Reimagine user auth, "Follow" flow, and the concept of "login" and "users"

[gabek]

Share your bug report, feature request, or comment.

This topic came up in the discussion around the embed design (#2917). And while it's not directly connected, it tangentially is.

Currently, there's no such thing as "logging in" to anything on Owncast, with regard to frontend, end user functionality. There are only features that you can authenticate against. And while to some that might feel like the same thing, they are very different.

Logging in means you authenticate, and then the web application knows who you are, and certain things change state, reflecting the fact that you are who you are throughout the entirety of the application. This is how every web site with accounts works.

What we do now is different. We have a set of functionality that you can authenticate to use. The web application doesn't know who you are. Once that action is independently taken (FediAuth, IndieAuth, Follow), that's it.

One feature that would be difficult to build currently is Follower-only Chat (#3428). While we do know who our followers are, and who has authenticated against chat, they are decoupled. We'd be asking a chat participant to perform two entirely different actions (follow via the fediverse and then authenticate via the fediverse) to make it work. This makes little sense.

What does this mean? For example, here's how the "Follow" flow works now:

1. You press "Follow"
2. You successfully go through the Follow flow
3. You leave the Owncast page
4. You come back another time
5. It doesn't say "Unfollow" or "Already followed". Instead, it again says "Follow" because there's no way for it to know that you've already followed. There's no global user state to reflect this.

There are a couple of different reasons why it currently is the way that it is.

• For chat authentication some servers have two auth methods (FediAuth, IndieAuth), only one of them, or none of them.
• Not all servers have "Follow" support because they don't have Fediverse support enabled.
• Originally, the features that support authentication didn't exist, so they exist as standalone functionality.

Consolidating FediAuth functionality

People really like the "FediAuth" functionality that we built into Owncast, and I think it's worth doubling down on it. Right now, you perform a FediAuth action to authenticate with chat, it's just for chat. It impacts nothing else, and most people don't understand what benefits they get out of the action.

Benefits

• We'd be able to show "Unfollow" if you've already followed
• We'd be able to connect you the Fediverse user and you the Owncast Chat user.

An alternative example of user flow would look like this:

1. User presses "Login"
2. User goes through "FediAuth" flow
3. The user is now "Logged into the site" (a concept that doesn't currently exist). "Login" turns to "Logout"
4. The user decides they want to follow this server
5. They press "Follow"
6. Instead of typing in their account like they do now, they automatically get redirected to their Fediverse server to verify the follow.
7. User validates it
8. User gets redirected back to the Owncast page
9. "Follow" button turns to "Unfollow" button

Important clarification

To clarify, I still have no interest in traditional "accounts" where people have to create a username and password to chat or view the video. We have always had "accounts" internal to Owncast, and this hasn't changed, and still won't change, from how they are represented. But if it makes sense, we may change how a user can access them.

Questions that need to be answered

• All of this would be tightly coupled with the ActivityPub support built into Owncast. The downside, of course, is if a server chooses not to have ActivityPub support enabled. Then none of this functionality would be available to them at all. I'm not sure if that's ok.
• We currently offer IndieAuth and FediAuth for chat authentication. This makes complete sense for chat. But it doesn't make sense in this alternative use case, since there's no "Follow" equivalent for IndieAuth. It also wouldn't make sense to allow FediAuth login for the site as a whole, but allow IndieAuth just for chat. So I'm not sure where we land on all of this.
• I'm not sure if there is actually a standard for "Remote Unfollow" like there is for "Remote Follow". So while we could show an "Unfollow" button, I'm not sure offhand what it would do.
• Since there's no way to combine a "Login" and "Follow", I guess we'd probably want to optimize for "Follow" as the primary action. You press "Login", and if you hadn't previously followed, you'd be redirected to follow. If you had previously followed, you'd go to FediAuth.