85 comments

[ 4.7 ms ] story [ 155 ms ] thread
"With Elon Musk’s takeover of Twitter, I began to question if transferring ownership of a centralized platform to another is really the solution to true freedom of speech. Mastodon was a platform that came to mind where each instance is run individually by a person or an organization and each instance gets to decide how they want to moderate it.

Although users get to choose which instance to join depending on their tastes, they have to sign up for a new account each time on each instance and potentially lose their followers if their account get’s banned in any of these instances.

So I’ve decided to build Soul, which is an external OAuth-based identity provider built specifically for social media in mind. It comes with several user management and user connections management features that can allow one’s “digital soul” to exist in various platforms as long as they integrate with Soul.

Soul is still in a really early stage of development but it is open source and constantly looking for new opportunities to improve. Please give it a shot and try building a social media platform on top of Soul to tap on it’s existing users (though not a lot at the moment, but I hope it’ll grow)."

Check out our site here: https://www.soul-network.com/ and main Github repo here: https://github.com/soul-project/soul

Doesn't that just change the point of failure? Can't soul still ban an account?
That's a really good question, yes it can but we can remain impartial as we have no visibility to content or anything our users do. Platforms can still ban users on their side or through our API but that would not limit our users from joining other platforms or creating their own.
What this really means is that the mob will need to pressure Soul into cancelling undesirable account holders through 3rd party site communication.
Not to mention oauth is very hard to get right.. it’s a huge undertaking with pentesting, fraud detection etc.

I leave it to the big guys do auth.

And if Soul doesn't cave to the mob they will go for their ISP. Look no further than what happened to Kiwifarms if you piss off the mob.
It is a challenging position to be in for sure but I want to fight for freedom of speech and democratizing social media. If no one does anything nothing would change. Its takes 100 failures to make a pivotal change may soul could be that trigger for change
I applaud your efforts and wish you much success. A lot of people talk, few take action.
Lots of similar sites start up the same way, I know from experience. Let individual communities self-govern, and stay out of it.

Then you get spambots attacking your service, so you set up checks on your end to alleviate the burden your individual community moderators have to undertake.

Then people sending illegal/shocking content. More changes on your end.

Then your government sends you notice that copyrighted content is being shared on your platform. Oops, gotta moderate that, too.

Death threats, alternate accounts, you name it, these are the things that will either make your community moderators & users leave (thus no service), or things you have to crack down on yourself.

Before long, you have a full-time team dedicated to moderating content.

Not saying this to just discourage you or belittle you, but, if you tell communities that you will be "impartial" 100% of the time, then that might come back to bite you later when you have to take action.

Either you could please users or you could please platforms. If 99% of your users are bots, do you think any platform will accept your users?
We'll need to have better validation in place for sure, that's a good suggestion though. It's tricky to moderate for bots while not limiting a user's freedom of expression. Maybe in the future, we can have some kind of voting system where if more than x number of verified platforms voted against a Soul account for bot activity, we will ban that user entirely from Soul.
Unless you already have a partnership with some platform using it, i think its a hard sell.
Why should I trust some arbitrary third-party OAuth provider? Why?

Either I don't need this single point of failure and create an account on each and every service independently. Each and every service then stands for its own. If someone is able to infiltrate a service, it is impossible to infiltrate my whole personalty.

That is different with a single third-party OAuth provide. First it needs a lot of trust, especially in terms of (cyber) security. Second: Kus why?

Is there already a Fediverse mechanism to let people log into 3rd party sites? Like "Log in with Twitter/Google/Facebook" but "Log in with ActivityPub"? That would be pretty cool.

I like the aspect of ActivityPub that you can own your identity to the same degree to which you can own a domain.

It would be cool if it would be possible to log in to third parties as @you@yourdomain.com via the ActivityPub protocol.

Thinking about how to implement it technically .. one simple way would be to just send a magic link to @you@yourdomain.com via DM.

Hmm... that could actually work. Your username on - say - Hacker News would then simply be your Fediverse handle: @you@yourdomain.com

The same would work with emails of course. Most people don't want their email publicly visible though. But they would probably not mind using their Fediverse handle as their username.

In my humble opinion the double asperand is a visually atrocious abomination and wholly redundant. I hope this pattern dies quickly.
needs to be differntiated from email (or maybe not, i would prefer it if SMTP was just extended to be social)

what would be a better format?

I had the same reaction at first.

But after some contemplation, I changed my mind. It's not so easy to say if there is a better alternative.

