Scott M. Stolz
I am an entrepreneur, small business owner, author, and researcher. I am also working on an open source project called Neuhub.

I am posting from Hubzilla with Neuhub via ActivityPub.
2025-06-30
@FenTiger I updated MagicSignOn.org with use cases and added a brief comparison between OAuth and OpenWebAuth.

Use Cases: #^https://magicsignon.org/page/openwebauth/uses

New Home Page: #^https://magicsignon.org/page/openwebauth/home
2025-06-27
@FenTiger It sounds like a sensible approach to me, but @Mario Vavti and @Mike Macgirvin 🖥️ would be the ones implementing it, so it depends on what they think.
2025-06-27
@Mario Vavti That's what I thought. We should probably mention that in the spec.
2025-06-27
@Scott M. Stolz
Speaking of which, if OWA does not send profile information, such as display name and avatar, maybe it should. Because we can't assume that other platforms will use the same protocols for communication.

Maybe we can provide a way of including the display name and avatar of the authenticated user as part of the OWA authentication process. Make it optional, and state that as a fallback, you would use other methods to get this information (and provide a list of the fallback methods). That way the protocol remains backwards compatible, while providing additional information for those who want to utilize it.
2025-06-27
@FenTiger
A "compare and contrast" with OAuth sounds great, too, but might give people the impression that they have to pick one or the other - which I don't think is necessarily true, though I haven't fully explored the implications of merging them.

I think it is more a situation where each has a different use case.

OWA allows someone@example.social to log into example.com as someone@example.social, and example.com determines what someone@example.social can do on example.com. Example.com cannot impersonate support@example.social, nor can example.com control example.social on behalf of the user.

Whereas with OAuth, you can set it up so that example.com becomes an agent for someone@example.social and depending on how you set it up, example.com can manipulate example.social on behalf of the user.

Or at least that is the layman's explanation of it. In that sense, OWA is simpler to set up, and also purposefully limits the scope of power example.com has in relation to example.social.
2025-06-27
Speaking of which, if OWA does not send profile information, such as display name and avatar, maybe it should. Because we can't assume that other platforms will use the same protocols for communication. Will an ActivityPub only platform be able to get the display name and avatar and profile of a Zot only user, for example?

How would such a situation be handled?
2025-06-27
@FenTiger I was also thinking of making some other changes too. When I talk to people about it, they seem to think it works like OAuth and don't understand the use cases OWA addresses. So adding a section on use cases might help people understand.

I can start writing a use cases section for inclusion.

And we might want to mention certain activities, like how to get someone's profile and avatar, since that is a question that came up. We could even point to other FEPs or the ActivityPub specs to explain how it is done, since I don't think OWA includes the full profile information.

Basically, explain some of their next options after they authenticate the user, emphasizing that OWA was meant to be flexible and work with multiple protocols, such as ActivityPub, Zot6, and Nomad.
2025-06-27
@FenTiger They did calm down when I said Hubzilla invented OpenWebAuth in 2017, and then quoted what you said above. I think it was a case where they thought I was just some random person who did not know what he was talking about. It was heated but respectful.
2025-06-27
@FenTiger It was pretty heated. They said I was gaslighting. I told them we literally invented OpenWebAuth, so I think we would know.
2025-06-27
@FenTiger That is what I thought it means. I just had an argument with someone that claims that OWA does not authenticate individual users because the spec says "but may not be the exact same user."
2025-06-27
There is some confusion over a specific paragraph in the OpenWebAuth spec. Some are interpreting it to mean that OWA does not authenticate a specific user, but simply says someone on the home instance logged in, but we don't know which one, therefore it is impossible to tell which user is authenticated.

That is obviously not how Hubzilla works since Hubzilla knows which user authenticated, but that is how people are interpreting this paragraph in the FEP.  

Does anyone know what this paragraph is supposed to mean?

When the OpenWebAuth flow succeeds, the owt= query parameter will identify the user who is logged in to the home instance. This will be a user from the domain in the original zid= parameter, but may not be the exact same user.

#^https://codeberg.org/fediverse/fep/src/branch/main/fep/61cf/fep-61cf.md#3-target-instance-provides-a-token
2025-06-27
@RandalZ And even if you have people who don't operate based on principles, you can still count on "what's in it for me" as long as the principles at play lift them up too. Most people are concerned about their own well-being and the well-being of people they care about. If you build a system that allows them to prosper and be happy, they are less likely to be jealous of other groups, which reduces conflict within society.

As long as the system is set up so that everyone can benefit, it does not matter if everyone believes in the principles or not. They will follow the principles because they benefit from it.
2025-06-27
@RandalZ It does seem to be a dying art, but there are more of us than you think.

For example, we did pass the The Civil Rights Act of 1875, the Civil Rights Act of 1957 and the Civil Rights Act of 1964, and those were all based on principles. A lot of people resisted their passage, and still resist it today, but that is the law. President Dwight D. Eisenhower even mobilized the National Guard to force Arkansas to desegregate the schools, which they were refusing to do. And a lot of us today still think that racism, prejudice, bigotry, and discrimination is wrong.

