Why can’t we have federated identity to log in to the fediverse instead of creating a login for each instance?

  • donuts (42 points, 2 years ago)

    You don’t create a login for each server, you create a single account on a single server and then interact with people and posts on various servers. You don’t login to other servers because it wasn’t designed to work that way, and it isn’t necessary.

    Email is a good parallel. I make an email account on ProtonMail, and so that’s where I log in to read and write emails (to other users, potentially on other servers). I can’t use that same username and password to log into GMail, because that’s a different email service provider altogether. You certainly don’t need to make multiple email accounts if you don’t want/need to.

    • Your Huckleberry (6 points, 2 years ago)

      So should we display full usernames by default? What’s going to happen when someone important, IRL, wants to interact with Lemmy?

      • @Pyro@pawb.social (15 points, 2 years ago)

        In a way, yes. It’s similar to email: you need to know if you’re @gmail or @yahoo.

        As for “important” people, same noteworthiness as any other thing. The only extra thing they could do, if they are with a company, is have a server that is @target, @mbl or @meta (though everyone might block the latter xp)

        • @SQL_InjectMe@partizle.com (2 points, 2 years ago, edited)

          When you put it that way, the fediverse is probably better for official companies. I suppose that’s what Bluesky was doing with their protocol too.

  • Kichae (10 points, 2 years ago)

    So, anyone can spin up a Lemmy website. They’re all independent sites, with independent and unaffiliated admins.

    In order to sign in to a website with a given set of credentials, that website needs to know something about those credentials. Importantly, they need to know something about your password.

    And that’s a security nightmare that no user should be ok with.

    Now, there are single sign-on (SSO) possibilities, but for them to be universally accessible across the Fediverse, you either need to impose them on 20,000 admins across two dozen software implementations, or you need them all to a) agree to support SSO, and b) agree to support the same SSO options.

    Despite the fact that most of these websites look the same, they’re all completely different websites, and while they can be treated, on first glance, as having the same content, they’re very different places run by very different people. They can’t be treated like a singular entity.

    • masterspace (2 points, 2 years ago, edited)

      Now, there are single sign-on (SSO) possibilities, but for them to be universally accessible across the Fediverse, you either need to impose them on 20,000 admins across two dozen software implementations, or you need them all to a) agree to support SSO, and b) agree to support the same SSO options.

      Yeah, this is the real crux of the issue and is a large unsolved problem. We simply have no standardized system for decentralized identity verification.

      SSO works as a way of maintaining identity across the fediverse, but that’s not really federating identity so much as it’s getting all instances to offload identity verification to various central services.

      I believe I heard Microsoft had a research project in the area of decentralized identity verification but I don’t know if it went anywhere or how suitable it would be.

      • anji (1 point, 2 years ago, edited)

        But do we need some kind of SSO layer with DID verification? All I need to prove my identity anywhere, technically, is my private+public keypair. As long as I hold on to this keypair, distribute it between apps/computers, back it up, I could log in anywhere on a federated platform and use it.

        I hope we’re going to see key-based decentralized identity on ActivityPub at some point… Having accounts tied to instances is just not very robust or scalable.

      • theJoker8814 (3 points, 2 years ago)

        @masterspace @mango_master @Kichae

        The matter of fact is, in simple terms, for SSO to work every fediverse implementation has to agree on a standard for federated authentication.
        Maybe I’m just not seeing the issues or don’t really grasp the fediverse and its implementations yet.

        My idea, every fediverse instance is unique (no matter the implementation, i.e. mastodon, lemmy, pixelfed,…).

        • theJoker8814 (2 points, 2 years ago)

          @masterspace @mango_master @Kichae

          If that’s given, every entity (@‘person, @‘community, …) on each instance is unique.
          Therefore, there can never be a duplicate identity = <entity>@<instance.domain>
          Which allows the general assumption (all implementations adhere to the standard) that each instance (the homing instance, where the user is based) can verify every identity within its domain.

  • @DreadTowel@lemmy.world (6 points, 2 years ago)

    It’d be great to support identity based on a key hash, so that it’s completely decoupled from any instances. Maybe some time in the future.

  • @BJHanssen@lemmy.world (26 points, 2 years ago, edited)

    The technical challenges are vast, is the long and short of it. But it’s high time there’s a good discussion over how it should (or might) work, at least the kinds of properties such a system should have.

    • Self hosting of federated credentials should be possible, but not required
    • ‘Backwards tracking’ of federated credentials should only be possible with limited requests (e.g. ‘verify author of post’) and approval of the credential owner
    • All data on the credentials instance should be properly encrypted
    • All data on credentials instance should be fully and easily portable to other instances via common protocols

    There are several issues involved here, beyond just ‘mere’ technology, that need addressing. Personally I think a good start might be to engage with public libraries here. They already keep simple identity records (library cards) and have a public service purpose well-aligned with the concepts of the federation and public distribution of information and knowledge.

    • DingDongBell (2 points, 2 years ago)

      Well, if we can move to another instance and migrate our saved posts, post and comment history and subscribed communities easily, this might drive adoption, because people are used to centralized platforms.

    • @mockingben@sh.itjust.works (3 points, 2 years ago)

      From my understanding, a current goal is to make any account transferable, in case the instance the account is attached to decides to shut down/defederate?

      If implemented, we can hope that won’t be tied to an instance shutdown.

    • @dingus@lemmy.world (3 points, 2 years ago, edited)

      This is why I’m not really on board with the people that advocate for others to seek out and join small instances unless they are older, well established, and active.

    • nLuLukna (5 points, 2 years ago)

      This was thrown around a couple of weeks before the Reddit migration really kicked off; it appears to be excessively difficult to code. And it also doesn’t really fit with the system that Lemmy runs. It’s a great idea, but I’ve been led to believe that it is too difficult to create, although people do feel that account transfer would be a nice feature.

    • sab (8 points, 2 years ago)

      If your instance shuts down your posts will still be visible on the other servers that your instance was federating with. Which might raise concerns if you want to have them removed, but that’s another issue.

      On Mastodon it’s possible to move from one instance to another, taking your followers and the list of people you follow along with you and having the old account point to the new one. In the threadiverse, the most important feature would probably be to not have to manually re-subscribe to a bunch of communities. I think this moving of accounts from one instance to another will probably become standardized at some point in the future, so that you could for example move an account from Mastodon to Lemmy if you should wish. It’s probably pretty far down on the list of priorities though.

      In my opinion, the idea of a hierarchy of users as enforced on Reddit through karma is a bit obsolete. I think we’re posting and commenting out of interest in the topic or a willingness to help or entertain. If that’s the motivation, I don’t see how starting over on a different server is such a bad thing; you’re not really losing anything. We’re not here hoarding upvotes like a dragon hoards gold.

  • Muddybulldog (45 points, 2 years ago, edited)

    There’s a difference between a federated identity and single sign-on. Your identity /u/mango_master@lemmy.world IS federated. You don’t need to have a separate login for each instance. You can use that identity to interact with any instance much the same way I am using my federated identity to currently respond to you.

    • masterspace (5 points, 2 years ago)

      I think what they mean is identity that is coupled to them the person and not whichever instance they choose to sign in on.

    • mtdyson_01 (7 points, 2 years ago)

      I do not have the same experience. If I want to interact with a different instance then I have to login to that instance. Granted I’m very new to Lemmy but so far the apps are not quite there yet and exploring the fediverse is difficult. Searches are useless unless you know exactly what instance you need to find what you’re looking for.

    • @something_random_tho@lemmy.world (2 points, 2 years ago)

      This works great for apps. But I want to use the web interface to post a reply to content that’s not on my home instance. I can’t do that easily.

      • Muddybulldog (3 points, 2 years ago)

        Gotcha. As others have already mentioned it is obtuse. If you end up at the post via your own instance it works but if someone links directly to the canonical post then you get confronted with needing to login. e.g. I see this post as https://mylemmy.win/post/114914, so I can interact just fine whereas if someone sent me the link to https://lemmy.world/post/1194109 (same post, different entry point) I’m stuck.

      • mmaramara (1 point, 2 years ago)

        What interface are you using now? I’m responding to this thread from the kbin.social instance using the kbin web client.

        • @something_random_tho@lemmy.world (3 points, 2 years ago)

          If you post a link to this, then I click that link, I am unable to reply directly, since I am on lemmy.world. I would need to first track down the equivalent post in my instance to reply. SSO solves this

          • mmaramara (3 points, 2 years ago)

            Oh I see. Yeah, there could be a feature (a browser addon would work too) that reads the webpage meta data before opening it, and pops a “Open in kbin/lemmy/whatever?” window.

      • mack123 (1 point, 2 years ago)

        That should just work. You view the post on your own instance and reply there. That response trickles to the other instances.

        It may take a while to propagate though. The paradigm is close to that of the ancient nntp news groups where responses travel at the speed of the server’s synchronisation. It may be tricky for rapid fire conversation, but works well for comments of articles.

        • vaguerant (6 points, 2 years ago)

          I believe they’re talking about a situation where somebody is like …

          Wow, everybody check out this amazing thread! https://someother.instan.ce/post/1194109

          Anybody who sees that link and is not already from someother.instan.ce now has to track down that post on their home instance in order to interact with it, which is a bad experience. It’s not the absolute worst thing in the world, like the home URL for the discussion we’re in right now is https://lemmy.world/post/1194109 and if you paste that URL into your local domain’s search it should find you the relevant discussion locally, but it still kinda sucks. In theory this would be sort of solve-able on the server end by having it search for any instance links behind the scenes and re-write other people’s links to point to the equivalent page on your own instance, but right now there’s no “nice” way to handle that situation.

          • mack123 (3 points, 2 years ago)

            Agreed on your point. We need a way to identify those links so that our browser or app can automatically open them through our own instance.

            I am thinking along the lines of a registered resource type, or maybe a central redirect page, hosted by each instance, that knows how to send you to your instance to view the post there.

            I am sure it is a problem that can be solved. I would however not be in favour of some kind of central identity management. It is too easy a choke point and will take autonomy away from the instances.

      • sab (4 points, 2 years ago)

        Should be @mango_master if all is working correctly, actually ;)

        The threadiverse is a bit complicated since there needs to be a way of distinguishing between users and groups, but the @user@host.org format is standardized across the fediverse.
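
The @user@host.org lookup sab refers to is WebFinger (RFC 7033): a client asks host.org for the resource acct:user@host.org and gets back a JSON Resource Descriptor whose rel="self" link of type application/activity+json is the ActivityPub actor. This also bears on theJoker8814’s point above that <entity>@<instance.domain> is unique and that the home instance is the authority for it. The block below is an added example written for this page, not code from the thread or from any fediverse project. The handle alice@example.social and both JSON responses are constructed; the two checks it performs (the response’s subject must match what was asked for, and the actor must live on the handle’s own host) are a conservative policy of this example, not something the spec mandates.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Handle is a parsed fediverse address of the form @user@host.
type Handle struct {
	User string
	Host string
}

var (
	userPart = regexp.MustCompile(`^[A-Za-z0-9_.-]+$`)
	// bare domain only: labels of letters, digits and hyphens, at least one dot,
	// no port, path, scheme or second "@" smuggled in
	hostPart = regexp.MustCompile(`^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$`)
)

// ParseHandle accepts "@user@host" or "user@host" and rejects anything else.
func ParseHandle(s string) (Handle, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "@")
	parts := strings.Split(s, "@")
	if len(parts) != 2 {
		return Handle{}, errors.New("handle must be user@host")
	}
	user, host := parts[0], strings.ToLower(parts[1])
	if !userPart.MatchString(user) {
		return Handle{}, fmt.Errorf("bad user part %q", user)
	}
	if !hostPart.MatchString(host) {
		return Handle{}, fmt.Errorf("bad host part %q", host)
	}
	return Handle{User: user, Host: host}, nil
}

// WebFingerURL is the RFC 7033 lookup for the handle's acct: resource.
func (h Handle) WebFingerURL() string {
	q := url.Values{}
	q.Set("resource", "acct:"+h.User+"@"+h.Host)
	return "https://" + h.Host + "/.well-known/webfinger?" + q.Encode()
}

// jrd is the subset of the JSON Resource Descriptor this example reads.
type jrd struct {
	Subject string `json:"subject"`
	Links   []struct {
		Rel  string `json:"rel"`
		Type string `json:"type"`
		Href string `json:"href"`
	} `json:"links"`
}

// ActorURL extracts the ActivityPub actor URL from a WebFinger response body.
// It insists that the server answered for the subject we asked about and that
// the actor lives on the handle's own host, so one instance cannot hand back an
// actor that claims to be a user of a different instance.
func ActorURL(h Handle, body []byte) (string, error) {
	var doc jrd
	if err := json.Unmarshal(body, &doc); err != nil {
		return "", err
	}
	want := "acct:" + h.User + "@" + h.Host
	if !strings.EqualFold(doc.Subject, want) {
		return "", fmt.Errorf("subject %q does not match requested %q", doc.Subject, want)
	}
	for _, l := range doc.Links {
		if l.Rel != "self" || l.Type != "application/activity+json" {
			continue
		}
		u, err := url.Parse(l.Href)
		if err != nil || u.Scheme != "https" {
			return "", errors.New("actor link is not an https URL")
		}
		if !strings.EqualFold(u.Hostname(), h.Host) {
			return "", fmt.Errorf("actor host %q differs from handle host %q", u.Hostname(), h.Host)
		}
		return l.Href, nil
	}
	return "", errors.New("no self link of type application/activity+json")
}

// Both responses are constructed for this example, not captured from a real
// server. The second is what a hostile or misconfigured instance might return:
// a self link pointing at another domain.
const sampleJRD = `{"subject":"acct:alice@example.social",
 "links":[{"rel":"http://webfinger.net/rel/profile-page","type":"text/html","href":"https://example.social/@alice"},
          {"rel":"self","type":"application/activity+json","href":"https://example.social/users/alice"}]}`

const spoofedJRD = `{"subject":"acct:alice@example.social",
 "links":[{"rel":"self","type":"application/activity+json","href":"https://attacker.example/users/alice"}]}`

func main() {
	h, err := ParseHandle("@alice@example.social")
	if err != nil {
		panic(err)
	}
	fmt.Println("lookup:", h.WebFingerURL())
	actor, err := ActorURL(h, []byte(sampleJRD))
	fmt.Println("actor:", actor, err)
	_, err = ActorURL(h, []byte(spoofedJRD))
	fmt.Println("spoofed response rejected:", err)
}
```

The same-host rule is the safe default but not universal: some deployments serve WebFinger from an apex domain and actors from a subdomain, and a real client would carry an explicit allowlist for those rather than relax the check for everyone.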

        • Muddybulldog (3 points, 2 years ago, edited)

          It’s funny because using the /u/ format seems to work just fine in the web interface, creating the proper link. Typing it out in the @ format doesn’t automatically create the hyperlink when I type it, but yours works just fine. ¯\_(ツ)_/¯

          • sab (2 points, 2 years ago, edited)

            Also the /u/ format works when viewed in the Lemmy web interface, but not necessarily inside apps or from other federated services. :)

            It also probably doesn’t count as a mention, so the user won’t be notified even if they have that enabled in the settings.

      • e569668 (7 points, 2 years ago)

        I attended a talk in 2019 by Sir Tim Berners-Lee on Solid, which sort of seems related to what you are getting at. The idea being that you own your data/identity, and can decide to share it with third parties. It goes over things like files, but I believe login identities were also meant to be part of it, I see when I scroll down:

        authenticated by a decentralized extension of OpenID Connect

        I’ve been wondering recently, especially with Pixelfed adding login with Mastodon recently, if anyone has heard or experienced anything with that project. But considering I haven’t seen it spoken about or implemented since then, I’m not sure I should be hopeful

  • TriStar (153 points, 2 years ago)

    Please tell me you haven’t been creating accounts on every instance. You can register on one instance then use that account to interact with content and communities on all other instances.

    • @mango_master@lemmy.world, OP (31 points, 2 years ago)

      No, but some people are discussing creating new logins, so I want to clarify. Thanks for the clarification.

    • @Candelestine@lemmy.world (22 points, 2 years ago)

      Some people do make this mistake, I’ve seen a thread or two asking about it after they already started. We’ll need a proper solution eventually, likely education/tutorial-based.

      • @Zarxrax@lemmy.world (11 points, 2 years ago)

        Literally every single explanation of Lemmy or fediverse that I have seen makes this really clear. I don’t understand where people would get the idea that you have to sign up to every site.

        • @Trapping5341@lemmy.world (14 points, 2 years ago)

          Because when you click a link out of, like, Google or something, you try to log in and it says your login doesn’t work. To actually view that page properly you have to copy the link, go to your home instance and search it again, then go to the post, and then you can interact with it. Some people either A. don’t realize that or B. don’t understand that’s how it all functions. It confused the shit out of me for the first couple of days, but I just didn’t care enough to create a new account because my account “should” have worked there; I just didn’t know how to make that happen.

          • @Cordoro@lemmy.world (7 points, 2 years ago)

            The process to open a link on your home instance is just way too complicated right now. Some sort of browser presence could help redirect users to the right places.

            • @corsicanguppy@lemmy.ca (1 point, 2 years ago)

              Some sort of browser presence

              It seems like it could be as easy as a redirect in Apache/nginx so that local-format links are laundered through.

            • @Trapping5341@lemmy.world (3 points, 2 years ago)

              Agreed. I haven’t spent much time using Lemmy on an app, but I’m hoping those can make it easier somehow, at least for mobile users.

        • Ste (2 points, 2 years ago)

          And now we know how the Fediverse got all those users in the last period 😆

        • @cerevant@lemmy.world (56 points, 2 years ago, edited)

          It is really clear until a newb tries to use it:

          • Someone gives you a link, or you find it in search
          • You click on the link, because that’s what you do with links
          • It takes you to what you are looking for, but it says you have to log in to comment or vote
          • You log in so you can comment or vote

          The UX for interacting with off-instance subs is abysmal. What is even worse is that as far as I can tell, there is no way to link a post or comment that is instance relative / instance independent.

          • Zagorath (22 points, 2 years ago)

            there is no way to link a post or comment that is instance relative / instance independent

            I’m commenting mainly as a reminder to myself to check back later if someone comes in with a correction.

            That said, the answer to this in the long term should be for the front ends (Lemmy UI, Jerboa, Sync for Lemmy, etc.) to be smart about this. My Mastodon app, Megalodon, does it. If you click a link to a post in another instance, it automatically looks up the same post from your instance and takes you there. It’s a little slower (and Megalodon shows you a button to short-circuit it and just go to that URL if you don’t care to be on your instance), but it lets you interact with the post as normal.

            • @cerevant@lemmy.world (15 points, 2 years ago)

              Even at the most basic level it is broken - at the bottom of your comment is a “context” button with the fediverse symbol. If I click on it, it won’t take me to the comment on my instance (lemmy.world) but instead is an absolute link to the comment on your instance (Aussie.world) even though the community lives on lemmy.world.

              I love lemmy, and I think it has a bright future, but this fundamental problem really needs to be fixed.

              • Zagorath (13 points, 2 years ago)

                You’re probably looking at the rainbow pentagon button, which behaves as you describe. There’s also a kind of chain link button. That one should take you to the context within your own instance. At least on web that’s how it works. Different apps may display differently.

                • @vegetaaaaaaa@lemmy.world (8 points, 2 years ago)

                  The tooltip doesn’t help either - both links only have a tooltip that just says link… IMHO it should be Link to this comment on CURRENT_INSTANCE_DOMAIN for the chain icon thing, and Link to this comment on COMMENTER_INSTANCE for the rainbow thing.

                  Anyway, the issue about this messy behavior described by @cerevant@lemmy.world is here https://github.com/LemmyNet/lemmy-ui/issues/1048

        • Johnny (6 points, 2 years ago)

          True, but changing this is unfortunately unfeasible with the way the web works. If I just access the URL of a post on instance A, there is no reasonable way for it to know that my home instance is B.

          There should at least be a button or something that sends you to your home instance after entering the domain though. Other than that, we’ll have to keep using browser addons and userscripts
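
The "send me to my home instance" button Johnny asks for, which is also the redirect page mack123 proposes, the nginx rewrite corsicanguppy mentions and the link rewriting vaguerant describes, can be a small endpoint on every instance. The block below is an added example in Go, not code from the thread or from Lemmy. It assumes the lemmy-ui convention that /search?q=<url> on the home instance pulls a remote object in (an assumption, as is the /go-home path and the set of URL shapes it resolves). The part worth copying is the validation: the endpoint takes two user-controlled values, the pasted link and the home domain, and turns them into a redirect, which is exactly the shape of an open-redirect bug, so both are checked against a strict grammar and the Location header is rebuilt from parts rather than echoed back.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"regexp"
	"strings"
)

// remotePath lists the Lemmy URL shapes worth resolving: post, comment,
// community or user (assumed here; other software uses other paths).
var remotePath = regexp.MustCompile(`^/(post/[0-9]+|comment/[0-9]+|c/[A-Za-z0-9_]+|u/[A-Za-z0-9_]+)$`)

// hostName accepts only a bare domain: labels of letters, digits and hyphens,
// at least one dot, no port, path, userinfo or scheme.
var hostName = regexp.MustCompile(`^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$`)

// CanonicalRemote validates a pasted link and returns it normalised: https,
// lowercase host, and the object path only (query and fragment dropped).
func CanonicalRemote(link string) (*url.URL, error) {
	u, err := url.Parse(strings.TrimSpace(link))
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" || u.User != nil || u.Port() != "" {
		return nil, errors.New("only plain https links are resolved")
	}
	host := strings.ToLower(u.Hostname())
	if !hostName.MatchString(host) {
		return nil, errors.New("remote host is not a plain domain name")
	}
	if !remotePath.MatchString(u.Path) {
		return nil, errors.New("path is not a post, comment, community or user")
	}
	return &url.URL{Scheme: "https", Host: host, Path: u.Path}, nil
}

// HomeSearchURL points the user at their home instance's search page with the
// remote object's URL as the query, which makes the home instance fetch the
// object and show its local copy. "/search?q=" is the lemmy-ui convention as
// assumed by this example.
func HomeSearchURL(home string, remote *url.URL) (string, error) {
	home = strings.ToLower(strings.TrimSpace(home))
	if !hostName.MatchString(home) {
		return "", errors.New("home instance must be a bare domain name")
	}
	if home == remote.Host {
		return remote.String(), nil // already local, no detour needed
	}
	q := url.Values{}
	q.Set("q", remote.String())
	dest := url.URL{Scheme: "https", Host: home, Path: "/search", RawQuery: q.Encode()}
	return dest.String(), nil
}

// GoHomeHandler is the endpoint each instance could host:
//   GET /go-home?home=<your domain>&to=<remote link>
// The Location header is always rebuilt from validated parts, never copied
// from the request, so the endpoint cannot be abused as an open redirect.
func GoHomeHandler(w http.ResponseWriter, r *http.Request) {
	remote, err := CanonicalRemote(r.URL.Query().Get("to"))
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	target, err := HomeSearchURL(r.URL.Query().Get("home"), remote)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	http.Redirect(w, r, target, http.StatusFound)
}

func main() {
	// Constructed example: the link from the thread above, opened from lemmy.world.
	remote, err := CanonicalRemote("https://someother.instan.ce/post/1194109")
	if err != nil {
		panic(err)
	}
	target, _ := HomeSearchURL("lemmy.world", remote)
	fmt.Println("redirect to:", target)
	http.HandleFunc("/go-home", GoHomeHandler)
	fmt.Println("listening on :8080")
	fmt.Println(http.ListenAndServe(":8080", nil))
}
```

A browser add-on or app can do the same resolution client-side with CanonicalRemote and HomeSearchURL alone; the server-side handler exists so that a plain link someone pastes into a chat still lands users on their own instance.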

      • @wolfcatreader@lemmy.world (8 points, 2 years ago)

        As a newb to Fediverse, I agree because it is ambiguous how to use one account for several instances. I’ve browsed the web for several hours. But I only found out that the above is not a one-size-fits-all because some instances require registration.

        Also, saying that an account can be created to access communities in my experience, implies I can only see and minimally interact on those instances. But I cannot go as far as posting anything because as I previously stated, I need an account on the said instance to do that.

        I see the Fediverse being an umbrella of apps/services. However, from my experience, they’re not synchronized. More like silos.

        • @Candelestine@lemmy.world (1 point, 2 years ago)

          Yeah, it’s a bit of an issue, there’s a lot of concepts that can get subtly mis-communicated. I wrote this awhile ago, as I felt it helps navigate more intuitively when you have a full top-level view of the whole idea in the first place:

          https://lemmy.world/post/527260

      • @Uggro@lemmy.world (4 points, 2 years ago)

        From my understanding, yes. You can also follow Lemmy communities on mastodon and have their posts show up in your feed. @fediverse@lemmy.world I believe that’s the right format? Someone will undoubtedly correct me if I’m wrong.

        • @thejoker8814@lemmy.world (4 points, 2 years ago, edited)

          Yes, you can. See my post I made on lemmy.world - showing up in the feed of @fediverse@lemmy.world using my mastodon.social account (in the mastodon app). For that to work you have to have the community address and look for it via the search on the mastodon instance.

          Screenshot is made in the mastodon instance.

      • r00ty (11 points, 2 years ago)

        Yes, and no. You can access Lemmy and kbin instances from Mastodon. But the format doesn’t work so well, I think. I’m not sure how far it goes and how viable it is though. I’m not on Mastodon.

        But once you have an account on one of the threadiverse instances, defederation aside the same content should be available.

        • Zagorath (4 points, 2 years ago)

          Yeah I think the main actually viable use case for the fact that Lemmy and Mastodon can cross-interact is just when a Mastodon user gets @mentioned on Lemmy and is able to reply to it from there. And vice versa. You don’t want to actually be browsing Lemmy from Mastodon.

    • @TimewornTraveler@lemmy.world (6 points, 2 years ago)

      No, some communities need a new login. Lemmy NSFW has no content without it. Then there’s the issue of having a slow instance like world vs another instance.

      • @syl@programming.dev (2 points, 2 years ago)

        Others have already said it, but I will reiterate:

        You have to go to your account settings and enable “Show NSFW”. It is off by default.

        • @TimewornTraveler@lemmy.world (1 point, 2 years ago, edited)

          Nah, it’s been enabled. It’s literally just that instance that won’t show anything without an account on their instance.

          Unless you mean the setting for my *.world account can be on everywhere else but OFF on the *nsfw instance alone??

      • @sunaurus@lemm.ee (32 points, 2 years ago)

        You don’t need a new account for this, just make sure you have “Show NSFW” enabled in your profile.

        • @dingus@lemmy.world (5 points, 2 years ago, edited)

          Not exactly because some instances defederate other instances. I’m pretty sure lemmynsfw is defederated by some instances (like Beehaw I think??), meaning you’d need an account on another instance in order to most properly view and participate.

            • @dingus@lemmy.world (1 point, 2 years ago)

              You’re right. I’m not sure why I thought they were. I wonder if they were temporarily at some point??? Or maybe I am just having a massive brain fart.

      • funkless (2 points, 2 years ago)

        this is the sturm and drang of every collaborative work I guess. Those led by a single person / company will produce a more streamlined but restrictive product. Those led by committee produce a more chaotic but free experience.

  • @DanTilDawn@lemmy.world (8 points, 2 years ago)

    This would require either a central authority for registering and managing the identities, or the path of distributed ledger, where identity is confirmed with digital signatures when transacting - the second option is what crypto is. Some type of Blockchain tech could service it but all crypto related technology is buried in bad optics right now due to the current state of it being a big mouse trap setup by venture capital to squeeze money out of people without the protections of regulation afforded by their centralized identity management (which is run by the native government that the users are a citizen of.)

      • @ttmrichter@lemmy.world (3 points, 2 years ago)

        Once someone had a technical problem. “I know,” they said. “I’ll put it on the blockchain.” Now they have a million technical problems.

    • @thekinghaslost@lemmy.world (6 points, 2 years ago)

      For identity verification, you can just do a simple key signing, just like how Nostr does it.

      Each user will generate a public-private key pair on their own device and has all their posts (and edit/delete requests) signed using their key.

      If someone wants to delete or edit their post, the site can just verify that the request is signed with the same key.

      There’s still the issue of who’s going to store the user’s follows, etc., but I think we can find a way to work around it.
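
What anji (further up the thread) and thekinghaslost sketch, carried through as an added example in Go; this is not code from the thread, from Nostr or from any fediverse project. The identity is the Ed25519 public key itself, every create, edit and delete is a signed record, and an instance applies an update only if it verifies under the key that created the post and carries a higher sequence number than what it already holds, so a relayed old edit cannot be replayed and no other key can touch the post. The post IDs, the op names and the JSON layout are this example's own choices, and the forged and replayed records in main are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Post is the record that gets signed. Everything that affects content is in
// here, including the sequence number that orders edits and deletions.
type Post struct {
	Author string `json:"author"` // hex Ed25519 public key: this is the identity
	ID     string `json:"id"`     // chosen by the author, stable across edits
	Seq    uint64 `json:"seq"`    // 0 for create, strictly increasing afterwards
	Op     string `json:"op"`     // "create", "edit" or "delete"
	Body   string `json:"body"`
}

// Signed is a post plus the Ed25519 signature over its canonical JSON form.
type Signed struct {
	Post Post   `json:"post"`
	Sig  string `json:"sig"`
}

// NewIdentity makes a fresh key pair; the hex public key doubles as the
// author ID other instances will see.
func NewIdentity() (author string, priv ed25519.PrivateKey, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", nil, err
	}
	return hex.EncodeToString(pub), priv, nil
}

// canonical is the byte string that is signed. encoding/json emits struct
// fields in declaration order, which gives a stable encoding for this type.
func canonical(p Post) ([]byte, error) { return json.Marshal(p) }

// Sign fills in the author from the key, so nobody signs as someone else by
// accident, then signs the canonical form.
func Sign(priv ed25519.PrivateKey, p Post) (Signed, error) {
	p.Author = hex.EncodeToString(priv.Public().(ed25519.PublicKey))
	msg, err := canonical(p)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Post: p, Sig: hex.EncodeToString(ed25519.Sign(priv, msg))}, nil
}

// Verify checks the signature against the key the post names as its author.
func Verify(s Signed) error {
	pub, err := hex.DecodeString(s.Post.Author)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed author key")
	}
	sig, err := hex.DecodeString(s.Sig)
	if err != nil {
		return err
	}
	msg, err := canonical(s.Post)
	if err != nil {
		return err
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), msg, sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Store is one instance's copy of the posts it has seen, keyed by author+ID.
type Store struct{ posts map[string]Post }

func NewStore() *Store { return &Store{posts: map[string]Post{}} }

// Apply accepts a record only if it verifies, if the author already owns that
// ID (for edit/delete), and if its seq is newer than what is stored.
func (st *Store) Apply(s Signed) error {
	if err := Verify(s); err != nil {
		return err
	}
	key := s.Post.Author + "/" + s.Post.ID
	prev, exists := st.posts[key]
	switch s.Post.Op {
	case "create":
		if exists {
			return errors.New("post already exists")
		}
	case "edit", "delete":
		if !exists {
			return errors.New("no such post by this author")
		}
		if s.Post.Seq <= prev.Seq {
			return errors.New("stale or replayed update")
		}
	default:
		return errors.New("unknown op")
	}
	st.posts[key] = s.Post
	return nil
}

// Body returns what readers should see: "" once deleted or if never seen.
func (st *Store) Body(author, id string) string {
	p, ok := st.posts[author+"/"+id]
	if !ok || p.Op == "delete" {
		return ""
	}
	return p.Body
}

func main() {
	alice, privA, _ := NewIdentity()
	_, privB, _ := NewIdentity() // constructed: a second, unrelated key
	st := NewStore()
	create, _ := Sign(privA, Post{ID: "p1", Op: "create", Body: "hello"})
	edit, _ := Sign(privA, Post{ID: "p1", Seq: 1, Op: "edit", Body: "hello, edited"})
	forged, _ := Sign(privB, Post{ID: "p1", Seq: 2, Op: "delete"})
	fmt.Println("create:", st.Apply(create), "body:", st.Body(alice, "p1"))
	fmt.Println("edit:  ", st.Apply(edit), "body:", st.Body(alice, "p1"))
	fmt.Println("replay:", st.Apply(edit))
	fmt.Println("forged:", st.Apply(forged), "body:", st.Body(alice, "p1"))
}
```

Two things this leaves open are exactly the ones the thread raises: losing the private key means losing the identity (GoodPointSir’s objection below), and the store only knows about posts it has been sent, so the follow list and other account state still need a home somewhere.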

      • @GoodPointSir@lemmy.ca (3 points, 2 years ago)

        That then introduces ease of use problems. You won’t be able to log in to another device without copying your key over from an already logged in device for example.

        Web browsers don’t usually allow access to local files made outside the browser, so even logging in between browsers would require having your key on hand.

        Not to mention if you lose the file containing your key (hard drive craps out, etc), you’ll lose access to your account entirely. So users would be forced to backup their keys.

        Not issues that would make the product unusable, but enough of a hindrance that 90% of users would just go find something else (like Threads) to use instead.

        • @iopq@lemmy.world (1 point, 2 years ago)

          I can’t use my account on another device until I input my password, so either way I need to use a password manager. If you reuse the same password (so you can remember it for hundreds of sites instead of using a password manager), being forced into using a key instead would actually be an improvement for your security.

    • rodhlann (5 points, 2 years ago)

      It doesn’t work for everything though. Having a self hosted account that wasn’t tied to any specific platform or instance would ideally allow you to have access to PeerTube and BookWyrm as well as Mastodon and Kbin, without having to worry about your instance shuttering and all of your posts and comments disappearing. I’ve also been really stewing on this idea, I think it’s a probable future state of the Fediverse

  • @irkli@lemmy.world (-1 points, 2 years ago)

    You don’t need either. It’s not about places, so much as it’s about people and conversations.

    Maybe you only have used corporate centralized giant sites? Believe me, that was the anomaly.

    You can’t and don’t visit every cafe, every club, every library, you mostly visit a few locals and seek out the rest.

    Same thing here. Also with this you get actual diversity. You can change instances and still see everything!

    You just have to learn how this new system works. It’s far far better.

  • @tobier@lemmy.world (8 points, 2 years ago)

    The whole point is to be decentralized. You can still interact with communities on other instances, so what’s the point?