We need way to say "This is a Fediverse users. Their instance is xyz.com and their username is abc". A way that easy to grok visually and also by software.

    abc@xyz.com - is alread taken for emails.

    xyz.com/abc - would be a link

    xyz.com@abc - is the wrong way round.

    abc*xyz.com - would work. But is it good? Hmm...
These are definitely better:

  @xyz.com/abc

  @abc.xyz.com
I'm not sure. I don't like @abc.xyz.com at all.

@xyz.com/abc has the nice benefit that it is like https://xyz.com/abc with only the https:// part is changed.

But "Written by @joe@someinstance.com" reads much nicer than "Written by @someinstance.com/joe".

Those are significantly worse, because they do not ambiguously state what @user@site does. This is such a minor thing to be up in arms about, aesthetically it looks fine and immediately communicates what it is.
I think this portion of the discussion on the ampersand satisfies the definition of "bike shedding", right? :-)
@xyz.com/abc is the best I've seen so far.

I think inverting this is also a sweet spot. It lets you drop context if on a locally federated node:

@abc/xyz.com

@abc[/xyz.com]

@abc

The username first prioritizes the human, and the host instance lookup can be added with tooling [1].

We should weigh ergonomics, visual distinguishability, ease of parsing from plaintext (important), ease of typing, visual aesthetics, simplicity, and extensibility.

We should collect dozens of candidate formats and weigh them on these (and more) dimensions.

[1] (eg. autocomplete that doesn't change the previous buffer, unlike, for instance, Google Docs chips).

There's really no reason not to use email addresses for this use case.

Consider,

http://username:password@www.example.com/path?query=1#hash

Reduced to the parts that would actually matter (because username and path are redundant for this use case, and no one seriously embeds passwords in URLs),

scheme://username@www.example.com

So it seems that the design challenge is baking the scheme into zero or one glyphs.

username@www.example.com

Hey, that looks like an email address! A URL is an extended email address, an email address is a URL with default values.

> There's really no reason not to use email addresses for this use case.

As elegant as that would be, confusion could arise.

Email and federated identities might be intersecting sets, but not are not guaranteed to be either subsets or supersets of one another.

The ambiguity of this seems problematic.

I disagree, I think we should demand that `username@domain.com` (coupled with a digital signature) be the one true way (TM) that services treat identity. Whether domain.com supports an email service, an HTTP service, or a social service is secondary. Standardized representation of the principal is the primary concern.

Twitter and Facebook represent the principal using their own alternative formats to assert ownership over the domain, not because they're good formats (@foo, fb.com/you). They've normalized the idea that the textual representation of the principal should be different between different services, but there's no fundamental reason it should be so.

Given decades of ~abc for a home directory and xyz.com/~abc/ URLs, perhaps the tilde could be put to use yet again:

    ~abc@xyz.com
It isn't as easy to type as @. In fact, my keyboard doesn't even feature a tilde written on any of the keys, so I make it appear solely from muscle memory.
abc@xyz.com is definitely not taken for email. It works as a HTTP url, or SSH logins and it can very well work for ActivityPub.
(comment deleted)
Mastodon can work as an oAuth Provider, I believe.

But the interest thing is that I'd like to do the opposite: I'd like to be able to use my own id (openID, public key, DNS record, whatever) and use it as my identity on any activitypub server. Then the servers would be truly a simple hosting provider.

Using oAuth would only allow users in who use an ActivityPub instance that supports oAuth.

I for example will probably use something much simpler than Mastodon. As I will actively look for an ActivityPub software that is lean and does one thing well: ActivitiyPub.

Microblogpub looks promising:

https://microblog.pub/

Pleroma is what you are looking for, then.
Not sure. The code and the interface of Pleroma are way more complex than microblogpub.

I tried a Pleroma instance and the UI had sticky elements. Sticky elements make me scream and run.

I really like the HN interface. My ActivityPub node should have a similar interface. Plain HTML, rendered serverside, reload to update.

Sorry, now I am just realizing that we are talking about totally different things. What does the frontend of Pleroma have to do with how authentication is done on a ActivityPub server?
Pleroma is compatible with the Mastodon client-server API.
Using Pleroma will make lots of homeservers block you because the main developers and some major users of the platform are right wing (like KiwiFarms) so lots of Mastodon homeservers consider it to be Nazi software and will block you outright just for using it

This is incidentally why I'm not developing an Activity Pub homeserver myself -- I have no interest in having users doxx my politics simply because I'm interested in social networking protocols.

Personally, my hobby is no longer computers, and it definitely isn't FOSS -- I'm not trying to be the next guy blackballed from the industry for having the wrong thought about the current thing. That's also why I have a throwaway account here. Political activists working inside the tech sphere are savage and have no mercy, and I wish to have nothing to do with them. For me that mostly means: no ActivityPub, no Twitter.

