#indiewebcamp 2014-04-29

2014-04-29 UTC
#
kbs GWG: kylewm has figured out a way to customize the link to the originating site - details at http://indiewebcamp.com/Twitter_Cards
#
GWG Ok
caseorganic, j12t, aaronpk, caseorga_, paulcp, KartikPrabhu, tilgovi, gRegor`, gRegor`_, paulcp_, snarfed and tantek joined the channel
#
@LongHandPixels But it is not that simple. At least not if you want to building something modular that works for the long term. #indieweb (twitter.com/_/status/460957521147338753)
hallettj_, tilgovi, KartikPrabhu and kbs joined the channel
#
kbs Would someone here with webmentions implemented be able to give me a page that I can use for testing (likely filled with spam mentions)? I'm testing a rudimentary 'check-your-webmention-implementation-and-for-xss' sort of thing
#
kbs so while it gets sorted out, probably will send a some testing mentions to that page :) so something that you can hide away etc would be awesome...
#
kbs *"send a lot of"
#
aaronpk hmm maybe you could use webmention.io for that?
#
kbs oh - didn't realize I could do that - let me look...
#
aaronpk i'm trying to think
#
kbs (hope to hosting this service on appengine - and login with indieauth so people can test their own sites after login)
#
aaronpk so you could do this: curly http://webmention.io/indiewebcamp/webmention -d source=http://example.com/ -d target=http://indiewebcamp.com/spam-mentions
#
kbs that's perfect - thanks much!
#
aaronpk and then retrieve them with http://webmention.io/api/links?target=http://indiewebcamp.com/spam-mentions
#
kbs *nod* nice - thanks!
#
aaronpk cool
#
kbs marches off to dinner and post-prandial coding *wave*
snarfed joined the channel
#
emmak aaronpk: does ownyourgram send the bearer token in an http header?
#
@oalgar IndieWeb - Good reminder to work with but politely disobey the "corporate-owned" Internet. Hele Türkiye'de. http://algarithms.com/post/84186816735/why-the-indie-web-movement-is-so-important#_=_ (twitter.com/_/status/460969361868865537)
#
emmak my provider is running php scripts as fastcgi, and i'm not sure how to get access to request headers
#
aaronpk emmak: yes
#
aaronpk usually you can see it in $_SERVER
#
aaronpk like $_SERVER['HTTP_AUTHORIZATION']
#
emmak its not showing up there
#
aaronpk interesting! what host?
#
emmak dreamhost
#
aaronpk i have a dreamhost acct, one sec
tilgovi joined the channel
#
aaronpk aha http://wiki.dreamhost.com/WordPress_Troubleshooting#Atom_Publishing_Protocol
#
aaronpk yup that works
#
aaronpk add those two lines to your .htaccess file
#
emmak thanks!
#
aaronpk sneaky
#
aaronpk also I *just now* realized the parallel naming scheme of atompub and micropub
#
aaronpk or maybe i had originally thought of that when I called it micropub and just forgot until now
fmarier joined the channel
#
bear :)
#
aaronpk I just had a great idea
#
bear \o/
#
aaronpk so, for anyone who doesn't yet want to build a token endpoint, I want to make indieauth.com able to issue access tokens for you
#
bear ohhhhh
#
aaronpk the problem is then I need to either provide you an API you can use to verify access tokens
#
aaronpk (adding one request to every request to your site)
#
aaronpk or, use an encrypted token so that you can just decrypt it when you get it and verify it
#
aaronpk but that usually requires a shared secret, and I don't want to require any sort of signup and would really rather not store secrets anyway
#
aaronpk so! I thought that at the time I encrypt a token for you, I can use a public key that's on your home page to encrypt it!
#
bear was just typing that
#
bear you should be able to search for a "here is my pgp stuff" link
#
aaronpk that makes sense, right?
#
bear it does to me
#
bear but i'm also not a crypto type
#
bear it seems sane because that's why I publish my pgp public key
#
bear for people to send me messages
#
bear so it should be the same for indieauth
#
aaronpk oh wait
#
aaronpk you need some way to know that the token was actually generated by indieauth.com and not someone else
benwerd joined the channel
#
bear you would sign it with indieauth's key
#
bear which I would get via https GET request
#
aaronpk oh man
#
aaronpk right that totally works
#
bear https only because we should be trusting your cert and verifying it
#
bear you could also have a one time "register" function for an api key that can be revoked
#
aaronpk (in generaly this stuff really only makes sense over https anyway)
#
bear as part of the payload you delivery with the signing package
#
bear nods
#
aaronpk hm yeah that might be easier
#
bear then the person visits indieauth and signs-in
#
bear you generate an api token and present it
#
bear it's a variation on shared secret
#
bear or it is a …
#
aaronpk it's a shared secret, but not used for encryption
#
bear stops as he realizes he is stepping into crypto territory
#
aaronpk where is kbs when you need him
#
bear LOL
#
bear implement it as a test and then point him at it
#
aaronpk ha yeah
#
aaronpk oh hmm I can actually make a token endpoint as a totally separate project from indieauth.com
#
aaronpk it doesn't even have to be written in the same language as indieauth.com
#
bear api tokens as a service
#
bear using indieauth as the auth tool
#
aaronpk i kind of like the idea of making it completely separate too, just to demonstrate that they aren't actually tied together
#
bear +1
#
aaronpk funny thing is all the work that went into the oauth 2 spec is for exactly this purpose, although mostly people expected all the endpoints to be within the same company
#
aaronpk the spec is designed so that the auth server, token endpoint, and actual API share as little state as possible so that it can "scale" in an enterprise environment
#
bear it's a hard problem to solve behind a firewall - and gets hairy with parts distributed
#
aaronpk seems pretty straightforward to me :)
#
bear plus shared or stored state is a security issue
#
bear you've taken the hits mentally getting indieauth in place
#
aaronpk heh
#
KartikPrabhu is there a way to find my first appearance on the IRC?
#
aaronpk i can grep my logs
#
KartikPrabhu aaronpk: a date would be awesome!
#
aaronpk huh it didn't grep them in filename order
#
aaronpk http://indiewebcamp.com/irc/2013-11-28#t1385702200
#
aaronpk although you joined the channel the previous day but didn't say anything
#
KartikPrabhu that works :) thanks
tantek, _6a68 and snarfed joined the channel
#
aaronpk ugh that's enough server ops for one night
#
aaronpk i mean technically it's not enough cause i'm not done
#
bear ops work is never done (serously) - you merely move the marker a bit between "running" and "OMG BROKE"
#
bear entropy is king and we are all playing the fool
#
bear wanders away from his own ops work to see if anything is left of dinner
#
emmak aaronpk: ownyourgram doesn't pass "scope" to my token endpoint, is that intended?
#
GWG So, what is everyone excited about?
#
emmak also, it expects the micropub link to be rel="micropub" and not rel="micropub_endpoint"
#
aaronpk emmak: hmmm yes it should?
#
aaronpk also "micropub" is the correct rel, where does it say "micropub_endpoint"?
#
aaronpk wait no ownyourgram doesn't know about the scope
#
aaronpk you should get back the scope that was requested when you are verifying the auth code with indieauth.com
#
Loqi I agree
#
aaronpk (i found the bad reference to "micropub_endpoint")
#
emmak indieauth only returns a "me" parameter on success, right?
#
aaronpk when using it in this context, you'll get more data
#
aaronpk http://ownyourgram.com/creating-a-token-endpoint
#
aaronpk you'll get back something like "me=http%3A%2F%2Faaronparecki.com&scope=post"
#
emmak i thought indieauth returns json?
#
emmak from the verify endpoint
#
aaronpk ah yeah this is a little confusing because reasons
#
aaronpk so if aaronparecki.com says its authorization endpoint is "https://indieauth.com/auth" then that is the *only* URL on indieauth.com that anything needs to care about
#
aaronpk which means the user will be directed to indieauth.com making a GET request there, and the *same* route will be used to verify auth codes as a POST request
#
aaronpk in this case, it returns a form-encoded reply
#
emmak so i don't need to use indieauth.com/verify?
