Surprise ending: a favorable review of OpenID. With the introduction of a dystopian video game and the description of confusing, tortuous rules, I never expected this to be a sub rosa advertisement for OpenID's simple, flexible, and versatile authentication!! So, tie me to the rack and poke me with the soft cushions.
If OpenID stops at embracing WebAuthn and making it a common login method, allowing people to use their own separate WebAuthn implementations, that's fantastic. They can make it easy mode for normal users, while letting companies and security-conscious individuals use whatever WebAuthn client they want.
Those two are fundamentally/conceptually incompatible, aren't they? WebAuthn is about the user having ownership of their own identity (as proven by them holding the keypair(s)), while OpenID (and OpenID Connect) is about identity never being owned but always provided by a third party (even if this third party is technically the same person).
One thing to mention about this is the integration breaks when GitHub updates their SSL certificate and the thumbprint changes. It's a simple fix to update the thumbprint in AWS IAM, but something that bites you yearly. So if you can't get credentials about a month before November 7, 2023, check the thumbprint.