If you think racism is wrong, you have principles. If you think greed and exploitation is wrong, you have principles. If you are surrounded by people who don't have those principles, then it is probably wise to find some new friends and associates.
2025-06-24
@RandalZ By creating and enforcing a fair playing field, one built on principles, not factions fighting one another. There are a lot of moving parts that need to be addressed, but the main ingredients include protecting people's rights, helping people who are struggling financially become financially independent, and putting systems into place that prevent abuses. This includes enforcing the rules uniformly, not based on minority status or privileged classes. If we don't move to a system that is fair for everyone, all we will be left with is squabbling and conflict.
2025-06-20
Playing favorites just creates winners, losers, and resentment. Instead, we need to move everyone to a healthier and happier existence and coexistence.
2025-06-20
This is a very insightful article on Toxicity and Masculinity. It talks about how we handle the fact that many men are struggling in a world where so many other groups, such as woman and minorities, are also struggling.

#^https://nonzerosum.games/masculinity.html

@James
BUT CAN WE FOCUS ON EVERYONE?

I actually had some trouble reconciling this idea. Because the question immediately occurred to me—if we focus on men as well as all the traditionally vulnerable groups: minorities, women, the poor, children, the LGBTQ community, aren't we then just focusing on everyone? And therefore not actually focusing on anyone?


Scott M. Stolz wrote the following post Fri, 20 Jun 2025 06:01:43 -0500 @James The solution is simple. Instead of focusing only on specific groups, help the people who need help.

There is this fallacy that ALL people of a disadvantaged group or demographic need help. That is not true. In any group of a significant size, you will always find successful people and struggling people. For example, there are rich, middle class, and poor black people.

A person living in poverty needs assistance. A person with a mansion and a private jet does not need the same assistance. Their skin color should not be the determining factor here.

Likewise, a person's sex, gender, or genitalia should not be the determining factor on whether someone gets the help they need or not.

Help the people who need help. We can create customized care for each group, but we should not be neglecting one group over another. Playing favorites just creates winners, losers, and resentment. Instead, we need to move everyone to a healthier and happier existence and coexistence.
2025-06-07
Had a really great Day 3 of @FediForum. I was able to attend some great sessions, including identity in the fediverse and data & account portability. I was able to talk about Hubzilla, Streams, Forte, and Mitra which have implemented various technologies, such as nomadic identity (which includes account & data portability). I was even able to do a quick overview and demo in a session.

And there is a lot of work being done in ActivityPub and various platforms to try to make these concepts the norm rather than the exception. There are a lot of opportunities for collaboration and interoperability. I am excited to see the fediverse move in this direction.

#fediforum #fediforum2025 #fediforumattendee
2025-06-07
Sometimes we have to deal with bad behavior and harassment in our online communities or in real life. It can be a challenge to do that when they provoke you and are trying to upset you on purpose.

For me, what I have found is that taking a breath, calming down, and taking the high road is usually the most effective way to deal with trolls and bad actors. How I deal with it depends on the situation, but basically I try to hold myself to a higher standard than they are currently demonstrating.

In many situations, they assume you are going to be a jerk or hostile based on some assumption or stereotype. When you don't act that way, it often disarms and confuses them. These are the people who now have to rethink their assumptions since you challenged their preconceived notions. These are the people who typically apologize and change their minds when they realize they were the jerks in the situation, not you. They may even become an ally.

And if they are trying to provoke you, they win if you let them provoke you. They are trying to make you look bad by getting you to do something. Then they point at that and use that against you. So, you instead be nice and make it look like they are harassing an innocent victim (which they are). It backfires on them. These are the ones who get pissed off. They were trying to make you look bad, but you flipped it and made them look bad instead.

And sometimes you have to call people out, publicly or privately. Instead of attacking them personally, you call out specific behaviors and tell them that it is not appropriate here, and that they may be asked to leave (or in the case of a community, banned). No name calling. No personal attacks. No gross generalizations. No negative stereotypes. Just "your behavior is inappropriate and you will comply or there will be consequences."

It is hard for them to argue with you when you don't make it personal, especially when you can point to community rules that they agreed to when they joined. And, in the end, they will often respect you even if they disagree with you because you did not make it personal. Plus when it becomes personal, that is when people get really nasty. And that can become a headache really fast. Avoiding making it personal deescalates the situation, whereas making it personal escalates the situation.

There are many tactics for dealing with harassment and misbehavior. Holding yourself to a higher standard than they do is an effective way to beat them. And the fact that they wind up looking bad is a good deterrent for others.

Remember, some of these people are trying to trip you up on purpose. Don't fall for it.
2025-06-06
I attended FediForum earlier today and it was really nice to meet our fellow creators of the fediverse. Some great discussions and great demos.

@FediForum  #fediforum2025 #fediforum
2025-06-06
Andrea Junker :verified: wrote the following post Fri, 30 May 2025 14:35:18 -0500 Been saying this for awhile, but will repeat it for emphasis: If you love freedom but don’t care if it applies to everyone, what you actually love is privilege.

Client Info

Server: https://mastodon.social
Version: 2025.04
Repository: https://github.com/cyevgeniy/lmst