#
aaronpk and you can ignore any previous docs about the /verify route since that's kind of a special case for the non-authorization version of indieauth
#
aaronpk (eventually with the new indieauth sign-in service i'm making that will be unnecessary and i'll remove it from the docs)
#
aaronpk (i'm literally working on that right now :)
snarfed and realzies joined the channel
#
aaronparecki.com edited /micropub (+584) "/* Verification */ add stub verification section" (view diff)
#
aaronpk emmak: i'm out for the night. good luck with everythign and let me know if you have more questions!
#
@celisdelafuente #IndieWeb Camps create tools for a new Internet. - http://www.slate.com/blogs/future_tense/2014/04/25/indiewebcamps_create_tools_for_a_new_internet.html (twitter.com/_/status/461011399812976640)
#
@TGThomas1701 RT @indieporch: Judy Davis at the premiere of web series 'Enlightens' and 'Chronicles of a Profiler' #indieweb http://indieporch.com/post/80 http:… (twitter.com/_/status/461013242677321729)
benwerd, cweiske, squeakytoy, erikmaarten, voxpelli and brainTrain joined the channel
#
@johnjohnston Reading more about indieweb and POSSE all good stuff http://indiewebcamp.com/POSSE (twitter.com/_/status/461042694954180609)
tobiastom, LauraJ and eschnou joined the channel
#
Loqi [mention] https://checkmention.appspot.com/content/145ac7428e4/f9e5c66ef8ab7cfbf851fe93ed1dfb164d5da080/success linked to http://indiewebcamp.com/spam-mentions (webmention)
jonnybarnes, friedcell, voxpelli, LauraJ, v0 and carlo_au joined the channel
#
@patetikk @t @andyet @indiewebcamp @jeremyzilar @mozilla @nytimes (twitter.com/_/status/461080356406312961)
ttepasse joined the channel
#
Loqi [mention] https://brid-gy.appspot.com/comment/twitter/kyle_wm/458673554335490048/461092116421427200 linked to http://indiewebcamp.com/POSSE (webmention)
voxpelli, LauraJ, ttepasse, jonnybarnes and barnabywalters joined the channel
#
GWG Trying to figure out...if I switched to Bridgy for publishing, not just backfeed, how I'd get the syndication URL back
KevinMarks and j12t joined the channel
#
Loqi [mention] http://david.shanske.com/articles/2014/04/29/design-obsession/ linked to http://indiewebcamp.com/Selfdogfood (pingback)
friedcell, carlo_au and gRegor` joined the channel
#
ben_thatmustbeme quiet morning
#
gRegor` shh
#
@kevinmarks "@MitchWagner: A partial explanation why I started a @Wordpress blog Friday http://t.co/x9ElI1qigX" #indieweb do install the plugins Dan did (twitter.com/_/status/461163155826024448)
eschnou joined the channel
#
@localherodotbiz @LegendaryPKMN stop spamming the indieweb hashtag (twitter.com/_/status/461167313366966274)
KevinMarks and KartikPrabhu joined the channel
#
jonnybarnes I can receive twitter webmentions via bridgy, wonderful.
#
jonnybarnes still not sure about double mentions? https://jonnybarnes.net/note/54
#
aaronpk jonnybarnes: you should be able to de-dupe the mentions
#
aaronpk i haven't done it yet so i'm still showing double comments for people who also posse their comment
#
KartikPrabhu same here
#
aaronpk but the information is all there to be able to detect "oh this comment is actually a syndicated version of this other one" and not show it
#
aaronpk or maybe show an "also posted on" for the comment!
#
jonnybarnes cool, I though it'd be something that needs sorting out our end
#
jonnybarnes as oppose to bridgy
KevinMarks, npdoty, LauraJ, brainTrain, snarfed and _6a68 joined the channel
#
snarfed just indieweb-rsvped to a facebook event with bridgy publish
#
snarfed feels good :P
#
barnabywalters snarfed: awesome!
heath, benwerd and KartikPrabhu joined the channel
#
kylewm jonnybarnes: if you add class="u-syndication" to your twitter link, it will help bridgy and others find the connection
paulcp joined the channel
#
KartikPrabhu kylewm: does bridgy look at usyndication?
#
kylewm KartikPrabhu: yep
#
KartikPrabhu aah didn't know that... should use that to fiddle with webmention duplicates
#
snarfed KartikPrabhu: that was all kylewm's contribution, just recently
#
jonnybarnes like so? https://jonnybarnes.net/notes/
#
snarfed we should add it to the docs
#
kylewm ask and ye shall receive!
#
kylewm that looks good jonnybarnes
#
kylewm snarfed: yes! still have updating the bridgy docs on my todo
#
snarfed oh np! didn't mean to harass you
#
kylewm ha, didn't take it that way
#
KartikPrabhu kylewm++ cool!
#
Loqi kylewm has 8 karma
#
kylewm woo!
#
barnabywalters KartikPrabhu: /original-post-discovert also uses u-syndication or rel=syndication and can be tested here: http://waterpigs.co.uk/services/original-post/
#
barnabywalters if you put a POSSE tweet URL into the in-reply-to field on http://waterpigs.co.uk/notes/new, it’ll automatically discover the original post
#
kylewm jonnybarnes: I got a 500 response trying to send you a webmention just now (I tried a couple times, sorry if it's blowing up your log)
#
kylewm barnabywalters: I love that your post ui is public
#
barnabywalters kylewm: thanks — it’s a micropub client, so if your site supports micropub you can use my UI to post to your site!
#
kylewm whoa really! that's friggin awesome
#
barnabywalters but yeah I’d encourage everyone to make their publishing UIs public
#
kylewm mine would definitely be less embarrassingly ugly if I weren't the only one having to look at it :)
#
barnabywalters as well as exchanging ideas more easily, it’s effective motication to clean it up!
#
barnabywalters s/motication/motivation
#
Loqi barnabywalters meant to say: as well as exchanging ideas more easily, it’s effective motivation to clean it up!
#
jonnybarnes yeah, looking at my log now, never seen the error message before :/
#
kylewm jonnybarnes: sorry if you already know this, you can see the error on Bridgy's side too if you click on recent responses: https://www.brid.gy/log?start_time=1398789956&key=aglzfmJyaWQtZ3lyNQsSCFJlc3BvbnNlIid0YWc6dHdpdHRlci5jb20sMjAxMzo0NjExODI3MzkxMjc4ODU4MjQM
#
jonnybarnes getting this: http://laravel.io/bin/NmJYV
#
snarfed (warms my heart to see bridgy log urls passed around. yay debuggability!)
#
KartikPrabhu barnabywalters: why is it not working with my post http://waterpigs.co.uk/services/original-post/?url=https://twitter.com/kartik_prabhu/status/449032538476929024 here is the original post with syndication http://pin13.net/mf2/?url=http%3A%2F%2Fkartikprabhu.com%2Farticle%2Findieweb-love-blog##syndication
#
@kartik_prabhu The #indieweb or: how I learnt to stop worrying and love the #blog. Comes about a year since I went indie (http://kartikprabhu.com/article/indieweb-love-blog) (twitter.com/_/status/449032538476929024)
#
KartikPrabhu eh Loqi! stop regexing everything!
#
Loqi woot!
#
kylewm jonnybarnes: my guess is that in-reply-to is a "u-in-reply-to" and not a "p-in-reply-to h-cite".
