I wish there was a way in atproto oauth to enable login without typing your handle that also supports multiple PDS hosts
Announcing Datasette for Newsrooms - a hosted version of @datasette.io specifically targeted at newsrooms and data journalists
Think of it as a library for your data - load in CSVs and JSON, extract data with LLMs, collaborate on analysis with the rest of your team
simonwillison.net/2025/Apr/24/...
A few days ago I gave a keynote at the PaPoC workshop on Byzantine Eventual Consistency and Local-first Access Control. It wasn't recorded, but slides are here
speakerdeck.com/ept/byzantin...
HOLY MOLY – Weird is fully public!
Our v0.3 mvp is finally done after a year of development and many more spent pondering cozy community design.
Today it's a minimalistic personal site generator. Before long it'll be a social network made of people's personal websites.
Nerdy web weirdos unite ✊❤️🔥
I want to create an incubator that funds atproto/bluesky experimental projects to the tune of $5k-$10k dev grants.
I am sorely tempted to call it “Chemtrails”, because it seeds the ATmosphere
Hit me with your best ideas!
@whtwnd.com any chance of implementing atproto OAuth?
Hello! The skies look very blue over here! We're going to start posting updates on this platform as well. Please share and follow for new stuff from Tailscale and our community of networking nerds
North Idaho is practically a different state.
Spent a year in the Palouse. Beautiful area. Everything turns green in the summer, gold in the fall before harvest, white during the winter, and brown in the spring after plowing.
Deep inside Internet Archive is a grinder. It has not been grinding in any meaningful way since October 10th. It is now grinding. It has three weeks of back-grinding to do, and then will keep grinding. There won't be anything obvious on the outside but this is the moment Archive came back alive
@molly.wiki are the RSS feeds for mollywhite.net working properly? I'm not seeing any updates the last several days, but I see more recent posts directly on the site.
There are definitely tradeoffs, but I think the key point is that did:web is the only way today to have an atproto identifier that wouldn't die with Bluesky. Moving plc.directory to an org would be a great step but it could take a very long time for it to achieve the same level of trust as DNS.
@pfrazee.com the most common concern I see (and share) with atproto currently is the centralization of plc.directory. The best solution (currently) for technical people is to host their own PDS with did:web. Are you aware of any businesses offering paid PDS + did:web instances?
ok, let's break it down.
at the core of atproto is the data. it lives on your own computer (or someone hosts it for you). think of it as a hard drive with JSON files on it
data is structured (i.e. has a type), and can reference other records on other people's computers with a URI like a hyperlink
If any #vuejs #elkzone people are interested in working on a cross-platform client for Bluesky plus Mastodon, we’re discussing the viability of that here:
github.com/elk-zone/elk...
@jsalvador.me is tentatively on board already. Anyone else wanna help make this happen? 💫
atproto aha moments:
- you can host your data
- it's just json
- it's typed but any app dev can invent those types
- records have URIs
- records are signed so cacheable without trust
- relay aggregates everyone’s events into a global stream
- backends subscribe to relay and update local DBs
Over the last few months I've received some questions about how I view the wider "decentralized social media" ecosystem outside of Bluesky. I wrote something about that here: www.techdirt.com/2024/10/29/s...
If you're curious why everybody's username is a domain, it's because every user is essentially a website
In addition to reusing existing libraries, there's also avoiding fracturing the ecosystem, just when OIDC is starting to get some traction in the decentralized world. To be clear, I don't necessarily think this is vital, I'm just trying to advocate for existing standards as much as possible.
I envision it as a 3-step process with OIDC in the middle:
1. You get some sort of handle/identifier from the user and look up their OP
2. Do OIDC
3. Verify the OP is authoritative for the handle
I've been thinking about this a lot lately, because I'd like a system that doesn't require different logins. Do you already have thoughts on how this could look?
And I'm not sure how much protection your current approach adds. Definitely a lot for devs using your libraries, but anyone making their own implementation (as I did) can just skip the checks.
I would ask you to not give up on OIDC too easily. See for example the way Tailscale implements custom OIDC providers. You give them an email address, and they use WebFinger to look up the OIDC provider. I've found this to be an excellent way of doing things.
The main issue isn't that it returns extra data, it's that `sub` is a DID, and you need to resolve that DID before you can trust that AS as authoritative for it. The protocol also requires use of the `atproto` scope. But I don't think either of these necessarily makes it non-OIDC compatible.
If you trust the AS (which in atproto can be provided by the user), then the user could set up a malicious AS that claims to be authoritative for any DID, and thereby log in as anybody on every app.
openid.net/specs/openid... states that `sub` must be locally unique, but does it say anything that it can't be considered globally unique in specific implementations? Just because atproto requires an extra check at the end doesn't necessarily mean it can't be OIDC compliant.
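The check these posts describe, as an added example that is not part of the original posts: before accepting a token response, resolve the DID in `sub` and confirm that it delegates to the authorization server that issued the token. The `#atproto_pds` service entry and the `/.well-known/oauth-protected-resource` document with its `authorization_servers` list come from the atproto specifications, not from this page; the DIDs, hosts and documents below are constructed samples, and the function names are hypothetical.

```python
# Added example. All documents here are constructed samples, not real accounts.
DID_DOCS = {
    "did:web:alice.example": {
        "id": "did:web:alice.example",
        "service": [{
            "id": "#atproto_pds",
            "type": "AtprotoPersonalDataServer",
            "serviceEndpoint": "https://pds.alice.example",
        }],
    },
}
# What each PDS would serve at /.well-known/oauth-protected-resource.
RESOURCE_METADATA = {
    "https://pds.alice.example": {
        "authorization_servers": ["https://pds.alice.example"],
    },
}


def pds_endpoint(did_doc, did):
    """Return the PDS URL declared in a DID document for `did`."""
    if did_doc.get("id") != did:
        raise ValueError("DID document id does not match the requested DID")
    for svc in did_doc.get("service", []):
        if (svc.get("id") in ("#atproto_pds", did + "#atproto_pds")
                and svc.get("type") == "AtprotoPersonalDataServer"):
            return svc["serviceEndpoint"]
    raise ValueError("no atproto PDS service in DID document")


def issuer_is_authoritative(issuer, sub, resolve_did, fetch_resource_metadata):
    """True only if the DID in `sub` delegates to `issuer`.

    The chain starts from the DID, never from anything the AS asserts:
    sub -> DID document -> PDS -> authorization_servers -> issuer.
    Any lookup failure is treated as "not authoritative".
    """
    try:
        pds = pds_endpoint(resolve_did(sub), sub)
        servers = fetch_resource_metadata(pds).get("authorization_servers", [])
    except (KeyError, ValueError):
        return False
    return issuer in servers  # exact string match on the issuer URL


def check(issuer, sub):
    """Run the check against the constructed tables above (offline)."""
    return issuer_is_authoritative(
        issuer, sub, DID_DOCS.__getitem__, RESOURCE_METADATA.__getitem__)
```

A client that skips this step accepts whatever `sub` the authorization server returns, which is the impersonation risk raised in the post about a user-supplied AS.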
One of the projects I've had simmering away in the background with @aaronpk.com is OAuth Client ID Metadata Documents. In this article, I explain what they are and where they come from: medium.com/@thisismisse...
This is what Bluesky uses for OAuth.
@bnewbold.net does AT Protocol's OAuth support the `profile` scope and userinfo endpoint from OIDC? We're considering these for Mastodon: github.com/mastodon/mas...
(essentially a stripped down version of the Account entity in Mastodon, or the DID in At Protocol is how I'd think of these)