How to confirm ownership of a Bluesky account? #2544
Hey, Most of our current integrations are based on OAuth (which I know is not part of Bluesky yet). I have also seen some conversations about support AFAIK the only way to do this would be to ask for username/password to the users and then use atprotocol to confirm those. For security/privacy concerns we don't want to do that. Is there any other way? Thanks in advance.
This topic more broadly ("how do you confirm ownership of a Bluesky account?") has come up constantly the last few days as more of the British media and political classes join the platform. I'm divided between thinking the DNS-based verification is sufficient and effective for verifying account authenticity (indeed, I use this to great effect for the News feed), and realising that the vast majority of users have never built a website, and won't ever build a website, and at this point see the open Internet mostly as a pre-mobile relic, so are unaware of the challenges of building authenticity mechanisms in a decentralised space and have little motivation to engage with those challenges.
Edit: This post by retr0id makes the point well.
An idea I have that Bluesky could implement without an excessive amount of development effort (at least, I suspect as much when compared to recently added features like DMs and 3rd party labellers):
I've long thought about building a singular independent platform that provides this functionality in a cross-platform capacity but I honestly have way too much on right now to even consider building such a thing myself.
The advantage to this being a first-party capability on Bluesky is that UI affordances similar to the "blue tick" system could be added to the client, allowing for users to quickly ascertain whether an account posting is the same account from another site, without having to rely on a separate verification provider. Another upside is this would enable users to login to Bluesky using familiar SSO credentials from other platforms.
Prior art I'm contemplating for this is mainly Keybase; at one point I ran a Mastodon instance for journalists that leveraged Keybase to verify all the users on the instance were in fact the journalists they said they were (it's really a shame Keybase got acqui-hired by Zoom, they were doing such cool stuff).
Edit: Discord's "Connections" system is pretty much exactly what I'm suggesting here in many ways.
Downsides I can think of:
Alternatives I can think of:
Hey, this sounds great! I love gravatar, thanks for working on it.
If OAuth is an established pattern for you, I'd probably recommend waiting for that. We don't commit to specific timelines publicly, but we have done a lot of work on it and it is finally coming together, will hopefully be rolling out in stages in the next few weeks.
If you don't want to wait, the "app password" system is designed as a stop-gap until OAuth is ready, and you could do that today. It isn't super ergonomic though.
We have also been meaning to support rel=me and similar account inter-linkage for a while now, and just haven't gotten around to it quite yet. I don't have a timeline for that, sorry. An independent …