#
kylewm which means properties['in-reply-to'][0] is a string, not a dict
#
barnabywalters KartikPrabhu: good question! I’ll look into it
caseorganic and iangreenleaf joined the channel
#
barnabywalters KartikPrabhu: looks like indieweb/original-post-discovery is parsing the URL in the tweet wrong
#
barnabywalters with a space and ellipsis
#
aaronpk in-reply-to items may be strings or objects, so you have to check for both
caseorganic joined the channel
#
kylewm.com uploaded /Special:Log/upload "uploaded "[[File:kwm-posting-interface-2014-04-29.png]]""
#
kylewm.com edited /Red_Wind (+1924) "Filestore implementation details and updated screenshot" (view diff)
#
kylewm.com edited /Red_Wind (+30) "/* Filestore */" (view diff)
#
Loqi [mention] https://checkmention.appspot.com/content/145ae79771d/6349aff51bcfe538800f87ca18799408bdb6fcc7/success linked to http://indiewebcamp.com/spam-mentions (webmention)
#
kylewm.com edited /Red_Wind (+2) "/* Screenshots */ formatting" (view diff)
kbs joined the channel
#
snarfed aaronpk: thanks (again) for making indiewebify.me so accessible
#
kbs ah, sorry - just realized my little webmention experiment here probably will cause Loqi to become spammy
#
snarfed i keep needing to link the word 'webmention' somewhere, and neither webmention.org nor http://indiewebcamp.com/webmention are approachable enough
#
snarfed but http://indiewebify.me/#send-webmentions is perfect
#
snarfed kbs: it's a rite of passage
#
aaronpk snarfed: that's barnaby and bnvk, not me!
#
snarfed aaronpk: oh? the text, or the whole site?
#
kbs snarfed: okay then :)
#
aaronpk i haven't done much with it at all!
#
barnabywalters snarfed: thanks!
#
snarfed ah ok. thanks barnabywalters and bnvk!
#
aaronpk it would be great to make http://indiewebcamp.com/webmention more accessible too
emmak joined the channel
#
bnvk snarfed: the idea was mine, I threw up the initial flow after chatting with barnabywalters, but he's done the code that makes it useful :)
#
barnabywalters IIRC bnvk stubbed most of the text, then I copy-edited it a bit
#
bnvk yah
#
snarfed it's great. nice work all
#
barnabywalters there’s a growing list of to-dos in GH issues I really need to take a chunk out of soon…
#
snarfed kbs: after i added event rsvps to bridgy, a big event linked to the wiki and invited a bunch of people, and bridgy made loqi flood the channel with thousands of "invited" webmention notifs
#
snarfed no (big) harm done but i still felt bad
#
snarfed barnabywalters: i know the feeling
#
snarfed at least they're in issues! encourages other people to help
#
kbs snarfed: well, am in good company then :)
#
kylewm is it possible to rename files uploaded to the wiki?
#
aaronpk yeah just "move" them
#
kylewm I think I must not have that permission?
#
kylewm is there a move link on http://indiewebcamp.com/File:PostingInterface.png#file
#
aaronpk it's in the nav bar at the top
#
kylewm not on mine, I don't think
#
aaronpk does this work? http://indiewebcamp.com/Special:MovePage/File:PostingInterface.png
#
gRegor` Same here. Think it's admin-only
KartikPrabhu joined the channel
#
gRegor` "You do not have permission to move files."
#
kylewm ah yeah, permission errors
#
aaronpk crazy I had no idea
#
gRegor` Same for moving pages, I believe.
#
gRegor` Which... is probably ok
#
kylewm ha, yes
#
gRegor` Hey, KartikPrabhu
#
aaronpk nah you can "move" pages by copy/pasting content and adding the #REDIRECT tag anyway
#
kylewm it would be lovely if someone would move that image to kwm-posting-interface-2014-03-24.png
#
KartikPrabhu hey gregor`
#
KevinMarks So, what can people on WordPress.com do to connect to indieweb?
#
KartikPrabhu barnabywalters: so it expects there to be an untruncated url?
#
kylewm and by someone, I guess I mean aaronpk ;)
#
gRegor` focuses his thoughts really hard on moving the image
#
barnabywalters KevinMarks: http://indiewebcamp.com/WordPress
#
barnabywalters KartikPrabhu: nope, it’s doing weird things because there’s a non-breaking space in the URL
#
kylewm KevinMarks: I'm curious to hear what snarfed will say, I think he has been thinking about that
#
barnabywalters it’s all coming back now
#
barnabywalters the hours I spent debugging and fixing this problem
#
gRegor` On WordPress dot com, not much. Unless there is an mf2 theme.
#
gRegor` Don't think you can install any plugins either. Or it's a very limited, approved selection
#
snarfed kylewm, KevinMarks: great timing
#
snarfed i'm working on adding webmention support (both directions) to wp.com, tumblr, and blogger right now
#
snarfed through their apis
#
aaronpk kylewm: can you test that Special:MovePage link again? i'm testing out permissions
#
gRegor` Ooh, nice
#
snarfed code is in bridgy master, wp.com and blogger are working, tumblr + disqus should work by tonight
#
KevinMarks Aha. That's neat
#
kylewm aaronpk: still same permission error
#
gRegor` I still get the permission error, aaronpk
#
gRegor` Wonder if we need to re-login to refresh permissions?
#
kylewm whoa!
#
kylewm snarfed++
#
Loqi snarfed has 12 karma
#
@kevinmarks @MitchWagner @WordPress only approved ones AFAIK have a look at http://indiewebcamp.com/WordPress for guidance (twitter.com/_/status/461194402744913921)
#
aaronpk oh there's a special file one
#
snarfed thanks kylewm! feel free to review, more eyes always helps
#
KevinMarks So is there a process to get plugins approved for wp.com?
#
gRegor` The tabindex on the wiki login is weird.
#
kylewm snarfed: I saw you mentioned a “blogs” branch the other day, thought maaaaybe that's what that was :)
#
KevinMarks I can test blogger for you
#
snarfed yup!
#
snarfed merged into master now
#
snarfed KevinMarks: great! i still have some polishing to do, but hoping to announce/launch at hwc next week
#
aaronpk gRegor`: do you see the move page for hte file now?
#
gRegor` I can access the move file special page now, aaronpk kylewm
#
aaronpk yay!
#
Loqi giggles
#
kylewm me too!
#
gRegor` w00t!
#
snarfed KevinMarks: re wp.com plugins, http://en.support.wordpress.com/plugins/
#
Loqi giggles
#
kylewm thanks aaronpk
#
aaronpk wow there's all sorts of permissions http://www.mediawiki.org/wiki/Manual:User_rights
#
gRegor` Yeah. MW is a beast.
#
kylewm.com moved /File:PostingInterface.png to /File:kwm-posting-interface-2014-03-24.png "better, much more specific name to avoid collisions"
#
Loqi [mention] https://snarfed.org/2014-02-11_re-encrypted-webmentions-with-indieauth-besser-als-garnichts linked to http://indiewebcamp.com/indieweb-messaging (webmention)
#
snarfed is testing the webmention form at http://indiewebify.me/#send-webmentions
#
kylewm.com edited /Red_Wind (+16) "/* Screenshots */ update 1st screenshot to new name" (view diff)
iangreenleaf joined the channel
#
snarfed aha, it does work after all, just slow, and i rarely (never?) get a response back
#
snarfed cc barnabywalters, bnvk
#
aaronpk snarfed: is that page a reply to something?
#
barnabywalters snarfed: yep that’s a known bug
#
snarfed aaronpk: one reply url, one mentioned url
#
snarfed barnabywalters: cool
#
aaronpk the page doesn't indicate at all that it's a reply
#
aaronpk the only indication I had was that it starts with "definitely!"
#
aaronpk there's no visible link to the thing you're replying to
#
snarfed aaronpk: true! my reply, like, etc rendering is weak
#
snarfed hence i don't advertise those pages much
#
snarfed it's gotten better since that post, but the improvements haven't all backfilled
#
aaronpk ah ok
#
jonnybarnes kylewm: you're POSSEd reply is now on my site: https://jonnybarnes.net/note/54
#
jonnybarnes I'm not grabbing the url correctly though
#
kylewm jonnybarnes: sweet, resending the original
#
snarfed aaronpk: some of the more recent ones on https://snarfed.org/responses are better, e.g. https://snarfed.org/2014-04-29_twitter-nelson-going-to-dropbox-to-look-at , but only some
#
snarfed (reply contexts iz hard, let's go shopping)
#
aaronpk even just an "in reply to _______" line at the top would be fine
#
barnabywalters snarfed: thanks for the issue comments! really helps us prioritize
#
snarfed barnabywalters: np!
