There is some confusion over a specific paragraph in the OpenWebAuth spec. Some are interpreting it to mean that OWA does not authenticate a specific user, but simply says someone on the home instance logged in, but we don't know which one; therefore, it is impossible to tell which user is authenticated.
That is obviously not how Hubzilla works since Hubzilla knows which user authenticated, but that is how people are interpreting this paragraph in the FEP.
Does anyone know what this paragraph is supposed to mean?
When the OpenWebAuth flow succeeds, the owt= query parameter will identify the user who is logged in to the home instance. This will be a user from the domain in the original zid= parameter, but may not be the exact same user.
https://codeberg.org/fediverse/fep/src/branch/main/fep/61cf/fep-61cf.md#3-target-instance-provides-a-token