 🤔 people still use oidc? Interesting idea, will have to dedicate some cycles to think about this later 
 there is openid which no one uses
and there is openid connect which is basically a majority of enterprise implementations along with SAML

unfortunately no what you are saying used openid not openid connect

and a “nostr identity provider” defeats the entire point since you can just use passkeys or the npub directly depending on need 
 Why would it defeat the point entirely? The nostr ID provider gives the nostr app a session token, refresh token and ID token so that you don't continuously have to log in every time you click a button on the page.  
 what do you need a refresh token for if you are getting an npub once
how do you trust the ID provider 
 Refresh token so you don't need to log in every 15 minutes (because session token should not be long lived). There isn't much trusting to do with the ID provider. You have to trust that the software works. It's like using the "login with Google" or "login with Facebook" buttons. They also use OIDC. In those cases, you have to trust them with your personal info. With this nostr ID provider, you hold the personal info on your device. We can maybe have some sort of encryption scheme between the nostr app and your phone app to make sure the info doesn't leak in transit. And tbh so far nostr apps have asked for your name, username, maybe an email. You can always enter fake or burner info in your device app so that nostr ID provider gets nothing. It's a very low trust system IMO. 
 please read up on what a refresh token is for 
 Lol I know what it's for. I don't think you're following this convo. 
 OAuth/OIDC flows are perfect for this, no need to reinvent the wheel and OIDC support in libraries/frameworks is pretty solid these days. Which makes integrating this in apps quite easy I suppose if you can expose OIDC compliant "nsec bunker" endpoints. 
 I thought pablo had invented an oauth-like login method, no?