> There are some discovery mechanisms that can be added for DNS/http(s) services as well against different tlds.
I'm aware of OIDC's webfinger discovery mechanism; IIRC, it lets you translate "person@example.com" into a valid login. (But I don't think I've ever seen anyone implement this.) Is there something else?
I think you could also implement just a DNS identifier to OIDC discovery which would let you translate something like "apple.com" into an OIDC flow, but you would need the provider to publish a OIDC discovery document, which Apple's implementation does not do. (Why, IDK, since that seems like a really easy thing to do. But Google — which does have one, technically — also isn't "google.com" or "gmail.com", so entering this seems a bit hard for a user to enter. (It's under "accounts.google.com"))
My Apple ID is a personal email address at a custom domain name. I also use the same email address as a Microsoft ID. How would/should/could a service be expected to take my email and determine what services it is associated with? I assume that’s not really possible, and as an end-user I don’t particularly want that to be possible anyway.
But let’s take a simpler scenario, just because my email address is something@gmail.com, does that mean Google should be used as the OAuth provider? Maybe I use that same email address as an Apple ID and as a Microsoft ID as well.
If I understand correctly AppleID is supposed to obfuscate your real email such that the website you connect to will only see a hhfyguihry636357484@privacy.apple.com or something similar.
I'm mostly trying to clarify if the parent poster knew about something more than Webfinger, since his post mentions "DNS/http(s) services"; wasn't sure if that referred to Webfinger, or something else.
> How would/should/could a service be expected to take my email and determine what services it is associated with?
By following the OIDC standard, namely, using Webfinger discovery. I was mostly confused since, AFAIK, OIDC only mentions webfinger, not DNS, so I was curious if the parent to my post knew something I did not.
> as an end-user I don’t particularly want that to be possible anyway
I don't see why not. Note that this is discovering who the identity provider associated with an email is in an automated way — this is not discovering what services you log in to with that identity. That is, for "example@gmail.com", Webfinger would discover that Google is the identity provider. This is something a human can — roughly — already discern from the email anyways; this just provides an automated means. Moreover, it provides a means for the service wanting to log you in to then subsequently redirect you to; there are certain configuration parameters needed beyond just the email.
The idea is to make it simple for the average user: just enter your email.
> just because my email address is something@gmail.com, does that mean Google should be used as the OAuth provider?
Not necessarily, but I think the OIDC flow there is pretty good. One could imagine an implementation whereby GMail allowed you to specify an alternative IdP for your email, and then responded to with that when queried. This is more to do with Google's implementation. (Which, AFAIK, doesn't implement Webfinger at all, so it is kind of moot. And while I doubt they'd ever implement this sort of thing, the point is more that an IdP under your control could / that nothing in the spec prohibits it.)
> Maybe I use that same email address as an Apple ID and as a Microsoft ID as well.
I think OIDC supports this. The Webfinger query is not limited to a single result. (Though, given the paucity of webfinger implementations, I don't know how well UIs would handle this. But again, implementation vs. specification.) Even if that didn't work, you could always enter your IdP hostname directly into the RP, and it could either Webfinger that, or just see if that hostname is the IdP by attempting to pull the metadata from it.
(It is sad that most OIDC implementing RPs only give you a few hand-selected buttons leading to major IdPs to choose from.)
Microsoft's online login is probably the most prominent example of translating "user@domain.com" into a SSO login/redirect that uses Azure AD or another SSO provider for signon that I can think of.
I know it's based on DNS and/or HTTP(S) entries for the common SSO, just don't recall all the specs off hand.
For the google/apple and other very common cases you can detect by a whitelist for the domain part. For others, if there isn't a discovery mechanism in place, would have to defer to internal (password) created accounts.
It's a bit of a mess, fortunately there's a handful of TLDs that account for over 95% of public users. IIRC, when I worked at emailage, it was something like >85% of requests were from 20 domains, and 95% or so were from 100.
I'm aware of OIDC's webfinger discovery mechanism; IIRC, it lets you translate "person@example.com" into a valid login. (But I don't think I've ever seen anyone implement this.) Is there something else?
I think you could also implement just a DNS identifier to OIDC discovery which would let you translate something like "apple.com" into an OIDC flow, but you would need the provider to publish a OIDC discovery document, which Apple's implementation does not do. (Why, IDK, since that seems like a really easy thing to do. But Google — which does have one, technically — also isn't "google.com" or "gmail.com", so entering this seems a bit hard for a user to enter. (It's under "accounts.google.com"))