Federating authentication

Hey folks, I’m not sure if there’s a topic for this because it’s something that I’ve seen people talk about elsewhere.

With the large number of potential ActivityPub platforms available, it would be nice to use one user account for multiple platforms, and have activities on all platforms broadcast from the auth provider. The process would look like this:

  1. Set up an actor/account at https://site-a.example/@actor
  2. Sign in to another platform on https://site-b.example/
  3. Create a resource on site b at https://site-b.example/resource - probably signed to prove authenticity
  4. Send a Create event from https://site-a.example/ to all of the actor’s followers

Step 1 can be done with OIDC.
Step 2 can use something like SOLID, but would additionally require a standardized API to ask the actor to sign the resource
I thought Step 3 could be done with C2S, but actually it would probably need something slightly different, because we don’t want to create any side effects - we’d want to describe an action that has already happened, not cause an action to happen as the C2S spec actually does.

Does anyone know any existing ways to accomplish this? Or am I coming at it from the wrong angle?

1 Like

Currently I don’t think any implementations would accept an activity owned by a domain different from the Actor. If they sent a Create it would be technically verifiable, but I don’t think we have any mechanism for fetching a Create from the created activity.

Note that I’m ignoring the suggestion of signatures, as that would probably have to be LDSigs and only a few implementations actually support those.

No, I don’t think any existing implementations would accept an activity from a different origin to the actor. Some of them might accept an activity from the same origin whose object is on a different origin, I don’t know.

But I am more thinking here about future implementations. If we could create a new platform to accomplish this task, how could it be achieved?

I don’t know - am not a developer myself - but I do think this would be a game-changer for ActivityPub adoption. I administer two instances of different fediverse applications, and users often assume they can use the same login credentials at both sites. If we could offer something like this I think people would add great value and make people more willing to try switching over to federated platforms.

1 Like

I took think that this is a crucial feature for driving AP adoption.