jeefave
commented
3 years ago The thought process on keeping the value undefined is to let a specific oidc provider handle their own default. A different OIDC provider could default to a different id manager.
The intent is to leave the separation of concern between the oidc provider and the id manager so the TXT _idmanager is being defined by the user intentionally and not being driven by the oidc component. To answer the point 3, yes the id manager should be the one responsible to prompt the user to set the TXT records for _idmanager. In the future id.manager.io could have an "eject" feature to set a custom _idmanager and deploy on heroku, s3, skynet, ...
The protocol does not impose a particular id manager. The implementation however requires a fallback. I am not sure the protocol necessarily requires a default value but I am curious to hear your thoughts if it has further implications. If the user did not decide to aggregate his identities into a custom identity manager, the oidc provider is in charge of defining its own fallback, this can be id.manager.io or a custom one. id.manager.io can totally be reused by other oidc provider. This would be an implementation decision.
Falci
When the user starts the login flow, the OIDC should query for the TXT record on
_idmanager.<name>'s DNS. What happens if the name has none?Namebase's OIDC default action is to send the user to
id.namebase.iowhich is Namebase's id manager. However, during the registration process, this id manager asks the user to add only the device/fingerprint DNS record, keeping the id manager undefined. If later, the same user tries to login using the same name, in a different website (that has its own OIDC) it won't be possible to know its idmanager.id.namebase.io?id.namebase.ioopen and expecting signing request from 3rd-parties, other than oidc.namebase.io?id.namebase.ioalso asks its users to add the_idmanagerDNS record?