So, because you think you will be blocked by some group (which will become less relevant as AP grows) you decide to do their job for them and silence yourself?

The only way to end this insanity is by having more normies running pleroma/soapbox/rebased, not by self-censoring from fear of the woke-mob.

The controversial site you mentioned is currently being blackholed by one of the major transit providers in the US, who are supposed to be neutral when it comes to internet traffic. This is the level of political interference from certain identity groups, disrupting the internet in a way that would usually only get done via the courts.
Best to remain neutral IMO and focus on building the tools for both sides irregardless of your own personal political stance. I really like the approach taken by instant messaging platforms, particularly Signal's approach of being e2e encrypted. That makes them not liable in most cases even in court to withholding information because they physically can't lol. It also means they'll have no way of deciding if they should censor right wingers / left wingers.

In a way this was also what inspired me to build Soul, though I get the appeal of being decentralized and all, I think we can still remain impartial by being an external provider with no access to any other information (e.g. user posts) besides user accounts and relationships.

ActivityPub doesn't really offer a mechanism for it, but I am planning on building a service which will combine fediverse handles with OpenID authentication which I hope will work very similarly to what you want.
Is there a need for an additional mechanism?

Sending a magic link to @user@domain results in a 3 actions login:

1: User types "@user@domain" into the login form and hits enter.

2: User switches to their fediverse inbox

3: User clicks on the link in the DM

I have the vague feeling that this is the shortes possible path. Or does your solution make it shorter?

I think the shortest path would be to implement an industry standard federated authorization mechanism as OpenID.

But to be honest I don't fully understand your proposal, maybe I'm just missing how it's simpler. :)

Feels like an opportunity to just collect emails...
(comment deleted)
I run three services (Mastodon, Pixelfed, WriteFreely) and would like to have my community use one set of credentials on all three (and any other service they would like to) - is this what I'm understanding is the intent here? I want to run more services but I simply cannot stomach yet more credentials.
That is right :) one credential / account for all instances, we function as third party OAuth provider, it's possible to integrate as long as your platform can integrate allows authenticating through OAuth. We offer a few other features as well but they're not readily supported by Mastodon yet atm, ideally we'd love to centralize user relationships as well so that you won't have to rebuild your friends and followers list on every platform.
Centralizing the decentralized... what's old is new again?

Seems like the centralization of relationships and credentials ought to be client-side, or a portable protocol all its own, so we don't repeat the mistake of centralizing the most-important data.

> Centralizing the decentralized... what's old is new again?

haha you're not wrong, but imo this is a critical part to centralize though. I haven't seen an easy to use (wallet not required) and trusted solution yet for decentralizing auth. Maybe it's underway and I'd be happy to adopt that once it's good.

IndieAuth[1] is a slick DNS-based approach. Maybe offering that as a service would be a nice alternative. I point my DNS to you, and you handle authentication for everything that uses IndieAuth. If you go away or I don't like what you're doing then I can point my DNS to someone else offering that service and I retain the same DNS identity, and ability to use it to login anywhere I've set it up as my identity.

IndieAuth.com[2] sort of does this already, but it delegates to a "social" login (Facebook/Twitter/Github/Google/etc).

[1]: https://indieweb.org/IndieAuth

[2]: https://indieauth.com/

One can readily argue that it is simultaneously the most-important part to decentralize. Identity and personal-network are essential to a person's function in modern society.
do you plan on a paid white label option?
Hmm not sure if I'm getting this right, do you mean white labelling Soul's authentication? To allow for rebranding?
yep, I'd like to offer your service @mydomain
That might be a possibility (it's not supported now though, we're still really really early stage) but I'm not opposed to that suggestion. This would work well if your network is pretty established already and folks trust your platform instead of trusting the authenticator first.
it's around 16,ooo (and growing thanks to the twitter kerfuffle) - very trusted in a small niche
Maybe this helps:

- https://solidproject.org/TR/protocol#identity

- https://solidproject.org/faqs#webid

- https://solidproject.org/faqs#fewer_passwords

> Does Solid mean we won’t need so many passwords?

> Yes. When you use Solid, you only need to login to your Identity Provider. You can then use applications that interact with your Pod without logging in each of them individually, which is (in our opinion) simpler than having to create accounts on each and every service. However, you will still have to manage what data you would like to share with each application.

> Yes. When you use Solid, you only need to login to your Identity Provider.

Maybe I'm not understanding your direction here, but I'm specifically looking for an Identity Provider service to auth ActivityPub service users.

What happened to OpenID — Haven't we already been through this?
(comment deleted)
(comment deleted)
(comment deleted)
The vast majority of people don't want to deal with multiple platforms. They want to be on the same platform as their friends, and the content creators that they like. That's it.