#
snarfed aaronpk: yup. the difficulty is that it'd be inside the e-content, and so most recipients would include it with the comment, which i don't want. moving it outside e-content requires nontrivial wordpress hacking, which i avoid a bit :/
#
aaronpk ah
#
aaronpk right i keep forgetting this is wordpress :)
#
snarfed nothing's ever easy :/
#
kylewm snarfed: you could render the reply-context client side :)
#
snarfed kylewm: huh, interesting. horrible wonderful idea
#
kylewm haha, yes it's pretty vile
#
snarfed i already do that with the fb and twitter embeds, so why not
#
aaronpk ha yeah
paulcp_, caseorganic and brianloveswords joined the channel
#
snarfed caseorganic: just fyi, looks like bridgy's facebook access expired for you. you can click the pause button to renew it: https://www.brid.gy/facebook/31600719
#
snarfed not urgent, but let me know if you saw an fb notification about it from bridgy. hopefully that's still working
#
Loqi [mention] https://checkmention.appspot.com/content/145aeacfd2f/77434b112535b58752d0dd809e163cbc3ee53956/success linked to http://indiewebcamp.com/spam-mentions (webmention)
#
aaronpk how come there aren't tons of implementations of diffie hellman on rubygems or packagist?
#
snarfed checkmention!
#
kbs are you coding raw crypto primitives? :)
#
kbs snarfed: oh - yea - just got the plumbing in place, now to add some actual tests
#
snarfed kbs: exciting! should i try it yet?
#
kbs snarfed: sure, though it doesn't actually run any interesting tests yet.
#
aaronpk kbs: I'm thinking about a token endpoint as a service https://github.com/aaronpk/IndieAuth/issues/50
#
snarfed kbs: np. also consider replacing "domain" with "url" in the indieauth form, since http vs https is significant
#
kbs snarfed: excellent, thanks
#
aaronpk kbs: do you know of a technique for arriving at a shared secret given two sets of public/private keys? (like diffie hellman but with keys)
#
aaronpk oh I guess DH is usually implemented with public/private keys
#
kbs aaronpk: looks like a neat idea :) have to look at it more carefully before too much blabbing. Vis-a-vis shared-secrets (in the context of PGP I assume) hm.. Usually people just encrypt with the other's public key (and possibly their own), as that serves the same functional purpose - but I have a feeling you're looking for some other purpose
gavinc joined the channel
#
kbs would generally avoid using raw primitives - that tends to get into the domain of inventing a new security protocol, which is filled with here-be-dragons territory :)
#
aaronpk kbs: I could accomplish prety much the same thing using PGP to encrypt then sign the message, or even just signing it and leaving it unencrypted
#
aaronpk maybe that's good enough
#
caseorganic snarfed: ok i think i refreshed it
#
caseorganic snarfed: thanks!
#
kbs aaronpk: I'll read your discussion and note more carefully first :) have a feeling I need to understand it a bit more.
#
snarfed caseorganic: you did! np. sad that fb expires it every 2 mos
#
aaronpk i need to do a better writeup
#
caseorganic snarfed: wow yeah!
#
aaronpk kbs: how familiar are you with oauth2?
#
snarfed caseorganic: any chance you saw something from bridgy in your facebook notifications?
#
kbs aaronpk: reasonably well - I've suffered with both ends (provider and client) from oauth 1.a :)
#
caseorganic snarfed: let me look
#
snarfed caseorganic: it should post something when it expires. hoping that still works
#
snarfed caseorganic: thanks
#
caseorganic my OSBridge talk on IndieWeb was accepted!!!
#
snarfed caseorganic: woot congrats!
#
aaronpk ok cool. well oauth 2 dropped all the crypto stuff so it's way easier now, and also allows better separation of auth server, token endpoint and API which is where i'm going with this
#
kbs aaronpk: *nod* oauth2 was a quantum reduction in suffering. I'm trying to come up to speed on your thinking about the indieauth end of it, will ping you again once I do that (or ask some naive questions, mor elikely :)
#
aaronpk cool, would be great to have someone else to bounce ideas off of
#
kbs fwiw, this is tangential, but android has an interesting idea about oauth2 - which is not documented, but which I managed to reverse - http://kbsriram.com/2014/01/inside-the-android-play-services-magic-oauth-flow.html - the've rolled the logic right inside the play service
#
kbs I dunno if this might make any sense should there ever be a 'standard' android client, but that's way way off I suppose...
#
kbs the big take-away I really have is - don't use your personal google account on a rooted android phone :)
#
kbs stops blabbing about android and gets back to work
#
aaronpk i should probably not read that until after I am at all familiar with the concept of the google play services library obtaining access tokens. i don't even know what that is for right now.
#
Loqi yea!
#
snarfed kbs: great writeup! facebook actually does basically the same thing
#
snarfed e.g. our quip app asks the fb app for oauth authorization and a token instead of web
KevinMarks joined the channel
#
kbs snarfed: oh interesting. The last time I looked (a year or so back) it was a bit less overt (ie, the scope-grant logic was still controlled by the server, not pushed into the client)
#
snarfed oh fair point, that part may still be true
#
kbs yea. I think the interesting thing g+ does is mostly that the scope logic is no longer on the server (for all practical purposes) - the client directly decides on what scope to grant, and it has the ability to give anything...
#
kbs ah, ok
#
snarfed i wonder if twitter does anything similar
#
snarfed (or anyone else)
#
kbs dunno - I'm sure both these folks are reversing each other's ideas to see what makes sense :) maybe fb has "caught up" (!) to g+ :)
#
aaronpk wow that's crazy
#
kbs I'm not a big fan of a super-token sitting on the phone
#
snarfed yeah, understandable. devices are temporary
#
snarfed unrelated, but kbs: woot! https://checkmention.appspot.com/log/145aec11631/cdae5f9c4468f76c7ef228deb44209429a33e9a5
#
Loqi does a happy dance!
#
snarfed fun
#
kbs snarfed: :)
legastero, j12t, KevinMarks_ and kbs joined the channel
#
KevinMarks_ irc archive is giving me a 504
#
kbs me too
#
aaronpk crap
#
Loqi lolz
#
kbs joys of ops :/
#
aaronpk i don't understand why this keeps happening
LauraJ joined the channel
#
aaronpk what, now sudo is hanging trying to do anything
#
kylewm sudo sudo make me a sandwich?
#
aaronpk oh that was the classic hostname issue
paulcp joined the channel
#
aaronpk oh weird, it forgot how to dns
#
aaronpk linode's dns servers are not responding for me
#
aaronpk http://status.linode.com/2014/04/fremont-connectivity-issues.html
#
aaronpk "We've identified the connectivity issue to be a network attack on our resolvers in the Fremont datacenter."
#
KevinMarks_ ouch
#
aaronpk ok switched to google's DNS and the site's back up
#
KevinMarks_ http://xkcd.com/1361/
#
kbs haha
#
kbs actually wonders where g+ is heading
#
KevinMarks_ google secretly DDoSing other DNS servers...
#
KevinMarks_ maybe now it gets a leader who doesn't hate APIs
#
kbs aaronpk: don't want to bug you in the middle of your op'sing - but (sadly) need a bit of hand-holding on micropub
#
kbs and how indieauth wants to fit in. I'll check when you have some time
#
aaronpk i think it's ok for now
#
kbs ah, finally got the irc logs too - let me read that first as well...
#
kbs to ask the first (of many no doubt!) baby questions - by 'token endpoint' - does that mean an OAuth2 provider? Ie, the desire to behave like an OAuth2 provider for a client that wants to publish something on an indieweb site?
