Usernames can be represented as whatever, but they're not the user IDs.
Peertube implements ActivityPub and uses username@server instead of @username@server, and so does Pixelfed. Funkwhale uses https://hostname.tld/federation/actors/Alice as their ActivityPub identifier (they support multiple federation protocols) and doesn't have a clear representation of user + domain as far as I can tell.
There is no mention of "identities" or "identity" in the spec either.
So if a person is available via ActivityPub, how do they reference their "identity"? When you want to say "Follow me via ActivityPub: ..." - what is "..."? The most common form I see is @username@hostname. Is there a more universal form? How does a Pixelfed user do it?
The most common form is @username@hostname, sure, because it's convenient, and also because doing a webfinger lookup of that is more generic - a webfinger response can include far more than AcrivityPub endpoints.
But specifically for ActivityPub the URL works just fine (try pasting it in the Mastodon search box, for example, and up pops the user details exactly as if you'd used @user@host)
You say "the url works" as if there is a clearly defined url for every Fediverse user. But the way I read the specs, that is not the case.
Some servers link you to hostname/users/username, some use hostname/@username, some use hostname/username when you look up a user via webfinger.
And the way I read the specs, those don't have to be permanent. A server could change their scheme from hostname/users/username to hostname/u/username and would not violate the protocol. Because the way to identify the user is via a webfinger lookup.
Maybe the only way to say who you are on the Fediverse is "I am <username> on <hostname>. Look me up through Webfinger"?
> You say "the url works" as if there is a clearly defined url for every Fediverse user. But the way I read the specs, that is not the case.
There is a clearly defined URL for every Fediverse user, but not in the sense you mean (there isn't a static or predictable mapping from user@host to URL). The Fediverse is a graph of Person actor urls, not @user@host ids. The Webfinger lookup functionality is used because it makes things more flexible for users and because webfinger allows for a single identity to refer to multiple different types of services and resources, but my followers servers and the servers of those I'm following knows me as https://m.galaxybound.com/users/vidar even though @vidar@galaxybound.com is what I use.
> And the way I read the specs, those don't have to be permanent. A server could change their scheme from hostname/users/username to hostname/u/username and would not violate the protocol. Because the way to identify the user is via a webfinger lookup.
See my other comment. A user is identified via a webfinger lookup when trying to determine which Person Actor @mg@masto.ai refers to. But in almost every other context the only thing that is stored is the URI of the Person actor. If that changes without using the (not in ActivityPub; new) move functionality, you're effectively creating a new identity, and quite a few servers do not yet support the move functionality, so while you can change @mg@masto.ai at a whim and nothing will break, changing the URL is what you need to be careful about (too careful, as I've noted elsewhere; the better support for migrating your data is pretty much the only thing I like about Bluesky)
Since more people are trying to prove you wrong, I’d argue it can’t be too late for Mastodon to fix that username scheme used in the frontend app. And agreed that double @ is stupid.
Mastodon supports URI's in the UI, and resolves @user@host names to profile URI's when you post as it is, so the use of webfinger is almost entirely a presentation/convenience issue anyway. I also dislike the double "@", but I get the thinking that starting "@" has to some extent become a signifier that what follows is a social handle.
That is one of the aliases. The same holds true for ...
https://masto.ai/users/mg
https://masto.ai/@mg
... and the server could povide as many aliases as it wants to.
I wouldn't call those "identities". As the server could just change the aliases and the handle "@mg@masto.ai" would still work. Because it resolves to whatever aliases the server provides via the webfinger endpoint.
I have not seen anything in the specs that says the aliases are identities or should stay the same over time.
Notice the people you are following are referenced by URL. If you try /followers instead, and look up the following URLs of some of your followers, you'll find that they follow you by the URL
@mg@masto.ai can change and nothing will happen (even old mentions should still work, as at least Mastodon resolves the mentions to the Actor url and includes a mapping in the post). But if the https://masto.ai/users/mg URL changes, you will need to trigger a move, or you'll lose your followers, because from their servers point of view, that URL is your identity or in ActivityPub speak it's the identity of your Person Actor and for most purposes that's all ActivityPub cares about.
