Comment by clhodapp
8 months ago
OpenID Connect can totally work that way if used with WebFinger for endpoint discovery, and occasionally this is implemented (though many websites do not).
Hm, so the point of adding this additional hop (which is also a JSON under the .well-known/ prefix) is that I can always put the domain of my homepage into WebFinger-aware OIDC login boxes, with no need to remember the domain of my OIDC provider?
Yes. This is how, for example, Tailscale implements bring-your-own identity provider: https://tailscale.com/blog/custom-oidc
It is, to date, the only non-selfhosted service with which I can use my self-hosted SSO setup.
I feel like I remember StackOverflow (and related sites) having OpenID login as an option, but I don't see it anymore. I figure they removed it due to low popularity.
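The discovery hop discussed in this thread, sketched from the relying party's side as an added example (not code from any commenter or from Tailscale): it builds the WebFinger query for a `user@host` identifier, extracts the issuer from the JSON response, and checks that the provider's configuration names that same issuer. The identifier, hosts and JSON documents are constructed; the subject-match and single-link rules are policy choices of this example.

```python
from urllib.parse import urlencode, urlsplit

# Link relation defined by OpenID Connect Discovery 1.0 for issuer lookup.
ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

def webfinger_url(identifier: str) -> str:
    """Build the WebFinger query for a user@host login identifier."""
    user, sep, host = identifier.rpartition("@")
    if not sep or not user or not host:
        raise ValueError("expected user@host")
    query = urlencode({"resource": f"acct:{identifier}", "rel": ISSUER_REL})
    return f"https://{host}/.well-known/webfinger?{query}"

def issuer_from_jrd(jrd: dict, identifier: str) -> str:
    """Return the issuer advertised for identifier, or raise ValueError."""
    # Policy of this example (stricter than RFC 7033 requires): the answer
    # must be about the account that was asked for.
    if jrd.get("subject") != f"acct:{identifier}":
        raise ValueError("JRD subject does not match the requested resource")
    hrefs = [link.get("href") for link in jrd.get("links", [])
             if link.get("rel") == ISSUER_REL]
    if len(hrefs) != 1 or not isinstance(hrefs[0], str):
        raise ValueError("expected exactly one issuer link")
    parts = urlsplit(hrefs[0])
    if parts.scheme != "https" or not parts.hostname or parts.query or parts.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    return hrefs[0]

def provider_config_url(issuer: str) -> str:
    """Second hop: the provider metadata document under the issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_provider_config(config: dict, issuer: str) -> None:
    """The metadata must name exactly the issuer WebFinger pointed at."""
    if config.get("issuer") != issuer:
        raise ValueError("issuer in provider metadata does not match discovery")

# Constructed sample data: homepage domain example.org, provider sso.example.net.
SAMPLE_ID = "alice@example.org"
SAMPLE_JRD = {"subject": "acct:alice@example.org",
              "links": [{"rel": ISSUER_REL, "href": "https://sso.example.net"}]}
SAMPLE_CONFIG = {"issuer": "https://sso.example.net",
                 "authorization_endpoint": "https://sso.example.net/authorize"}

if __name__ == "__main__":
    issuer = issuer_from_jrd(SAMPLE_JRD, SAMPLE_ID)
    check_provider_config(SAMPLE_CONFIG, issuer)
    print(webfinger_url(SAMPLE_ID), "->", provider_config_url(issuer))
```

The exact-match check on `issuer` is what keeps a WebFinger answer from redirecting a login to metadata served by a different party than the one it names.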