#
aaronpk "OAuth 2 provider" is kind of a broad term that is not very useful
#
aaronpk oauth 2 splits things up into the authorization endpoint, the token endpoint, and the resource server
#
KevinMarks_ I was trying to make noterlive a micropub client, then I broke it completely. I really should go fix that
#
aaronpk an "OAuth 2 provider" probably includes all three of those things
#
kbs okay, I see - you want indieauth to specifically be in just the token endpoint piece of it
#
kbs *indieauth.com
#
aaronpk indieauth.com is actually just the authorization endpoint
LauraJ joined the channel
#
aaronpk currently you need to build your own token endpoint that issues access tokens (although I'm figuring out the best way to create that as a service too)
#
kbs aaah
caseorganic joined the channel
#
kbs okay - think I'm seeing how the pieces are fitting
#
kbs let me think for a bit
#
@dougmckown Here’s a great intro to the #indieweb and why it’s important. h/t @jeremyzilar http://kartikprabhu.com/article/indieweb-love-blog (twitter.com/_/status/461225563932205056)
#
aaronpk i drew a diagram on the board the other day for bret and emmak, let me post that somewhere
#
aaronpk need a wiki page for these scratch notes so I don't have to put them on /indieauth or /oauth
#
KevinMarks_ how about /auth-brainstorming
#
aaronpk great
#
@wraithgar Well I finally got gitlab running, wasn’t easy for me, should be easier for you http://danger.computer/2014/04/28/gitlab-part-one #indieweb (twitter.com/_/status/461213887967158272)
#
kbs pulls up rfc6749 in the meantime
#
aaronpk also see http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified for a potentially easier to read version
#
KartikPrabhu snarfed: bridgy showing some HTML code "No <a href="http://indiewebify.me/#send-webmentions">webmention</a> support:"
#
aaronpk also wtf happened with that comment on my site
#
KevinMarks_ oauth2 violates the IETF's own rules...
#
aaronpk ?
#
aaronpk what rule?
#
snarfed KartikPrabhu: argh thanks
#
kbs (so normally the site handling the authorization endpoint also drives the token endpoint - hence my initial confusion... *continues reading*)
#
aaronpk "normally" yes, and in oauth 1 it was pretty much required
#
kbs nods
#
KevinMarks_ "IETF standards exist so that people will use them to write Internet programs that interoperate." http://tools.ietf.org/rfcmarkup?doc=fyi17
#
aaronpk oh lol yeah
#
kbs btw - the oauth client flow on android at least is horribly broken security-wise
#
KevinMarks_ "OAuth 2.0 provides a rich authorization framework with well-defined security properties. However, as a rich and highly extensible framework with many optional components, on its own, this specification is likely to produce a wide range of non-interoperable implementations."
#
KevinMarks_ http://tools.ietf.org/html/rfc6749#section-1.8
#
aaronpk one of eran's "parting gifts" to rfc6749 was adding in section 1.8
#
kylewm KartikPrabhu: I got another author name=”Author” from David’s page. can you see if you get it too? http://david.shanske.com/articles/2014/04/29/design-obsession/
#
KevinMarks_ it is an accurate summary
#
KevinMarks_ sadly
#
aaronpk it's true
#
kbs so to ask the dumb question - is the current expectation that the 'protocol' for micropub clients is still evolving (or is it cast in stone, etc?)
#
KartikPrabhu kylewm: I get "David Shanske" correctly for that h-entry. Are you sure you are using the updated mf2py?
#
KevinMarks_ so OAuth2 is unlikely to get from proposed to draft
#
aaronpk kbs: definitely still evolving, see all the "stub" notes here http://indiewebcamp.com/micropub
#
aaronpk although I'm reasonably happy with it as far as creating new posts
#
kylewm arrrgh, sorry KartikPrabhu you’re right
#
kbs aaronpk: gotcha. The reason was mostly
#
kbs if you do end up looking at PGP and so forth, I was just wondering whether all that was needed was for a client app to simply sign its messages
#
KartikPrabhu kylewm: np! :)
#
kbs the indieweb-user's server could then simply have a white-listed set of client-apps that were allowed to post to it
#
aaronpk ah, well i'm trying to keep the crypto stuff out of the core, like how oauth 2 did
#
aaronpk in favor of bearer tokens and https
#
kbs are the bearer token ideas considerd not....
#
kbs :-)
#
aaronpk bearer tokens != crypto
#
aaronpk that said, it is entirely possible to have a bearer token that happens to be an encrypted string. but that's only important to the things issuing and verifying the tokens, not the things using them
#
KevinMarks_ that was part of the oauth2 debate, iirc.
#
aaronpk much of it
#
kbs so at some stage (I think, esp for mobile-apps) they have to verify their app-identity reliably - fwiw, android has gone down the route of using their pubkey signatures as providing this proof. It happens to be implicit on android, simply because the platform was set up this way...
#
aaronpk ah yeah, that's kind of a problem with mobile apps in general right now
#
aaronpk not even in the context of indieweb
sdboyer joined the channel
#
kbs do you have the url to your picture handy? :) I think I'm slowly beginning to appreciate the constraints you're using - sorry, pretty slow here :)
#
aaronpk let me give it a URL :)
#
kbs the goal is very much to continue to work within the OAuth2 framework for micropub clients - is that a fair way to state it?
#
KevinMarks_ that kbs android post is interesting
#
kbs KevinMarks_: yea - it was pretty fun to see how they cracked that particular issue on android
#
KevinMarks_ aaronpk, have you considered coming to IIW?
legastero joined the channel
#
KevinMarks_ benwerd and I will be going, and intend to pitch indieweb and indieauth
#
aaronpk I would more say that authentication should not be tied to micropub, so it should be possible to keep the core of micropub and swap out the auth part if needed later
#
aaronpk and for now, use the most common parts of OAuth 2 since that's what we've got
#
kbs aaronpk: ah, I see - gotcha, thank you :)
#
aaronpk i'm a big fan of modularity in case you can't tell
#
@kevinmarks "Inside the Android Play Service's Magic OAuth Flow" http:///2014/01/inside-the-android-play-services-magic-oauth-flow.html #indieweb (twitter.com/_/status/461231070629728257)
#
@abraham RT @kevinmarks: "Inside the Android Play Service's Magic OAuth Flow" http:///2014/01/inside-the-android-play-services-magic-oauth-flow.html #indieweb (twitter.com/_/status/461231180432433152)
#
kbs cool :)
#
aaronparecki.com uploaded /Special:Log/upload "uploaded "[[File:20140423-indieauth-micropub.jpg]]""
#
kbs thanks aaronpk - looking...
#
aaronparecki.com created /auth-brainstorming (+373) "stub with some notes and sketch" (view diff)
#
kbs I see what you mean about modularity, nice :)
#
kbs so you're thinking of using (in effect) bearer tokens to communicate signed statements of granted privileges between the three endpoints in question?
#
aaronpk maybe?
#
aaronpk ok i have a better writeup on my whiteboard now
#
bret rad!
#
bret my photo of that turned out terribly
#
bret aaronpk what did you use to process that?
#
aaronpk turboscan on iphone!
#
aaronpk it's like magic
#
bret writing a token endpoint doesnt look that hard after peeking at https://github.com/notenoughneon/neonblog/blob/master/token.php
#
bret but conceptually, having JUST the micropub endpoint to deal with would make it easier to explain I think
#
bret ie if indieauth can generate tokens
#
aaronpk cool! yep it isn't hard, but one less thing to think about if you can just use a service
#
aaronpk the goal of course is you can swap it out with your own at any point if you want to, and nobody needs to care
#
kartikprabhu.com uploaded /File:link-frag.svg "based on icon design for fragmentions by Kevin Marks. [[File:highlink.svg]]"
#
KartikPrabhu KevinMarks_: I attempted an icon for fragmentions based on yours: http://indiewebcamp.com/File:link-frag.svg
#
KevinMarks_ that's probably more usable where JonathanNeal wanted it
#
kbs aaronpk: so I'm not totally confused here :) I'm looking at http://tools.ietf.org/html/rfc6750#section-1.3 and is there some slight terminology mismatch between the names you use?
