I’ve made some more updates to this FEP since my last post on this thread:
- Add a sequence diagram (PR in review)
- Mention that the `zid=` login mechanism can work with other authentication protocols too
- Mention the risk of mixup attacks introduced by doing the above
- Point out that a session cookie is typically used to check if the user is logged in
- Briefly discuss the question of how a remotely logged in user can post to the Fediverse; mention that Hubzilla does this by signing posts using the target instance’s key
- Some other minor updates based on attempting to implement it
On another note, step 6 of the FEP process states:
If after 1 year the authors have not requested the proposal to be finalized, a facilitator should inquire about the status of the proposal.
Preempting this: I have not yet requested finalization for this FEP because there’s an important use case which it doesn’t cover yet: authentication/authorization of media file fetches.
Suppose that
- Alice posts an image file to her instance, without making it public. Bob is allowed to view this image, but other users in general are not.
- Bob visits his instance at `bob.example` and sees Alice’s limited-visibility post, which contains an image tag pointing to her instance: `<img src="https://alice.example/my-private-picture.jpg">`
OpenWebAuth can be used to demonstrate to Alice’s instance that Bob’s web browser should be allowed to retrieve the image. I don’t think this FEP should be considered to be “FINAL” without a detailed description of how this mechanism works.
Any objections to this?