Potential project: decoupling internet auth from web browsers

I made this comment on Hacker News today. It’s a project I’ve thought for a while now would be fun to dig into. I’ll copy the text below:

Something I’ve been thinking about lately is how browsers have essentially become a dependency for any sort of auth on the internet. Pretty much everything uses OAuth2, which requires you to be able to render HTML and CSS, and in many implementations JavaScript.

That’s ~20M (Firefox) to ~30M (Chromium) lines of code as a dependency for your application, just for auth. This applies even if you have a slick CLI app like rclone. If you want to connect it to Google Drive you still need a browser to do the OAuth2 flow. All of this just so we have a safe, known location to stash auth cookies.

It would be sweet if there was a lightweight protocol where you could lay out a basic consent UI (maybe with a simple JSON format) that can be rendered outside the browser. Then you need a way to connect to a central trusted cookie store. You could still redirect to a separate app, but it wouldn’t need to be nearly as complicated as a browser.

I wonder if this app could work with existing browser cookie stores. Do Firefox or Chromium encrypt their cookies in any way? If not, what’s stopping any native app from grabbing login cookies and using them to generate access tokens?