Oddbean new post about | logout
RebelOfBabylon | 4 months ago (raw) | root | parent | reply | flag +1 
 What if we use OIDC. You're building your app and you want to allow nostr login. Your app uses OIDC via a nostr ID provider. This nostr ID provider connects with an app you have on your phone which is where your nsec is. Whenever you click "login with nostr" the nostr app uses OIDC and pings the nostr ID provider. Nostr ID provider then provides a NIP-97 auth URI back to the nostr app. Nostr app displays this URI as a QR code. Using the app on your phone, you scan this QR code. This will then prompt you to confirm you want to log into this site, and even what info you'd like to share with this site. All your personal info is stored only locally on device in the app and you could even create different profiles for different sites. Once you confirm, your app sends that in the form of NIP-97 auth message to nostr ID provider. Nostr ID provider then creates session token, refresh token and ID token and gives it back to nostr app. Voila you're logged in and you never had to enter your nsec anywhere.
jb55 | 4 months ago (raw) | root | parent | reply | flag +1 
 🤔 people still use oidc ? Interesting idea, Will have to dedicate some cycles to think about this later
semisol | 4 months ago (raw) | root | parent | reply | flag 
 there is openid which no one uses
and there is openid connect which is basically a majority of enterprise implementations along with SAML

unfortunately no what you are saying used openid not openid connect

and a “nostr identity provider” defeats the entire point since you can just use passkeys or the npub directly depending on need
RebelOfBabylon | 4 months ago (raw) | root | parent | reply | flag 
 Why would it defeat the point entirely? The nostr ID provider gives the nostr app a session token, refresh token and ID token so that you don't continuously have to log in everytime you click a button on the page.
semisol | 4 months ago (raw) | root | parent | reply | flag 
 what do you need a refresh token for if you are getting an npub once
how do you trust the ID provider
RebelOfBabylon | 4 months ago (raw) | root | parent | reply | flag 
 Refresh token so you don't need to log in every 15 minutes (because session token should not be long lived). There isn't much trusting to do with the ID provider. You have to trust that the software works. It's like using the "login with Google" or "login with Facebook" buttons. They also use OIDC. In those cases, you have to trust them with your personal info. With this nostr ID provider, you hold the personal info on your device. We can maybe have some sort of encryption scheme between the nostr app and your phone app to make sure the info doesn't leak in transit. And tbh so far nostr apps have asked for your name, username, maybe an email. You can always enter fake or burner info in your device app so that nostr ID provider gets nothing. Its a very low trust system IMO.
semisol | 4 months ago (raw) | root | parent | reply | flag 
 please read up on what a refresh token is for
RebelOfBabylon | 4 months ago (raw) | root | parent | reply | flag 
 Lol I know what it's for. I don't think you're following this convo.
remcoros | 4 months ago (raw) | root | parent | reply | flag 
 OAuth/OIDC flows are perfect for this, no need to reinvent the wheel and OIDC support in libraries/frameworks is pretty solid these days. Which makes integrating this in apps quiet easy I suppose if you can expose OIDC compliant "nsec bunker" endpoints.
the axiom | 4 months ago (raw) | root | parent | reply | flag 
 I thought pablo had invented an oauth-like login method, no?