Does Soul abstract away the platforms entirely, and make it feel like you're only on one?

It kinda does actually, I'd say this gives you an experience close to having a Facebook with groups but each of these groups are self managed and self hosted in whatever way you want. You still end up having a single account at the end of the day and a single friend's list.

You don't really have to deal with multiple platforms if you don't want to, but if you have to, it'll be as seamless as something like a "login with Google".

It might also be good for content creators cause you'll be able to follow them across different platforms (e.g. instagram, tiktok, twitter, youtube) without actually having to sign up on every single one of them. And content creators won't have to lose their subscribers / followers on new platforms.

> The vast majority of people don't want to deal with multiple platforms. They want to be on the same platform as their friends, and the content creators that they like. That's it.

Statements like this make me feel like I'm living on another planet. I socialize with my friends almost entirely over IM (iMessages, SMS, Signal, etc.). Social media is just the huge content pile that we sometimes discuss and link. In that sense there are already few barriers to switching platforms because "engaging" with any content on social media seems like a foreign concept.

Same, but: how do you know what to link on social media? You have to browse one first. I'm fairly online, so I do end up browsing several different social media sites, but most people aren't. They have the one or two that they like, and they use those. Nobody wants to manage ten different platforms, a successful solution has to make it seem like you're only on one.
The past few days' discussion of federated social networking have really brought out the... I don't know how to describe them, KPI-brained people? If you've worked in social networking UX for the past decade your entire professional experience & perception of norms have been geared toward funneling people into the optimal mould to which to sell advertisers the right to manipulate them. That's it! All the frictionless stuff isn't about making peoples' lives better, or "delighting" them, or whatever. It's to ensure as many people as possible are available as grist for the manipulation mill. Myopic, this makes the UX actually very bad. I don't need to rant about all the consent-disregarding stuff we've all seen ("Do you want to enable bad thing? Yes/Ask me later") but fundamentally I don't think we should care about the opinions of anyone applying their corporate UX reasoning skills against the idea of federation, appealing to some prescriptive sense of what people care about.
Here's a recent BBC article about Mastodon: https://www.bbc.com/news/technology-63534240

Notice how much trouble it has trying to explaining it, going as far as to include a tweet making a joke about how complicated it is. Mastodon is more often than not just described as Twitter, but more complicated.

I would posit that both Twitter and Mastodon have terrible UX. But everyone understands Twitter. This is a real problem that federated platforms need to solve before they can be seen as viable alternatives to centralized social media. One of the biggest concerns about Twitter right now is consistent content moderation, but Mastodon proudly claims that it has none. Why should people switch?

Peoples' understanding grows and changes over time. There was a time when the concept of signing up for an interactive website was unknown to the entire world (the advent of this understanding was called Web 2.0). You can find similar BBC articles from that era. I'm not going to argue why people "should" switch to Mastodon because that's up to them. It's there if they finally get frustrated enough being abused by twitter to look up how to switch. It seems like quite a lot of people are feeling that lately, which is why we're having these discussions. It's also untrue that mastodon "proudly has no" content moderation, and I'm sure you know this.
Mastodon is in trouble if it still has a communication problem in late-2022. It's had 6 years to refine its experience, and apparently is still unable to capitalize on Twitter's missteps.
I don't know how 30% overnight growth means it is in trouble. I don't know how a service that isn't geared toward profit is in trouble from a lot more people using it and learning about it. I really, honestly don't know what you mean by that.
Basically, Mastodon still can't explain in layman's terms how users should think about its federated model, or why they should care. This 30% bump is driven entirely by short-term drama around Twitter. I bet you that in the next few months, you will see Mastodon's DAU's drop back to around what it was before this whole mess.

The biggest reason for this is that, as you yourself said, Twitter's UX is terrible but Mastodon is almost identical. So why switch?

Thankfully laypeople will always continually excel beyond your professional opinion that they can't understand how to log into one of several websites.
Again, why should users switch to Mastodon if the UI is identical? You made some good points about Twitter's UX being terrible due to their focus on advertisers, but it looks like Mastodon is literally trying to be a Twitter knock-off. What's the benefit?
The issue is why would a social media platform choose to use this? They jealously guard their user count and engagement, and would not want to share.
Truly democratizing social media would mean getting rid of social media completely. The only reason we need Facebook, Twitter, Reddit, etc. is because they store our conversations for us and help us find each other. The problem is, they have to (want to) monetize their position as the middleman and end up mediating our conversations, even when we ask them not to.
My least favorite corporate tech buzzword: democratizing something