Eartho sounds like something a user wants. We have found that privacy is an added bonus, but that it is only one of many features a developer wants.
Adding yet another button that users don't understand confuses users.
I'm the founder of Hellō and we have a similar service that has cooperative governance. https://hello.coop/
FWIW it is a myth that Google uses where you login with Google for retargeting. Big Tech is always concerned about having to share user-specific usage with US agencies. Google considers knowing where you login to be toxic data that they want to dump as quickly as possible. There are more than enough other signals for retargeting.
Can you please provide a source for your information about Google handling login data? Your words are very interesting, but they would have more impact if you could provide a source.
OAuth 2.1 has no new features. It is OAuth 2.0 rolled up with all the specs since 2.0. It is the better place to start for learning about delegated authorization.
I wonder. Do open source oauth servers actually implement all of 2.0 these days? Do clients? What do they do for the bits the spec leaves... unspecified? My memory isn't the best but I remember ten or so years ago when the spec was fresh that so-called off the shelf servers at the time didn't actually implement anything of value, so had to write my own barebones version. I remember thinking the 1.x spec was actually better, but it didn't matter anyway because every real app would just write code targeting whatever it was that social media companies were doing and calling oauth. (One notable thing was not ever presenting the user with an HTTP Basic experience, and everyone is still addicted to JSON vs. form-encoded body parameters.)
Fair! I considered "OAuth 2.0 rolled up with all the specs since 2.0" an update, but you are correct. They specifically didn't want to set out any new features in OAuth 2.1.
From the spec:
"This Standards Track specification consolidates the information in all of these documents and removes features that have been found to be insecure..."
OAuth 2.0 took the best features of what was already being deployed by Google, Microsoft, Yahoo, etc. and added in scopes and refresh tokens. The objective was to standardize how to delegate authorization so that developers did not have to learn slightly different ways of doing effectively the same thing.
Typing your username and password into a 3P website so it could crawl your contacts was a horrible anti-pattern.
... especially if you are building with Next.js, Express, or Fastify and using our Quickstart which removes all the manual configuration so that you are running locally in a minute, and can be deployed fully configured a minute later.
Since then we have added support for Discord, GitHub, GitLab, Mastodon, and Twitter. If you are on a mobile device, you can enroll a passkey for future logins on that device. On the desktop, you can scan a QR code to log in with your phone.
- Our approach
- How the cooperative works
- How we’ll fund Hellō with smart contracts
- Our guiding tenets
- How we protect people’s privacy
- Our architecture
Thanks for reading and trying! Please share your questions, impressions, criticisms, and requests here, or you can email me @ dick.hardt@hello.coop
Tl;dr:
If you are a developer considering adding World ID to your project. Wait.
If you see an app using World ID. Be safe.
The OAuth Best Security Current Practices have not been followed. Combined with the following point, applications using World ID may be vulnerable to attacks.
The implementation is not compliant with the OpenID Connect specification. Times are in milliseconds instead of seconds; requests can be made without required parameters. Update Aug 9: these have been addressed.
The user’s privacy is being violated. The authorization page presents no information on what the application is requesting, nor on what worldcoin.org is releasing. There are no application terms of service and privacy policy links.
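The two compliance problems the post lists (millisecond timestamps and requests missing required parameters) are things a relying party can check on its own side. The following is an added example, not code from the post or from Worldcoin: a Python validator for the authorization request and the ID token claims. It assumes the required request parameters from OIDC Core (response_type, client_id, redirect_uri, scope containing openid) plus the state and PKCE requirements of the OAuth 2.1 draft and Security BCP the post refers to; all sample values are constructed.

```python
# Constructed sample values (not real tokens); a fixed "now" keeps results reproducible.
NOW = 1_700_000_000                 # current time, seconds since epoch
MAX_SECONDS = 4_102_444_800         # 2100-01-01 UTC; anything larger cannot be a seconds value
REQUIRED_AUTHZ_PARAMS = ("response_type", "client_id", "redirect_uri", "scope")


def check_authz_request(params):
    """List what is wrong with an OIDC authorization request (empty list = OK)."""
    problems = [f"missing {p}" for p in REQUIRED_AUTHZ_PARAMS if p not in params]
    if "scope" in params and "openid" not in params["scope"].split():
        problems.append("scope lacks 'openid'")
    if "state" not in params:
        problems.append("missing state (CSRF binding, OAuth Security BCP)")
    if "code_challenge" not in params:
        problems.append("missing PKCE code_challenge (required in OAuth 2.1)")
    return problems


def _numeric_date(claims, name, problems):
    """Return the claim as seconds, or None after recording why it is unusable."""
    value = claims.get(name)
    if not isinstance(value, int):
        problems.append(f"{name} missing or not an integer")
        return None
    if value > MAX_SECONDS:          # the millisecond bug the post describes
        problems.append(f"{name} looks like milliseconds, not seconds")
        return None
    return value


def check_id_token_claims(claims, issuer, client_id, nonce, now=NOW, skew=60):
    """Run the OIDC Core 3.1.3.7 claim checks that do not need a signature key."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    if not claims.get("sub"):
        problems.append("missing sub")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain client_id")
    if nonce is not None and claims.get("nonce") != nonce:
        problems.append("nonce mismatch")
    exp = _numeric_date(claims, "exp", problems)
    iat = _numeric_date(claims, "iat", problems)
    if exp is not None and exp <= now - skew:
        problems.append("token expired")
    if iat is not None and iat > now + skew:
        problems.append("iat is in the future")
    return problems
```

A real client still verifies the JWT signature against the provider's JWKS before trusting any of these claims; the checks above catch the spec deviations the post describes even when the signature is valid.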
The OP conflates the fediverse with Mastodon, and my understanding of his key point is that it is doomed because Mastodon is complicated to run. As the operator of https://press.coop, I agree. Mastodon is 10-year-old web tech (Ruby on Rails with Postgres) that does not take advantage of modern cloud architectures. (The streaming service is written in nodejs and is efficient and just works.)
But software continues to evolve. There are numerous other software projects on the fediverse, Cloudflare's Wildebeest being an example of a more efficient, and easier to manage implementation. Crowdfunding has become a common means for instances to be funded. It is still early days for the fediverse, and the pace of innovation continues to accelerate. Remember that Twitter was twttr when it launched, and was an SMS based app. Flickr was a Flash app.