Comment by dwattttt
Authentication requires the opposite of privacy. If you don't want to be identified, you can't restrict anything to your identity.
... which requires an addon to the browser, or for it to be built in specifically for that company.
That's not something companies like Matrix can use. If you're installing software already, why not skip the browser engine and install a full Matrix client instead?
I wasn't responding directly to Matrix's use of MAS. More generally I aimed to make the parent poster aware of a new technology that allows for private authentication, which they claimed was impossible.
Privacy Pass is currently being standardized by the IETF, so we may see more widespread adoption eventually: https://privacypass.github.io/
If I'm authenticating with server A, I shouldn't have to carry ephemera from server B. A can interact with B on its own if necessary.
Bubbling up these architectural details to the front end is a symptom of the webdev cargo cult coming up with broken ideas that get fossilized as the status quo.
With OIDC, both occur: the client is redirected to the authentication server where they directly authenticate, then carries a token cross-domain back to the service. Finally, the service validates the token against the auth server.
The alternative would be something where I enter my Google username/password on random websites, and trust that they will forward it to Google and not do anything nefarious. This is less secure and less private.
It kind of depends. See Kagi Privacy Pass ("Allows you to use Kagi Search with Privacy Pass, which cryptographically ensures that Kagi cannot tie that request to an account and allows for further privacy and anonymity."): https://help.kagi.com/kagi/privacy/privacy-pass.html
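The "cryptographically ensures that Kagi cannot tie that request to an account" property from the Kagi link, and the private authentication dwattttt refers to, comes from blinded token issuance. As an added toy illustration (not code from this thread, from Kagi or from the Privacy Pass project), here is blind-RSA issuance and redemption in Python, with a constructed issuer key far too small for real use:

```python
import hashlib
import math
import secrets

# Constructed toy issuer key: two Mersenne primes so the arithmetic stays readable.
# Real Privacy Pass blind RSA uses 2048-bit or larger moduli.
P, Q = (1 << 61) - 1, (1 << 89) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
REDEEMED: set[bytes] = set()  # origin-side replay list (tokens are single use)


def hash_to_int(token_key: bytes) -> int:
    """Toy full-domain hash: map a random token key into Z_N."""
    return int.from_bytes(hashlib.sha256(token_key).digest(), "big") % N


class Client:
    """Owns the blinding factor r; it never leaves the client."""
    def __init__(self):
        self.token_key = secrets.token_bytes(32)
        self.m = hash_to_int(self.token_key)
        self.r = secrets.randbelow(N - 2) + 2
        while math.gcd(self.r, N) != 1:  # r must be invertible mod N
            self.r = secrets.randbelow(N - 2) + 2

    def blind(self) -> int:
        # The only value the (authenticated) issuer ever sees: m * r^E mod N
        return (self.m * pow(self.r, E, N)) % N

    def unblind(self, blinded_sig: int) -> int:
        # (m r^E)^D = m^D * r, so multiplying by r^-1 leaves the plain signature m^D
        return (blinded_sig * pow(self.r, -1, N)) % N


def issuer_sign(blinded: int) -> int:
    """Issuance step: the account-holding server signs the blinded value."""
    return pow(blinded, D, N)


def origin_redeem(token_key: bytes, sig: int) -> bool:
    """Redemption step: any origin holding (N, E) verifies; replays are rejected."""
    if token_key in REDEEMED or pow(sig, E, N) != hash_to_int(token_key):
        return False
    REDEEMED.add(token_key)
    return True


def run_round():
    """Return (token_key, sig, what_the_issuer_saw) for one issuance."""
    c = Client()
    blinded = c.blind()
    return c.token_key, c.unblind(issuer_sign(blinded)), blinded
```

The issuer's transcript contains only the blinded value, which matches neither the token key nor the signature presented at redemption, so the account used at issuance cannot be linked to the later request without r.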