| 9 Mar 2024 |
 raitobezarius | Sure, but, well, that's a completely valid usecase and there's others | 01:49:36 |
 hexa | the only reasonable deployment I've seen is for universities | 01:50:06 |
| raitobezarius | Well, governments or so-called dataspaces need this sort of stuff too | 01:50:21 |
| hexa | makes sense | 01:50:28 |
| raitobezarius | Even in the same organization, when there's multiple authorities with separated infrastructure, federation makes a bunch of political stuff easier | 01:50:53 |
| raitobezarius | Because you don't get to enforce / assert LDAP ownership | 01:51:04 |
| raitobezarius | First party native application login via OIDC is being removed in https://oauth.net/2.1/ | 01:51:34 |
| raitobezarius | Which means that you always have to pop up that web page when logging in via OIDC in any native app | 01:51:49 |
| raitobezarius | How to log out users in OIDC is very interesting (again a consequence of authorization protocol being used for auth) | 01:52:25 |
| raitobezarius | so there's this spec https://openid.net/specs/openid-connect-frontchannel-1_0.html | 01:52:29 |
| raitobezarius | which almost no one implement | 01:52:32 |
| raitobezarius | which means that for example if you login to circleci via github, log out from github, you are still logged in in circleci | 01:52:44 |
| raitobezarius | Auth0 who handles a lot of stuff for you has very fun documentation on it: https://auth0.com/docs/manage-users/sessions/session-layers#session-logout | 01:53:05 |
| raitobezarius | They have always 3 sessions to manage this sort of stuff | 01:53:15 |
| hexa | yeah, that is a can of worms, agreed | 01:53:25 |
