flori_ava_star:~cursor_blinking made-with-estrogen verifiedlesbian @star@amazonawaws.com
8h
It is, to me, crazy that OIDC is the best thing we collectively have as an industry, and it just doesn't specify things such as... how to list all active sessions. Honestly, OIDC is very nice, but WOW does it have a *lot* of gaps which force you to do really funky shit to be able to have functionality which sounds very basic on the surface

aura @aura@gts.foxsnuggl.es
8h
@star uhhh, that's super out of scope?
flori_ava_star:~cursor_blinking made-with-estrogen verifiedlesbian @star@amazonawaws.com
8h
@aura I would argue it is not out of scope. You already have session management. There should just be an RFC extending on this.
flori_ava_star:~cursor_blinking made-with-estrogen verifiedlesbian @star@amazonawaws.com
8h
@aura What is "in scope" for any protocol is entirely arbitrary
aura @aura@gts.foxsnuggl.es
8h
@star except you really don't have session management, you have some primitives in an optional spec that can pretty much only signal a logout event
aura @aura@gts.foxsnuggl.es
8h
@star also imo that spec is incredibly silly, if you want the same properties, issue shorter tokens and refresh once it expires (or use back-channel logout which checks more compliance boxes anyway)
aura @aura@gts.foxsnuggl.es
8h
@star but also, oidc is a pretty broad protocol, listing sessions kind of implies choice of database tech in some ways whereas the existing spec can be entirely implemented with a key-value store (for super large deployments)

this is a provider i wrote at work and... it doesn't do state at all!
flori_ava_star:~cursor_blinking made-with-estrogen verifiedlesbian @star@amazonawaws.com
4h
@aura Yes true but to me it's just about having a standard for it, so that I know that stuff I design works with multiple IdPs