
Consider supporting unregistered OIDC clients #66

Open
anderspitman opened this issue Jun 9, 2024 · 3 comments

@anderspitman

Sorry if this is the wrong place for this.

I was introduced to Hellō by @samuelgoto, because there's a lot of overlap with my LastLogin project. I would love to see Hellō succeed. A big reason I started LastLogin was because I didn't know of anything similar that existed.

One feature LastLogin implements that's important to me pertains to self-hosting software. If I develop an app intended to be self-hosted, I don't want every single one of my users to have to register with OIDC providers in order to log in. Obviously Hellō helps with this already by having one single provider that proxies many others, but it's still an extra step.

There are ways to securely support clients without preregistration. The most spec-ish way is by implementing OIDC dynamic client registration and allowing clients to register without credentials. But this introduces extra unnecessary steps for client applications and potentially opens you up to attacks from lots of bogus clients registering, if you're storing the data.

My preferred approach is to simply use URIs as client IDs, which are presented to the user for consent, and then verify that the redirect URI is on the same domain as the client ID. I was introduced to this method by @aaronpk's blog (https://aaronparecki.com/2018/07/07/7/oauth-for-the-open-web).

Would Hellō consider implementing this type of functionality?

@dickhardt
Member

@anderspitman this is the right place! (thanks @samuelgoto for the promo)

I'm not understanding what problem you are trying to solve.

Do you want users to be able to run their own self-hosted OIDC server? That is on the roadmap.

What is it about dynamic client registration that you are looking for?

Hellō does not require the app to manage a secret if that is the concern.

If you are wanting to enable your users to run your app on their own URL, our Quickstart flow https://www.hello.dev/docs/sdks/quickstart/ would enable them to register their version of the app in a seamless way, which would let them manage it themselves and have their own client_id.

@anderspitman
Author

My goal is probably best explained with an example. You can use any compliant OIDC client for this. I'll use https://openidconnect.net/.

  1. Go to https://openidconnect.net/
  2. Click "Configuration"
  3. Set "Server Template" to "Custom"
  4. Set "Discovery Document URL" to "https://lastlogin.io/.well-known/openid-configuration"
  5. Click "Save"
  6. Click "Start" and go through the flow.

Note that never at any point did you need to register the client with LastLogin. This creates a very convenient UX for self-hosters. They can run dozens of apps, and use LastLogin to authenticate for all of them, without needing to register every one of those apps with LastLogin. They don't need a LastLogin account. In fact, LastLogin doesn't even have accounts. Everything is stored client-side in cookies.

@anderspitman
Author

It's awesome that you've put thought into streamlining the registration problem with Quickstart, but IMO it's still extra unnecessary steps. Totally fair if you disagree. It's reasonable to want to keep track of who's registering clients.
