@dansup This is almost what I was hoping for. I'd suggest though making the auth hub it's own identity/service so that it could more easily be stood up by site builders who are looking for SSO to multiple services on the same domain, ie: I'd like to sso pixelfed.domain.tld/firefish.domain.tld/friendica.domain.tld and have something like passport.domain.tld

Ideally the account itself should be portable to another auth instance as well, say someone is going offline.