Question about this IndieAuth thing, or anonymous clients, mentioned at the linked page.
Wouldn't that effectively grant access to your user data to everyone, regardless of their intentions?
Meta, for instance, has very strict TOS and privacy policy checks before approving a client_id. And those checks are ongoing.
One problem with comparing to social login providers is that their OAuth2 APIs tend to provide a lot more access than just OIDC, which greatly increases the risk of phishing and other attacks. Since a simple OIDC server like obligator only deals with identity, the worst case scenario of a phishing attack is that the user's email address is exposed to the attacker.
You can think of obligator as a server that responds to client app requests with a response of "I have verified that the user running this OIDC session has control of X email address as of Y time".
Right, I wasn't sure if you were referring specifically to the user's profile information on the OIDC server, the other user data stored by the same entity which runs the OIDC server (which is common but not the case for obligator because it's identity-only), or the user's data on the app that they're trying to log into.
https://aaronparecki.com/2018/07/07/7/oauth-for-the-open-web