Is there a way to determine if an account is currently logged in to the browser? #2428
I’m not trying to get permission to post or anything, but I have an app I’m working on that will let users select regions of the country they’re interested in, then present a feed of National Weather Service alerts for that set of regions. I’d like a widget to get the DID of the logged-in user, if it exists, or present a login screen to get the DID to save with those preferences. Does such a widget or API endpoint exist? I know OAuth is on the roadmap but a) I don’t know if it’s in yet or b) using Bluesky as an IDP is part of that roadmap. Any suggestions are welcome!
If I understand correctly, you are looking to build a website or app, and want to have the option of users "logging in" with their atproto/Bluesky identity, to provide more personalized content or content in that service.

On the web platform, there isn't really a concept of being "logged in" to the browser or session in general; that is per-web-domain, so users would need to explicitly do a login flow. There would also be privacy concerns if other websites/domains could identify atproto/Bluesky users without an explicit flow/consent.

We are indeed working on OAuth, which would make this kind of flow much smoother. That is probably still a few weeks away from being live in production, though we are hoping to get early sandbox/developer access going a bit earlier (TBD). You can read our proposed plan here:

In the meanwhile, it is possible to use "app passwords" and the existing auth/session system to do logins to arbitrary services. These have a bit less scope of permission and security concern (e.g., can't delete account), but can still create and delete repository records (aka, post and delete posts).

The second component of all this is whether you just want to use atproto/Bluesky for IDP, and store the preference/location info in your own service, or whether you want to persist that info in the user's public repository or private settings. The latter would potentially require more auth scope when using OAuth.
The more I think about it, the fact is that because my app will never act on a user’s behalf, it’s not dangerous to use the resolveHandle atproto method and just have the user attest that they are who they say they are, as it’s just a record of their DID.
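
The app-password login mentioned in the reply above, as an added example that is not code from this thread or from the Bluesky project: it calls `com.atproto.server.createSession`, which succeeds only for someone holding a credential for the account (whereas `com.atproto.identity.resolveHandle` returns the DID for any handle that is typed in), and keeps only the DID. The service URL, the app-password format check, the DID pattern and all function names are assumptions made for illustration.

```javascript
// Added example: prove control of an atproto account with an app password, keep only the DID.
// Assumptions: service URL, app-password format, and every function name here are illustrative.
const DEFAULT_SERVICE = "https://bsky.social"; // assumed PDS; self-hosted accounts use another host

// App passwords are assumed to look like xxxx-xxxx-xxxx-xxxx. Anything else may be the
// main account password, which a third-party app should never be handed.
const APP_PASSWORD_RE = /^[a-z0-9]{4}(-[a-z0-9]{4}){3}$/;
// Assumed shapes for the two DID methods atproto uses (did:plc and did:web).
const DID_RE = /^did:(plc:[a-z2-7]{24}|web:[A-Za-z0-9.%-]+)$/;

function buildCreateSessionRequest(identifier, appPassword) {
  if (!APP_PASSWORD_RE.test(appPassword)) {
    throw new Error("not an app password; refusing to send it");
  }
  return {
    path: "/xrpc/com.atproto.server.createSession",
    init: {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ identifier, password: appPassword }),
    },
  };
}

// Reduce the session response to identity fields. The access and refresh tokens
// are dropped here because the app never acts on the user's behalf.
function identityFromSession(status, body) {
  if (status !== 200) throw new Error(`login failed (HTTP ${status})`);
  if (typeof body.did !== "string" || !DID_RE.test(body.did)) {
    throw new Error("response did not contain a valid DID");
  }
  return { did: body.did, handle: body.handle };
}

// fetchImpl is injectable so the flow can be exercised without a network.
async function verifyDid(identifier, appPassword, opts = {}) {
  const { service = DEFAULT_SERVICE, fetchImpl = fetch } = opts;
  const { path, init } = buildCreateSessionRequest(identifier, appPassword);
  const res = await fetchImpl(service + path, init);
  const body = await res.json().catch(() => ({})); // non-JSON error bodies become {}
  return identityFromSession(res.status, body);
}
```

Store the returned `did` with the user's preferences rather than the handle, since a handle can be changed while the DID stays the same.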