#
aaronpk i don't usually call it "Resource Server" but that's about it
#
@ddewaele RT @kevinmarks: "Inside the Android Play Service's Magic OAuth Flow" http:///2014/01/inside-the-android-play-services-magic-oauth-flow.html #indieweb (twitter.com/_/status/461235434526625792)
#
kbs so in my state of confusion, I interpret the box "authorization server" in the rfc as performing the task done by your box that says "token endpoint" what important thing am I missing? :)
#
KevinMarks_ aaronpk: if I want to post a long article, will form encoding cope?
#
kbs I think the distinctions between "authentication" and "authorization" are a bit fuzzy to me right now (in terms of its intended semantics in various contexts, I mean) -- continuing to try and grok this...
#
aaronpk kbs: the rfc's 'authorization server' should be the same as mine :)
#
aaronpk although in my diagram it's labeled 'authorization endpoint'
scor joined the channel
#
kbs oh, hm... back to the drawing board :)
#
aaronpk haha ok
#
aaronpk i'm going back to my drawing board too, literally
caseorganic joined the channel
#
aaronpk KevinMarks_: form encoding *should* be able to handle it just fine, but there's always multipart encoding so you could send actual HTML
caseorga_ joined the channel
#
aaronpk (basically like uploading an html file)
kevinbae joined the channel
#
@mapkyca Feeling an ever growing love for #indieweb microformats: http://microformats.org/ makes some stuff I want to do suddenly very easy! (twitter.com/_/status/461238300129640448)
#
kbs the rfcs are confusing aaronpk :) http://tools.ietf.org/html/rfc6749#section-3 says "token endpoint - exchanges authorization grant for access grant" - which is how I read your diagram as well. http://tools.ietf.org/html/rfc6750#section-1.3 has the "authorization server" host the "token endpoint"
j12t joined the channel
#
aaronpk oh now I see the confusion
#
tommorris https://www.wikidata.org/wiki/Q16738478 - microformats.org now has a page on Wikidata.
#
aaronpk kbs: the RFC is calling it the "authorization server" and it does both the actual authorization as well as issuing access tokens
#
aaronpk I for some reason thought they had separated those
#
kbs aaronpk: then I don't understand what the A/B steps in rfc6750 mean :)
#
aaronpk oh wait there are two rfc's i'm reading :)
#
kbs yep
#
aaronpk oook one sec
#
aaronpk let me catch up
#
aaronpk rfc6750 is newer to me
#
aaronpk ok yeah OAuth 2 says very clearly that there is an authorization endpoint and a token endpoint http://tools.ietf.org/html/rfc6749#section-3
friedcell joined the channel
#
kbs yep - there's some terminology confusion between 6750 and 6749, and you're using 6749 I assume. In rfc6750 A/B corresponds to your diagram's "authorization server", and the C/D steps correspond to your diagram's "token endpoint". rfc6750 calls the first "resource owner" and the second "authorization server" :)
#
kbs swirls around and muddies the water even more
#
aaronpk yeah the bearer token doc (6750) is lumping everythign together into an "Authorization Server" rather than explicitly talking about the two endpoints
#
kbs hm :)
#
kbs so I think I begin to get what 6750 wants to do, in terms of being modular between the authorization and token-access steps (ie, the A/B vs the C/D)
#
aaronpk i'm writing up a simpler version on the brainstorming page
#
kbs ok
#
aaronpk hopefully it makes things clearer
KevinMarks, paulcp_ and krendil joined the channel
#
aaronpk with concrete examples
#
kbs (I think this is just some nomenclature confusion - both rfcs use the same diagram it seems)
#
aaronparecki.com created /OwnYourGram (+239) "Created page with "{{stub}} '''[http://ownyourgram.com OwnYourGram.com]''' is a service which streams your [[Instagram]] photos to your own site in real-time. After signing in with [[IndieAuth]], ..."" (view diff)
#
aaronpk (needed that for the examples, haha)
j12t joined the channel
#
KevinMarks_ aaronpk: so multipart is supported too? that wasn't clear from the page
#
aaronpk yeah I should add that because ownyourgram actually already has implemented it
#
aaronpk it sends your instagram photos as file uploads to the micropub endpoint
#
aaronpk I didn't expect to need it when I first drafted that page but then of course the first implementation I did required it :)
#
aaronparecki.com edited /auth-brainstorming (+1715) "add "examples" section and document the role of the authorization endpoint" (view diff)
LauraJ and j12t joined the channel
#
kbs aaronpk: thanks - makes sense. I think the confusion (such as it is) is that the nomenclature within the rfc is confusing - probably because it subconsciously wants to both those endpoints within an 'authorization server'
#
kbs *wants to host
#
kbs so for what it's worth - android/google is a big fan of using http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-09 for transporting signed tokens
#
aaronpk I kinda like JWT too just as a signing mechanism
#
aaronpk I should probably look at the actual JWT properties and see if that makes sense here too
#
Loqi fo sho
#
kbs I assume you're planning to mandate the nature of the tokens passed between the three endpoints? Otherwise, be hard to interoperate I guess :)
#
aaronpk hopefully won't need to mandate much
j12t joined the channel
#
aaronparecki.com edited /auth-brainstorming (+1172) "add token endpoint docs" (view diff)
#
aaronparecki.com edited /auth-brainstorming (+24) "/* Request */" (view diff)
#
kbs so to a first approximation, I *think* your idea is that the authorization-endpoint to return a token that asserts: [app=someid, user=someid]-signed-by-authorization-endpoint. This is passed to the token-end-point, which then returns [user=someid, scope=this-permission]-signed-by-token-end-point. Both are finally passed to the micropub endpoint, which can decide whether to honor these assertions
#
kbs the 'mandating' part of it essentially would be the format of these assertions, (perhaps JWT)
#
aaronpk ah yes
#
aaronpk alternately drop any notion of signing and mandating a format and provide APIs to verify them
#
aaronpk currently indieauth.com can be used to verify an auth code as well, see the ownyourgram docs: http://ownyourgram.com/creating-a-token-endpoint##authorization+endpoint+can+be+used
#
aaronpk (also note the real-world use of the fragmention!)
#
kbs :-)
#
kbs so I think I'm finally somewhat vaguely in the same county as your ideas and thoughts on this, sorry took so long :) still digesting ideas to a large extent
#
aaronpk no problem!
#
kbs the one practical thought that strikes me, is that underneath all this is still just two things, which is proving that a user foo is really foo, and that client-app-bar is really client-app-bar - things that are to some extent "put-under-the-rug" by the authorization endpoint
#
aaronpk assuming we do pass around JWT tokens, the question is what value is used to sign them
#
gRegor` client-ackbar? It's a trap!
brianloveswords joined the channel
#
kbs so if I were to put on my pgp hat (which has sadly skewed my thinking too much) there would be well-known endpoints for locating public keys of the user/site, app, and the endpoint services. Something analagous to grabbing it from rel=key links of the user's site
#
aaronpk well it just so happens that every ID here is also a URL that is assumed to have HTML on it, which means a public key could be discoverable that way
#
kbs is that the case for the client-app itself?
#
aaronpk why not!
#
aaronpk client_id=https://ownyourgram.com/
#
aaronpk makes sense to me
#
kbs nods - yep
#
aaronparecki.com edited /auth-brainstorming (+552) "add micropub endpoint details" (view diff)
#
aaronpk ok! so that page has what I want on it now
#
aaronpk it should clearly show the three endpoints and indicate the inputs and outputs of each
#
snarfed kylewm: huh. you're ahead of the curve on https://www.brid.gy/wordpress/kylewm.wordpress.com . :P hopefully the signup buttons were hidden on the front page. did you unhide them so you could sign up?
