why don't you think this would work? Technically this is basically "the (SP) site trusts another (IDP) site to sign/encrypt a JWT containing some custom assertions". The user would go to the SP, get a signed blob (session nonce / expiry / whatever), take that to the IDP, log in there, IDP creates a JWT with the original blob plus any assertion you allow, you post the JWT back to the SP, SP decrypts the IDP packet, gets its own nonce, ties you to the session, done. There are also obviously better ways (https://blog.cloudflare.com/privacy-pass-standard/ possibly some variation of zero knowledge proofs) but technically this seems like a solvable problem. Money-wise the IDP or in general verifier can charge users for an account and/or generated assertions.
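The three-party flow sketched in the comment above, written out as an added example (not code from the thread or from any real SP/IdP): the SP issues a signed challenge bound to its session, the IdP authenticates the user and wraps that challenge untouched in its own signed JWT together with the assertions it vouches for, and the SP then checks both signatures, both expiries, and that the nonce is used only once. HMAC-SHA256 (JWS HS256) with stdlib only is an assumption made to keep the example self-contained; all key names, claim names and sample values are constructed.

```python
import base64, hmac, hashlib, json, secrets

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jws_sign(payload: dict, key: bytes) -> str:
    # Minimal compact JWS (HS256). A real deployment would use an asymmetric alg
    # so the SP holds only the IdP's public key; HMAC is assumed here to stay stdlib-only.
    header = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64u(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64u(sig)}"

def jws_verify(token: str, key: bytes) -> dict:
    header, body, sig = token.split(".")
    if json.loads(_unb64u(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64u(body))

# Step 1: SP issues a signed challenge carrying a fresh nonce, the session id and an expiry.
def sp_issue_challenge(sp_key: bytes, session_id: str, now: int, ttl: int = 300) -> str:
    return jws_sign({"sid": session_id, "nonce": secrets.token_hex(16), "exp": now + ttl}, sp_key)

# Step 2: IdP (after logging the user in) embeds the SP challenge verbatim plus its assertions.
def idp_issue_assertion(idp_key: bytes, challenge: str, assertions: dict, now: int, ttl: int = 60) -> str:
    return jws_sign({**assertions, "challenge": challenge, "exp": now + ttl}, idp_key)

# Step 3: SP verifies the IdP signature, then its own challenge inside it, then burns the nonce.
def sp_verify(sp_key: bytes, idp_key: bytes, token: str, now: int, used_nonces: set):
    outer = jws_verify(token, idp_key)
    if outer["exp"] < now:
        raise ValueError("assertion expired")
    inner = jws_verify(outer["challenge"], sp_key)
    if inner["exp"] < now:
        raise ValueError("challenge expired")
    if inner["nonce"] in used_nonces:
        raise ValueError("replayed challenge")
    used_nonces.add(inner["nonce"])  # single use: a captured token cannot be posted twice
    claims = {k: v for k, v in outer.items() if k not in ("challenge", "exp")}
    return inner["sid"], claims
```

The SP never trusts anything in the IdP token until it has recovered and verified its own challenge inside it, which is what ties the assertions to the browser session that started the flow.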
pier25|6 months ago