I don’t know why anyone wants to use a federated identity to sign into things. Where did the messaging that it’s more secure come from, Google?
Why would I want the headache of having yet another login/password to remember, if (like most people) I haven't figured out password managers? I'd rather just use my Google identity, especially if I don't really care about this particular web app.
I have both Google and Github Oauth flows added to this idea in code, and it works great for my purposes. Prior to coding agents, I wrote the code by hand and went over it a few times to ensure it worked and was safe (for the email token thing at least). I even wired up the Oauth stuff myself, without an agent. It's not hard.
With agents, it's super easy to audit this and also deploy services using them, so I'm not sure why any arguments here mention how hard it is nowadays. It's not hard, but it does expose what site a user is logging into. That's just a easy function for the user though, with known risks.
With Google email, if I use a site with email logins, Google STILL knows I used them. It's just in my email instead of a logfile that I authenticated to a site. I would note that as long as the token is alive, dependent on the provider's choices, Google doesn't know I'm going back again, and has no idea what I'm doing on the site. I'd trust Google over anyone else about this, even Github (as related to Oauth to avoid the nitpick that has been common here recently).
I would hardly call this a "security nightmare" (as someone else said, not you) as Google only knows someone is authenticating to a given URL which they've vetted (a little) during the setup process. Same for Github. If you don't like Oauth, or feel that then every site someone uses should provide an email login fallback.
People trying to remember passwords is a pretty bad security situation.
I'm not an expert but so often folks on here throw criticisms without giving credit to some of the merits of solutions. Nothing is perfect, and progress can still be made. :)
Respectfully, I disagree in a time when all your data is being slurped up and resold constantly I hate any additional costs to my privacy.
> People trying to remember passwords is a pretty bad security situation.
But that's their problem, not mine. I'm an adult and I use a password manager.
The only way to preserve privacy while having a central and easy authentication mechanism I can think of is to use IndieAuth[0] which is built on top of OAuth 2.0.
Of course, you will need to be your own provider, using an IndieAuth provider service defeats the purpose, which is what I see most IndieWeb devs are doing.
You will need to own a (sub)domain though.
Privacy nightmare in the real world, "tech" company wet dream in SillyCon Valley
You may also be interested in the FedCM protocol Google is working on.
(Apple login is in nearly every iOS app and most websites)