#
KevinMarks_ I've noticed that once you have fragmentions, using them is very natural
#
snarfed also, i haven't implemented sending wms yet, just receiving them
#
aaronpk KevinMarks_: totally
#
kylewm snarfed: ;) sorry couldn’t help myself. I just put in the urls
#
snarfed np!
paulcp joined the channel
#
aaronpk i love the chrome extension to right click and make them
#
kylewm snarfed: it’s not possible to add microformats2 to a wordpress.com blog is it?
#
snarfed kylewm: no? i assumed you could author html...?
#
KevinMarks_ I want it to copy them too. Maybe that should be 'Copy as fragmention"
#
snarfed kylewm: looks ok: http://en.support.wordpress.com/using-html/ . i assume classes are allowed but i haven't tried yet
#
KevinMarks_ you'd need a template they approved, maybe?
#
kbs aaronpk: if the tokens being passed between endpoints are signed assertions - basic idea makes sense to me :)
#
KevinMarks_ oh, you mean adding rels to links?
#
snarfed KevinMarks: well, classes
#
kylewm snarfed: that is talking about adding HTML inside your posts right? as opposed to adding them to them theme?
#
aaronpk kbs: so what i've got there handwaves a bunch of stuff if these are actually three separate systems
#
snarfed ah, to advertise the webmention endpoint
#
snarfed yeah, i think i checked a while back and you could do that to
#
KevinMarks_ I think you cna add some html, but it sanitizes fiercely, so check
#
kylewm so I sent a pingback from my wordpress.com blog to my real site, and it has a u-in-reply-to but it doesn’t do anything because there’s no h-entry
#
snarfed to a degree
#
snarfed yeah
#
aaronpk e.g. "The token endpoint verifies the authorization code"
#
kbs aaronpk: *nod* I _think_ I get the drift of where you're headed with passing signed assertions as tokens. There's a bit of trickiness with validating public keys themselves, but that's a whole 'nother can of worms
#
snarfed kylewm, KevinMarks: yup, i haven't done much (anything) on the sending side yet. needs research
#
kylewm not sure you need to… wp.com sends pingbacks, and webmention.io can proxy them into webmentions
#
snarfed aha, that's nice. i wonder if blogger and tumblr do too
#
snarfed i was planning to use superfeedr, which will hit a webhook when new posts are created/updated (and send the content w/useful metadata). much easier than polling. but webmention.io sounds great if it will work
#
kylewm i see, my wordpress.com has microformats1
#
kylewm theme^
#
aaronpk snarfed: yeah webmention.io can just forward pingbacks to webmentions
paulcp_ joined the channel
#
kylewm wait that means when mf2py gets backcompatbility, I’ll be able to receive replies from unmodified wordpress.com blogs
#
kylewm that’s pretty awesome
#
snarfed aaronpk: not sure i follow. it looks like webmention.io lets you translate incoming pingbacks to webmentions, ie you advertise w.io as your pingback endpoint and it will send them to you as webmentions
#
snarfed is that right?
#
aaronpk yep
#
Loqi [mention] http://kylewm.wordpress.com/2014/04/29/41/ linked to http://indiewebcamp.com/spam-mentions-kwm (pingback)
#
kylewm oh wow, that worked
#
kbs aaronpk: one heads-up is that I think you might need a separate little dance to prove that some app talking to you is really using a specific client-app's pubkey.
#
snarfed right, ok. i misunderstood kylewm. so kylewm, sounds like you meant, since wp.com sends pingbacks, other sites can accept them if they use webmention.io's proxy
#
snarfed ?
#
kylewm snarfed: exactly
#
aaronpk kbs: so one of the criticisms of OAuth 2 is that it doesn't actually do any sort of client verification because all you need is a bearer token, and bearer tokens can be shared around all day long if you want
#
aaronpk is that related to whaty ou mean?
#
snarfed kylewm: ok. sounds like they'd be complementary. i'd like wp.com (etc) blogs to be able to send normal webmentions too, so recipients get them even if they don't use the proxy
#
kbs aaronpk: more about something before bearer tokens are even issued I guess. So as an authorization endpoint, I get a call that says client_id=https://ownyourgram.com - how can I tell that it's really the ownyourgram client calling me, and not someone else.
#
aaronpk oh gotcha
#
kbs knowing the ownyourgram.com public key doesn't help (directly) because unless I ask it to sign the request, there's no way to do this
#
aaronpk you don't really
caseorga_ joined the channel
#
aaronpk i was thinknig about requiring apps to publish their valid redirect URIs on the home page
#
Loqi [mention] http://kylewm.wordpress.com/2014/04/29/41/ linked to http://indiewebcamp.com/spam-mentions-kwm (pingback)
#
aaronpk so client_id=https://ownyourgram.com would whitelist its redirect uri as a rel value there
#
aaronpk that way at least the auth server won't redirect to a malicious app pretending to be another
#
kbs thinks a bit more
#
kbs I wonder how it might work for mobile-app clients?
#
aaronpk verifying redirect URIs on mobile clients is not really possible right now, cause any app can register the "facebook://" scheme unless the facebok app is installed
#
KevinMarks_ that's a good way to avoid pre-registering the callback URL
grantmacken joined the channel
#
aaronpk KevinMarks_: exactly! avoiding pre-registration is a goal here
caseorga_ joined the channel
#
KevinMarks_ on android, you'd get to choose. On iOS you can install an app witht hat scheme and behavior is undefined
#
snarfed kylewm: plenty of work on this left to do, lmk if you're interested!
caseorg__ joined the channel
#
KevinMarks_ https://developer.apple.com/library/ios/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/AdvancedAppTricks/AdvancedAppTricks.html##no+process+for+determining+which+app+will+be+given+that+scheme.
#
KevinMarks_ https://developer.apple.com/library/ios/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/AdvancedAppTricks/AdvancedAppTricks.html#//apple_ref/doc/uid/TP40007072-CH7-SW18
#
kbs does ios provide a way to get (at runtime) the signature of the currently running app?
#
KevinMarks_ hm, they have evil URLs there
#
KevinMarks_ does break fragmentions
#
kbs is clueless about ios :)
#
kbs but I did like the android approach of leveraging the code-signature to authenticate client apps, if there's something similar for ios it might be one random thought
#
aaronpk huh interesting
#
KevinMarks_ from within a webview, you mean?
#
aaronpk none of this can happen within a webview
#
kbs right. On android at least, if I'm a 'trusted' app - other apps can ask me to make a request to (say) an authorization endpoint on their behalf
#
aaronpk hm what's this https://developer.apple.com/library/ios/documentation/Security/Reference/certifkeytrustservices/Reference/reference.html
#
kbs when I make such a request, I can pick up the signature of the calling app, which then becomes a clear way to identify the app that's makeing the request
#
kbs of course - this relies on there being such a 'trusted' app - which would (conceptually) be similar to relying on indieauth.com as a trusted service
npdoty joined the channel
#
aaronpk apple being the trusted app seems fine
#
kbs :-)
#
aaronpk i still don't think this is required for this to work
#
kbs oh - I think you've got a pretty neat idea :)
#
aaronpk especially cause worst case we are in no worse a situation than every other ios app right now
#
kbs *nod* I've been mostly in too deep in mobile/android apps for a bit
#
kbs hence rather too skewed to looking at it in that context
#
kbs Having the app url register callbacks at a well-known location is a cool idea - neatly sidesteps a lot of the awkwardness
caseorganic joined the channel
#
aaronpk yep and if a mobile app also publishes its redirect URI on its *web* home page then at least there's that
fmarier, legastero and j12t joined the channel
#
kbs KevinMarks_: sorry, late response to webview question - wasn't thinking about that (and I have a whole 'nother rant about apps that use webview to do OAuth on android, but never mind :)
#
KevinMarks_ yes, thats sketchy
#
KevinMarks_ throwing to the OS makes more sense
#
KevinMarks_ though that only works for OAuth to google endpoints, right?
