Giving everyone in the world their own HTTP REST endpoint for granting information access to 3rd parties isn't a bad idea on the surface, but I think the implementation here might be a bit too convoluted. I would make an extension to DNS and flow everything based on e-mail address alone, similar to how MX works:
- Your e-mail address is your unique identifier. Just as most sites already use today.
- To participate, domains expose a new DNS record of type, let's say "IX" (information exchange)
- An IX record on domain.com points to an IX server endpoint... which is nothing more than a REST/WebSocket protocol defined by some spec.
The user's experience for logging in to a 3rd party website becomes:
Email: [ Enter your email ]
[ Login ]
User hits Login. The 3rd party does a DNS IX lookup on "domain.com", redirects the user accordingly. By convention:
front-part-of-email@domain.com routes to whatever-ix-dns-record.domain.com/front-part-of-email
With GET params ?scope=[attributes]&callback_url=[3rd party url with state information]. Not too dissimilar to OAuth2.
User is now on their personal "IX portal" and can login and grant the 3rd party access to
the requested attributes or data stores (predefine /photos, /music, /ical, /mail etc with configurable RWX rights.)
Upon grant, the callback url is hit with access token information and the 3rd party can do whatever with the user's data.