On Thu, Jan 22, 2026 at 11:46 AM Andy Smith <[email protected]> wrote:
>
> On Thu, Jan 22, 2026 at 11:00:52AM +0800, Maytham Alsudany wrote:
> > On Wed, 2026-01-21 at 00:30 +0000, Andy Smith wrote:
> > > [...] You could choose to expand this notion beyond the individual site, so
> > > instead of it being forums.debian.net working out its own authentication
> > > scheme there were some central service managing the identities of the
> > > users. [...] Decentralized identity providers exist that can be
> > > self-hosted, like OAuth.
> >
> > FYI salsa.debian.org already serves this purpose. It doubles as Debian's
> > GitLab instance as well as an oAuth2 provider for many Debian sites such
> > as nm.debian.org.
>
> This is nice but it only really goes to emphasise my point: An
> organisation (Debian) made an identity provider for its own services,
> but is it something that's simple enough and pleasant enough to use that
> a service like forums.debian.net would realistically want to use it for
> authentication?
>
> > > These are highly obscure and probably a dead end: anything that
> > > can be self-hosted can be abused to create infinite identities.
> >
> > Salsa registrations require manual approval from the admins to protect
> > against spam / bot accounts.
>
> …which is great for internal Debian services for a total population of a
> few thousand experts who know they have to work through some initial
> inconvenience if they want to participate in Debian. I don't think it
> would suit something like a forum for novice Debian users that wants to
> attract new users with lowest friction possible.
>
> I can't really imagine that Salsa admins would want to be manually
> approving new signups for people who want to write posts on
> forums.debian.net, and that is assuming that only write access needs to
> be authenticated - this thread did start with a question about even
> abusive scraping being stopped by authentication.
>
> What I was saying here in this thread is that the technology exists, in
> multiple implementations, it's just that it's too inconvenient and
> fragmented. Due to that, users often have to be forced to use them and
> their use remains niche, not a silver bullet that all popular services
> could use.

My observation has been, just about everyone wants to be the Identity Provider (IdP), and most people don't want to be a Relying Party (RP) who confers trust to the IdP.

Jeff

