

How would such a situation be handled?

2025-06-27 14:58:55

Scott M. Stolz

scott@loves.tech

@FenTiger

A "compare and contrast" with OAuth sounds great, too, but might give people the impression that they have to pick one or the other - which I don't think is necessarily true, though I haven't fully explored the implications of merging them.

I think it is more a situation where each has a different use case.

OWA allows someone@example.social to log into example.com as someone@example.social, and example.com determines what someone@example.social can do on example.com. Example.com cannot impersonate support@example.social, nor can example.com control example.social on behalf of the user.

Whereas with OAuth, you can set it up so that example.com becomes an agent for someone@example.social and depending on how you set it up, example.com can manipulate example.social on behalf of the user.

Or at least that is the layman's explanation of it. In that sense, OWA is simpler to set up, and also purposefully limits the scope of power example.com has in relation to example.social.

2025-06-27 15:03:48

FenTiger

fentiger@zotum.net

@Scott M. Stolz This is all true - but a lot of people think of OAuth as an authentication protocol.

As you point out, it's not - it's an authorisation protocol, with authentication layered on top - but this is what a lot of people think.

Maybe we should try to emphasise the distinction.

2025-06-27 15:17:25

Scott M. Stolz

scott@loves.tech

@Scott M. Stolz

Speaking of which, if OWA does not send profile information, such as display name and avatar, maybe it should. Because we can't assume that other platforms will use the same protocols for communication.

Maybe we can provide a way of including the display name and avatar of the authenticated user as part of the OWA authentication process. Make it optional, and state that as a fallback, you would use other methods to get this information (and provide a list of the fallback methods). That way the protocol remains backwards compatible, while providing additional information for those who want to utilize it.

2025-06-27 15:33:52

FenTiger

fentiger@zotum.net

@Scott M. Stolz Stepping back a little - I have a half-formed list of things that I would suggest changing about OWA, but I haven't yet got around to writing it up.

My plan was for FEP-61cf to document OWA as it exists today, and then follow it up at some point with a discussion of potential changes, possibly leading to a subsequent FEP on "OpenWebAuth 2.0" further down the line, leaving FEP-61cf as a more historical document.

Does this sound like a sensible approach to you?

2025-06-27 15:38:57

Mario Vavti

mario@hub.somaton.com

@Scott M. Stolz discovery is done with webfinger which provides all the necessary information...

2025-06-27 15:51:17

Scott M. Stolz

scott@loves.tech

@Mario Vavti That's what I thought. We should probably mention that in the spec.

2025-06-27 15:54:33

Scott M. Stolz

scott@loves.tech

@FenTiger It sounds like a sensible approach to me, but @Mario Vavti and @Mike Macgirvin 🖥️ would be the ones implementing it, so it depends on what they think.

2025-06-30 01:33:50

Scott M. Stolz

scott@loves.tech

@FenTiger I updated MagicSignOn.org with use cases and added a brief comparison between OAuth and OpenWebAuth.

Use Cases:

https://magicsignon.org/page/openwebauth/uses

New Home Page:

https://magicsignon.org/page/openwebauth/home

Sorry, you have got no notifications at the moment...