#
kbs yep. But, I really like that google has made it possible to use web-tokens to enable that for non-google endpoints. Tim Bray wrote about this a while back, it's nifty
#
aaronpk any sort of oauth with an embedded web view is not safe
#
kbs looks...
#
kbs http://android-developers.blogspot.com/2013/01/verifying-back-end-calls-from-android.html
#
kbs it still ties in to some degree with google (ie, a google account gets used) but it lets additional endpoints be reliably (== also client-app verified) accessed
#
kbs It basically exposes the same trick (ie, using the play-services app as the 'trusted' app that pulls out the calling app's signature) to mediate access to other endpoints
#
kbs takes back the web-token bit
#
kbs oh, actually - yes. It does use webtokens
#
kbs takes back the takeback ;)
tilgovi joined the channel
#
KevinMarks_ oh, I see, it's a kind of 2-legged OAuth
#
KevinMarks_ neat
#
KevinMarks_ timbray++
#
Loqi timbray has 1 karma
caseorganic, pauloppenheim, caseorga_ and j12t joined the channel
#
aaronparecki.com edited /auth-brainstorming (+375) (view diff)
#
kbs aaronpk++
#
Loqi aaronpk has 437 karma
#
kbs great discussion aaronpk - thanks for bearing with questions and hope to stay abreast of ongoing developments :)
#
KevinMarks_ in which aaron persuades 4 servers he owns to talk to each other as if they were starangers
#
kbs haha :)
#
aaronpk KevinMarks_: :)
#
aaronpk exactly
#
kbs KevinMarks_++ for the usual succinct commentary :) always fun
#
Loqi KevinMarks has 27 karma
scor joined the channel
#
aaronpk yep that's pretty much what's going on with that page, lol
#
KevinMarks_ are they all on the same VPS? that would be even funnier
#
KevinMarks_ the call was coming from inside the house
#
aaronpk lol
#
aaronpk well they are 2 different VPSs, but in the same datacenter
#
JonathanNeal KartikPrabhu, KevinMarks_, that icon is great!
#
KevinMarks_ JonathanNeal: could "make fragmention" copy the URL to the clipboard? Or should that be another menuitem
#
JonathanNeal We could change it to copy fragmention. I might prefer that.
#
KevinMarks_ putting it in the menubar to force it to locate is good, I think, but the use case is almost always "copy this next"
lukebrooker joined the channel
#
Loqi [mention] https://checkmention.appspot.com/content/145af9f7d55/d349bf68f02ff56d898a64c7923bcea272b4df72/success linked to http://indiewebcamp.com/spam-mentions (webmention)
#
Loqi [mention] https://checkmention.appspot.com/content/145af9f7d55/d349bf68f02ff56d898a64c7923bcea272b4df72/xss linked to http://indiewebcamp.com/spam-mentions (webmention)
dybskiy joined the channel
#
JonathanNeal I completely agree.
#
kbs well. Added one test case :) I'll add some more and stick things on github as well - so anyone can continue adding tests. https://checkmention.appspot.com
#
aaronpk nice!
#
KevinMarks_ aaronpk was just saying how natural using fragmentions is now
brianloveswords joined the channel
#
aaronpk so I think I'm going to write up a doc saying "if you are making an auth server, then generate your auth codes like this using JWT so that they can be verified out of band"
#
aaronpk and the same for token endpoints
#
KevinMarks_ invites aaronpk to IIW again
#
aaronpk and then also suggest that both the auth endpoint and token endpoint be an API for verifying their own tokens so people have the option of checking the JWT or just using an API cause that's easier
#
aaronpk looks at when IIW is
#
aaronpk argh next week?
#
KevinMarks_ may 6-8
#
aaronpk bad timing
#
KevinMarks_ ah. well, benwerd and I will be there, we can irc or webcam you in
#
KevinMarks_ where are you?
#
KevinMarks_ (where are you those days I mean)
#
aaronpk I'll be in Portland, I could totally join via webcam
#
KevinMarks_ OK, the net cna be a bti flaky there, but we'll add you in. I think serverl of them will grok indieauth
#
aaronpk cool, and I'll try to get these docs in better shape too
#
aaronpk with diagrams
j12t joined the channel
#
aaronpk hmm i'm annoyed that JWT basically re-named everything
#
aaronpk and the 3-char abbreviations, while small, are not very readable
KevinMarks joined the channel
#
aaronpk and what happened to the "scope" value?
#
KartikPrabhu JonathanNeal: re: icon thanks! Also I'm failing at making a javascript fragmention copier :( Latest here: http://kartikprabhu.com/static/demo/fragmention.html but it fails miserably on mobile.
caseorganic joined the channel
#
GWG kylewm, knew about display none. I was thinking about the aesthetics. I St
#
GWG ill think I need a different picture
#
kbsriram.com edited /xss (+551) "pointer to checkmention.appspot.com and github link" (view diff)
#
kbs snarfed: if you're awake - there's one (1) test on https://checkmention.appspot.com - :) please do let me know about better copy, etc. It was cooked in the throes of insomnia last night, so probably have done a bunch of things screwy.
#
snarfed kbs: hey, sure! trying now
#
snarfed kbs: looks good…? https://checkmention.appspot.com/log/145afbfeab2/61a5357c6239a623b15f5462a50635ddd53de367
#
kbs snarfed++ - cool :) and thanks for testing
#
Loqi snarfed has 13 karma
#
aaronpk crap now i'm confusing myself
brianloveswords joined the channel
#
aaronpk that usually means it's time to go for a walk. brb.
brianloveswords, brianlov_ and caseorganic joined the channel
#
snarfed kbs: ok the tests are pretty damn cool. and they even have appropriate icons!
#
snarfed kbs++ for polish
#
Loqi kbs has 3 karma
#
kbs heh
#
snarfed i want to keep those two comments on at least one of my pages. not sure which
#
kbs There's a little vestige of the javascript:alert('foo') on the a href link
#
snarfed yeah, true
#
snarfed meh
#
kbs I wonder if I should also add javascript:javascript:alert('foo') just to cover that extra case
#
kbs assumes snarfed will not be caughtout by this of course :)
#
snarfed heh, nope, and it's on my head anyway. i clicked on something on the internet :P
#
kbs :)
#
kbs (Be happy to add more tests if someone has any to throw my way. https://github.com/kbsriram/checkmention etc.)
KevinMarks_ joined the channel
#
JonathanNeal whoa, what’s a checkmenion?
#
kbs oh, my little last-night-coding-spree to test XSS within webmentions
#
kylewm kbs: maybe javajavascript:script:alert()
#
kbs kylewm: haha - you have a devious mind :)
#
kbs adds
#
kylewm hehe
gRegor`_ joined the channel
#
snarfed btw kbs feel free to run new tests on my site yourself. (i know it's nice to have test cases.) i'll see them come in, so i can clean them up later
#
kbs snarfed: ah, great - thank you much. Is there a particular page I could use? One of the urls you've already used?
#
snarfed anywhere!
#
kbs oh, okay :)
gRegor` joined the channel
#
aaronpk the checkmention log shows my own webmention status URLs :D https://checkmention.appspot.com/log/145afda7a31/c605693431cb9d9670518ce1104ea2bc591430a9
#
aaronpk https://aaronparecki.com/webmention/vg9sXQ9X
#
kbs oh, how interesting
#
kbs and, handy :)
#
kbs hm, wonder why it failed to detect the link
#
kbs looks long and hard at https://checkmention.appspot.com/content/145afda7a31/c605693431cb9d9670518ce1104ea2bc591430a9/success
#
kbs not seeing an obvious (to me :) markup issue there - would sure like to know why that one didn't show up
#
aaronpk is it the line break in the href?
#
kbs yea, that's what I was thinking too
#
kbs legal, but probably parsers would find that ticklish?
#
kbs fixes method called cheapTrick() ;-)
mko, scor and npdoty joined the channel