Anyone interested in single sign-on / #SSO? Want a new toy to play with? I've been experimenting with it recently, and now I've got something to share: an experimental demo of how a "Sign in with the Fediverse" mechanism might work.

If you have a Mastodon or Hubzilla account, or an IndieAuth-style self-hosted identity, I'd like to invite you to try and sign in to my test site at login.mythik.co.uk.

Headline features:

• User authentication/authorization based on the Ory tools.
• Supports signing in using an existing Fediverse (or other) account - or one you host yourself
• Open source - well, not yet, but it could be, if people are interested in it
• Written by a non-expert! Woefully insecure! All manner of attacks, just waiting to be found! Invite your security expert friends to the party, and laugh together at the n00b! Fun for all the family!

Supported identity providers include:

• Mastodon (must be a recent version that includes this pull request). mastodon.social is known to work.
• Hubzilla (any version). zotum.net is known to work.
• #IndieAuth / #FedCM
• Another instance of itself, using OpenID Connect

(There's a chance Streams might work, too.)

Protocols supported:

• #OIDC Discovery
• Client ID Metadata Document
• FedCM for IndieAuth
• #OpenWebAuth
• A method using the Mastodon API
• Classic (non-FedCM) IndieAuth (if you're lucky; I found this very hard to test, and had various problems with it)
• My original experiments used Dynamic Client Registration but I've moved away from this.

If you can get it to work - share a screenshot and let me know what you think!

(I'll try to keep this running for a while, but I can't guarantee it - partly because I haven't finished trying to attack it yet. If I have to take it down for some reason, I'll edit this post to say so.)