this post was submitted on 27 Jul 2023
60 points (98.4% liked)
Fediverse
28480 readers
730 users here now
A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, KBin, etc).
If you wanted to get help with moderating your own community then head over to !moderators@lemmy.world!
Rules
- Posts must be on topic.
- Be respectful of others.
- Cite the sources used for graphs and other statistics.
- Follow the general Lemmy.world rules.
Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration), Search Lemmy
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I would prefer an OAuth-like solution where you can “Log in with” your home instance on other instances’ URLs.
Is there a way for your home instance to set a cross-site cookie, accessible by all federated servers, that would store its URL so that they automatically contact it for the login process? Setting up such a cookie should be optional but enabled by default on account creation, which would make federation very seamless. Ideally, it would happen without fetching JS from all federated servers, which would significantly load the tiny personal ones, although I doubt the technology is there.
Also, I assume that browsers block such cookies because they’ve been used to track people across websites.
And yeah, you could do that with browser extensions but you cannot get everyone to install one.
Is it so desirable to sent even more info, this time potentially non-public, if you decide to interact with the other instance?
This includes partial information about your online identity, namely identifying you uniquely. Not all instances should be considered trustworthy, so your log-in token may get re-used by a malicious instance to post things in your name here and there. Kind of a silly situation, favorable to spammers for example.
I don’t think the other site needs your login token. Assuming your home instance is
lemmy.menf.in
, I guess it would justlemmy.menf.in
lemmy.menf.in
that would verify your session with its own session token (if you don’t have automatic fediverse-wide login enabled, it will take you to a confirmation page first).lemmy.menf.in
. You can safely interact using your account now.Because the address bar URL remains the same, even non-technical users now understand that they’re viewing another instance while logged in via their own. Because this happens automatically for all instances whitelisted by
lemmy.menf.in
if you have automatic fediverse-wide login enabled, federation is now completely seemless and nobody complains. I understand that setting this up securely and compatibly might be difficult but could greatly simplify the UX because posts, comments, communities and user pages would have just one visible URL and no ambiguous IDs.Wouldn't that overload popular instances even more? Right now, popular instances only need to accommodate their users, but with a "fediverse-wide" auth, soon they'll also have to serve content to people who followed that popular link to their content?
I think the server load increase from cross-instance browsing will be low. The extra load only really comes when:
Anyway, I’m quite tech-savvy but one of the first things I saw on Lemmy was “if your account is hosted on another instance, you will not be able to log in” and thought “so federation does not exist?” I hope you understand how this is discouraging: at present, federation is anything but straightforward.
There's also a question of perspective. If you approach federation with the mindset that it will be like the sort of SSO you get with using google products, microsoft ecosystem, or facebook to log in to many websites, then yes: it's doesn't look straightforward.
If you approach it with the perspective that the coupling between fediverse applications being more loosely coupled, and have the way email work in mind, then it is actually more natural. Each application can do their own thing, and provide all or partial compatibility with the fediverse. Think of a blog application, which rely on the fediverse only for the comment section of each blog posts, but also does other things specific to that application. Taking the example of email again, nobody thinks they should be able to log-in to microsoft outlook using their gmail account, or to gmail using their home-made account, in order to read and send emails.
There's a narrative aspect to it too.