So while you can introduce aliases in webfinger, and for the purposes of webinger your id is mg@masto.ai, if the primary ID of the ActivityPub Person actor changes, you need a "movedTo" element to point to the new one, an "alsoKnownAs" to point to the old one, and trigger notifications to the servers of your followers and following for things not to break horribly. See e.g.:
This is not in the ActivityPub spec - it was added as an extension as people started to want to be able to move more smoothly.
(I personally don't like this dependency on the old server in the move process, and so one of the few things I actually like about BlueSky is the ability for a user to take their data to a new server unilaterally; that could be fixed for the Fediverse without an entirely new protocol, however - it just needs a mechanism similar to the recovery key mechanism of BlueSky to let users prove who they are on a new server)
In effect, you have two identities in the Fediverse:
Changing the former, or adding more of them (you can even just add a redirect on your own domain and user@yourowndomain will work and resolve to your https://masto.ai/users/mg identity; this is how my Mastodon is on m.galaxybound.com but my preferred Mastodon handle is @vidar@galaxybound.com without the "m."), is easy. Changing the latter is complex (more than it should be).
curl -H "Accept: application/json" https://masto.ai/users/mg/following?page=1 | jq .
Notice the people you are following are referenced by URL.
That we can see entries of the form hostname/users/username in the output of a that specific curl command is proof that it is the identity of a user as defined by the ActivityPub protocol?
Shouldn't we be able to look at the ActivityPub specs and see how the identity of a users is defined?
'In ActivityPub, a user is represented by "actors" via the user's accounts on servers.'
and:
'All Objects in [ActivityStreams] should have unique global identifiers. ActivityPub extends this requirement; all objects distributed by the ActivityPub protocol MUST have unique global identifiers, unless they are intentionally transient (short lived activities that are not intended to be able to be looked up, such as some kinds of chat messages or game notifications). These identifiers must fall into one of the following groups:
1. Publicly dereferencable URIs, such as HTTPS URIs, with their authority belonging to that of their originating server. (Publicly facing content SHOULD use HTTPS URIs).
2. An ID explicitly specified as the JSON null object, which implies an anonymous object (a part of its parent context)'
and:
'All objects have the following properties:
id
The object's unique global identifier (unless the object is transient, in which case the id MAY be omitted).'
So a user is represented by an Actor, an Actor must have a global identifier, and that global identifier is the "id" field in the JSON. https://masto.ai/users/mg in your case.
(You may also search the ActivityPub spec for "webfinger"; it is not mentioned - it's a convenience offered by implementations like Mastodon, and not required by the ActivityPub spec at all; your interop with Mastodon will be harmed if you don't support it, but it'll work - users just need to input your url instead)
EDIT: to further underline the relationship of Webfinger to ActivityPub, look at the section for Actor's [1], and how the use of webfinger lookups violate the spec ("otherwise, the entered value should be considered invalid") - it's an extension/change used by things like Mastodon for user convenience, and not part of ActivityPub itself at all.
That's pretty cool. So the ID of an ActivityPub actor is simply a url.
That is great.
I think Mastodon should have made it so that the url for their users is hostname/username and that is their ID as well. That would have prevented a ton of confusion.
I think there'd have been confusion either way, with people expecting to put the URLs into a browser rather than a social app, especially as there's no uniform way of recognising that they're Fediverse-related without visiting the URL first, so I think having an indicator of that there is worth it, but e.g. the masto.ai/@mg style URL are a lot better than the masto.ai/users/mg.
The webfinger support also potentially enables some cool functionality by letting users use the same handle for multiple services. That said, I'd love to see someone set up a webfinger service that 1) lets people bring their own custom domains, 2) shows a linktree style UI if you hit host/username, 3) optionally redirects or transparently caches certain settings, 4) offer to transparently redirect requests to the user page a given resource based on Accept: header where possible (e.g. ActivityPub/ActivityStreams technically expect 'application/ld+json; profile="https://www.w3.org/ns/activitystreams" ' with the caveat that the "profile" bit is likely to be left out by a lot of clients)
My handle is @mg@masto.ai
What is my "AP identity" in your interpretation of the AP protocol?