HTTP auth is not an authentication system, it only describes how credentials should be passed from the client to the server and how the server should respond to them.
No, specifically not. I don't want to store your username and passwords in a database (and then deal with account recovery, password rotation, etc) - I want identity.
The browser should be able to vend me an (opaque, anonymous) token that identifies you as an individual. If your mobile and desktop browser vend the same token, then the website sees you as having the same identity on both platforms.
The privacy implications of this are a deep and toxic swamp into which every previous attempt has sunk. Right now, control over an email account is the best we've got.
> Right now, control over an email account is the best we've got.
And it's a poor enough solution that we have to build extra layers around it (for example, Apple's auth "login with Apple ID", which lets you hide your real email address behind an anonymous relay).
Could you put a token in an HTTP auth username? Leave the password blank?
You could, but it's at the behest of the client, so browsers would have to implement that for it to be useful. If browsers are going to implement something, might as well come up with a decent standard.
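Added example, not part of the thread: a server-side sketch of the token-as-username idea over HTTP Basic auth, showing the challenge the server sends and how it parses what the client returns. The token value, the digest table and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample data: the server keeps only SHA-256 digests of issued tokens.
KNOWN_TOKEN_DIGESTS = {
    hashlib.sha256(b"tok_constructed_example_123").hexdigest(): "identity-1",
}
# The server's side of HTTP auth: a 401 plus a challenge naming the scheme.
CHALLENGE = {"WWW-Authenticate": 'Basic realm="token", charset="UTF-8"'}


def parse_basic(header):
    """Return (user_id, password) from an Authorization header, or None if malformed."""
    if not header:
        return None
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob.strip():
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    # RFC 7617: the user-id cannot contain ':', so split on the first one only.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def identify(header):
    """Map a token-as-username credential to an identity, or None."""
    creds = parse_basic(header)
    if creds is None:
        return None
    token, password = creds
    if not token or password != "":
        return None  # the scheme discussed above leaves the password blank
    digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
    for known, identity in KNOWN_TOKEN_DIGESTS.items():
        if hmac.compare_digest(known, digest):  # constant-time comparison
            return identity
    return None


def respond(header):
    """Return (status, response_headers, identity) for a request's Authorization header."""
    identity = identify(header)
    if identity is None:
        return ("401 Unauthorized", CHALLENGE, None)
    return ("200 OK", {}, identity)
```

The server can only challenge and parse; whether a token is ever sent, and which one, is decided by the client.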