An ATProto Identity Management Service

Apr 20, 2025

Some thoughts around an independent identity management service to support the next generation of OAuth and PLC.

"Decoupling Authentication, Authorization, and Data Hosting"

  • replace plc
  • separate oauth from pds
    • store different collections on different PDS?
  • key management and delegation
    • app specific / device specific?
  • permissions?
  • PDS should not be handling ... it should be minimal
    • oauth
    • emails
    • rate limiting
    • permissions
  • We can use an AuthNZ component or proxy in ATProto to handle this
    • the effect is the same, we just shuffle around some code and responsibilities
    • can leverage battle-tested tools instead of reimplementing
    • standards...? pds can make a well-known permission check format (sub, action, target, context) (like service-service comms?)
    • app views need a way to express different authorization schemes
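Added example, not from the original notes or from any ATProto project: a minimal deny-by-default evaluator for the (sub, action, target, context) permission check sketched above, the way an AuthNZ proxy in front of a PDS might run it. It also covers the app-specific / device-specific delegation point by letting a grant be bound to a collection namespace, an app identifier and a device identifier. The `Grant` model, the `repo/<did>/<collection>` target encoding, the `app_id` / `device_id` context keys and every DID, NSID and app identifier are constructed assumptions, not a real PDS or ATProto specification.

```python
"""Permission-check evaluator for a hypothetical AuthNZ proxy in front of a PDS.

Added example, not code from the original notes or from any ATProto project.
The (sub, action, target, context) tuple follows the shape sketched in the
notes; the Grant model, the "repo/<did>/<collection>" target encoding, the
context keys (app_id, device_id) and all sample values are constructed
assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class CheckRequest:
    sub: str                     # DID of the principal making the request
    action: str                  # "read", "write" or "delete" (constructed vocabulary)
    target: str                  # "repo/<owner did>/<collection NSID>" (constructed encoding)
    context: dict = field(default_factory=dict)  # e.g. {"app_id": ..., "device_id": ...}


@dataclass(frozen=True)
class Grant:
    """A delegation the proxy has on record: who may do what, where, from which app/device."""
    sub: str
    repo: str                    # owner DID of the repo the grant applies to
    actions: frozenset
    collection_prefix: str       # exact NSID, a dotted prefix, or "*" for any collection
    app_id: Optional[str] = None     # app-specific delegation; None = any app
    device_id: Optional[str] = None  # device-specific delegation; None = any device


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str                  # human-readable, intended for the proxy's audit log


def parse_target(target: str):
    """Split "repo/<owner did>/<collection>" into (owner, collection); reject anything else."""
    parts = target.split("/", 2)
    if len(parts) != 3 or parts[0] != "repo" or not parts[1] or not parts[2]:
        raise ValueError(f"malformed target {target!r}")
    return parts[1], parts[2]


def collection_matches(prefix: str, collection: str) -> bool:
    # "*" matches everything; otherwise match the exact NSID or any NSID beneath the prefix.
    return prefix == "*" or collection == prefix or collection.startswith(prefix + ".")


def check(req: CheckRequest, grants) -> Decision:
    """Deny-by-default evaluation: the first grant satisfying every constraint allows the request."""
    try:
        owner, collection = parse_target(req.target)
    except ValueError as exc:
        return Decision(False, str(exc))
    for g in grants:
        if g.sub != req.sub or g.repo != owner:
            continue
        if req.action not in g.actions:
            continue
        if not collection_matches(g.collection_prefix, collection):
            continue
        # Delegation constraints: a grant bound to an app or device only applies when the
        # request context carries that exact identifier.
        if g.app_id is not None and req.context.get("app_id") != g.app_id:
            continue
        if g.device_id is not None and req.context.get("device_id") != g.device_id:
            continue
        return Decision(True, f"grant {g.collection_prefix}:{'/'.join(sorted(g.actions))} matched")
    return Decision(False, "no matching grant (deny by default)")


# Constructed sample grants. The DIDs, NSIDs and app identifier are placeholders, not real identities.
SAMPLE_GRANTS = (
    # Alice's own full session: any action on any collection in her repo.
    Grant(sub="did:plc:alice", repo="did:plc:alice",
          actions=frozenset({"read", "write", "delete"}), collection_prefix="*"),
    # Bob delegated a notes app on one device: read/write under one collection namespace only.
    Grant(sub="did:plc:bob", repo="did:plc:bob",
          actions=frozenset({"read", "write"}), collection_prefix="com.example.notes",
          app_id="com.example.notes-client", device_id="device-1"),
)


def run_demo():
    """Evaluate a handful of constructed requests; returns {label: Decision}."""
    bob_ctx = {"app_id": "com.example.notes-client", "device_id": "device-1"}
    requests = {
        "alice_delete_own": CheckRequest("did:plc:alice", "delete", "repo/did:plc:alice/com.example.feed.post"),
        "bob_write_notes": CheckRequest("did:plc:bob", "write", "repo/did:plc:bob/com.example.notes.entry", bob_ctx),
        "bob_delete_notes": CheckRequest("did:plc:bob", "delete", "repo/did:plc:bob/com.example.notes.entry", bob_ctx),
        "bob_write_other_collection": CheckRequest("did:plc:bob", "write", "repo/did:plc:bob/com.example.feed.post", bob_ctx),
        "bob_wrong_device": CheckRequest("did:plc:bob", "write", "repo/did:plc:bob/com.example.notes.entry",
                                         {**bob_ctx, "device_id": "device-2"}),
        "bob_touch_alice_repo": CheckRequest("did:plc:bob", "read", "repo/did:plc:alice/com.example.notes.entry", bob_ctx),
        "malformed_target": CheckRequest("did:plc:alice", "read", "not-a-target"),
    }
    return {label: check(req, SAMPLE_GRANTS) for label, req in requests.items()}


if __name__ == "__main__":
    for label, d in run_demo().items():
        print(f"{'ALLOW' if d.allowed else 'DENY ':5} {label}: {d.reason}")
```

Every decision carries a reason string so the proxy can log allows and denies uniformly; a spike in "no matching grant" denials for one app or device is the kind of signal the PDS itself would not see once authorization moves out of it.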