Connect the Social Web with Magic Sign On
OpenWebAuth (OWA) is a federated remote authentication protocol. It can be used alongside protocols such as ActivityPub and Zot to add single sign-on to the Fediverse or to other "social web" projects such as blogs, forums, content websites, membership websites, web applications, communities, and more.
It can also be used to implement your own Single Sign On (SSO) system, letting your users sign onto your own websites without having to create a separate local account on each one.
Lightweight and Versatile
A Flexible Federated Authentication Protocol
Social Web Identity
Single Sign On (SSO)
Access Control
OpenWebAuth (OWA)
also known as Magic Sign On, Remote Authentication, or rMagic
Allows you to sign onto websites, social media sites, and forums using your social identity.
There are two components: identity providers and websites. An identity provider, such as Hubzilla or Friendica, provides you with a social identity, while a website allows you to authenticate (i.e. sign on) with your social identity.
Identity Providers
The following platforms currently issue social web identities that can be used to sign onto other servers and websites:
- Hubzilla
- (streams)
- Forte
- Friendica
- FedIAM
Support for Pixelfed and Mastodon has been proposed.
Destinations (Servers / Websites)
You can use your OpenWebAuth social web identity to sign on (remotely authenticate) on the following platforms:
- Hubzilla
- (streams)
- Forte
- FedIAM
Support for Bridgy Fed and Great Ape has been proposed.
How to Remotely Authenticate
Using remote authentication is easy. In many cases, it is automatic.
- Log into your home hub or instance on this device (and stay logged in).
- Enter your channel address on the sign on page and press the "authenticate" button.
The website checks whether you are logged into your home hub or instance on this device, and if you are, it remotely authenticates you.
If you try to authenticate and are returned to the authentication page, you are either not logged into your home hub, or you typed your channel name incorrectly.
OpenWebAuth vs. OAuth
Authentication Protocol vs. Authorization Protocol
One of the key differentiators between OpenWebAuth and OAuth is that OpenWebAuth is specifically for authenticating a user, whereas OAuth is primarily an authorization protocol.
With OpenWebAuth, you can issue social web identities to your users, allowing them to sign onto other servers. Since OpenWebAuth is not an authorization protocol (like OAuth), you are not granting the remote server any privileges on your server. You simply provide a user identity that can be used for federated single sign on.
For example, OpenWebAuth allows someone@example.social to log into example.com as someone@example.social, and example.com determines what someone@example.social can do on example.com. But example.com cannot impersonate support@example.social, nor can example.com control example.social on behalf of the user.
With OAuth (an authorization protocol), by contrast, you can set it up so that example.com becomes an agent for someone@example.social and, depending on how you set it up, example.com can manipulate example.social on behalf of the user.
OpenWebAuth purposefully limits the scope of power example.com has in relation to example.social. If you need authorization in addition to authentication, you can implement OAuth alongside OpenWebAuth.