#indiewebcamp 2014-05-01

2014-05-01 UTC
kbs, KevinMarks_, emmak, saurik, tantek and KartikPrabhu joined the channel
#
tantek
Anyone here play with avatars.io to show icons for things from silos?
#
tantek
E.g. this "just works" to redirect to the image: http://avatars.io/twitter/t
#
tantek
as in you can put that in an <img src>
dybskiy joined the channel
#
KartikPrabhu
tantek: is there a good reason to do that?
#
tantek
KartikPrabhu: for those of us who are not yet reading/parsing tweet permalink URLs, it gives a way to show an avatar icon purely by extracting a twitter username from the tweet permalink URL
#
KartikPrabhu
tantek: oh i see. Right now the only silo interaction I do is through bridgy which just gives me the avatar. Would be useful when I parse tweets myself
#
tantek
KartikPrabhu: right. Currently I'm not even handling bridgy webmentions yet (or any), however I am showing minimal reply contexts (just URL).
#
tantek
so I might use it as a lazy small improvement in my reply-contexts - that's the specific use case, so I thought I'd share
#
KartikPrabhu
yup. i should do reply-contexts and this would be useful...
#
tantek
I like to do the lazy small improvements to set an example that it's ok to do so :)
#
tantek
KartikPrabhu: even just showing the URL and noting that your post is a reply is useful, e.g. http://indiewebcamp.com/reply-context-examples#Tantek
#
KartikPrabhu
tantek: I do have that :)
#
benwerd
so avatars.io is interesting, although I wish it was a JS library rather than a centralized service
#
benwerd
but for lazy developers like me, A++ idea
#
tantek
KartikPrabhu: Great! Take a screenshot, upload to the wiki, and add yourself to the end of: http://indiewebcamp.com/reply-context-examples#Indieweb_Examples
#
tantek
benwerd, see the bottom of avatars.io home page - I think much of it is on github so you can DIY on your own server
#
tantek
kind of like Bridgy. hosted service, or deploy on your own server.
#
tantek
which is a good pattern. does that have a name? would like to document examples of that.
#
benwerd
I don't know, but it's a pattern I have every intention of contributing to
#
tantek
KartikPrabhu: that's a very nice reply example btw - showing both a reply-context and a follow-up reply from Twitter.
#
benwerd
not sure if it has a name
#
benwerd
(interesting that it comes from the Chute folks)
#
tantek
benwerd - feel free to make up a name :)
#
KartikPrabhu
tantek... thanks that's the one I'll add then :)
#
tantek
also it's interesting that you're able to display and style the *follow-up* from Twitter so nicely, yet not the original reply-context. Because technically they're the same right? They're just both tweet permalinks.
#
KartikPrabhu
tantek: the follow-up is due to bridgy sending mentions! I'm planning to adapt some of the bridgy code to do reply-contexts ;)
#
kartikprabhu.com
uploaded /File:KP-reply-context.jpg "Reply contexts on kartikprabhu.com"
#
tantek
KartikPrabhu: interesting - I wonder if there is a way to just use Bridgy to retrieve the bits of a tweet like that
#
tantek
^^^ snarfed
#
KartikPrabhu
tantek: not directly, but one could adapt the activity-streams code to generate microformats version of a tweet
#
tantek
aaronpk heads-up, check your old permashortlinks, e.g. http://aaron.pk/2DX
#
tantek
KartikPrabhu: yeah - something like that
#
KartikPrabhu
that is my plan :)
#
tantek
maybe we need an equivalent of avatars.io
#
tantek
like hentry.io :D
#
KartikPrabhu
ha! that would be nice...
#
aaronpk
tantek: oops! thanks
#
KartikPrabhu
.io is expensive though...
#
tantek
snarfed - what do you think of breaking out the hentrification code from Bridgy / AS to a service like hentry.(pick-a-tld)
#
tantek
parallel to avatars.io
#
tantek
where you could simply put the permalink as a path like hentry.io/twitter.com/craigmod/status/428681469402169344 and have it return a minimal hentry the same way Bridgy does?
#
kartikprabhu.com
edited /reply-context-examples (+235) "/* Indieweb Examples */ added me-self"
#
tantek
use-case: easier reply-contexts for silos
benwerd joined the channel
#
KartikPrabhu
tantek: hentri.es ?
#
aaronpk
hm I let neverusethisfont.com expire about 2 years after returning 301 redirects for all the URLs, but apparently forgot about all the shortlinks!
#
tantek
KartikPrabhu: nice
#
tantek
and somehow my "Recent Articles" box broke recently. drat.
#
aaronpk
the best part about fragmentions is even if the browser / server /whatever doesn't support it, or if there's a bug, I still can figure out what the heck the link is mentioning
#
tantek
aaronpk - yeah, the manual human-readable fallback is quite nice
#
tantek
it's like escalators
#
aaronpk
ha yeah
#
tantek
work as stairs even if the power is off
#
KartikPrabhu
that is my fav example to explain "progressive enhancement" :)
lukebrooker joined the channel
#
aaronpk
kbs: not sure if you saw my note from last night, but I'm pretty sure there's no good reason to use self-encoded tokens for the authorization code
#
aaronpk
because you end up needing to make an HTTP request anyway in order to fetch a key
#
aaronpk
so you may as well use that HTTP request to verify the auth code and just be done with it
#
kbs
aaronpk: oh, didn't see it -- reading..
#
kbs
I see, okay. Typically though, the public key requests are cached for some duration, usually specified by the provider of the public key
#
tantek
a-ha! found it. teaches me to use an & in a blog post (article) title. ahem.
#
aaronpk
kbs: yes, although in practice most of the time logins may be from domains you haven't ever seen before
#
aaronpk
so caching will have a marginal effect
#
kbs
would the public key be issued by the authorization service, rather than the login itself?
#
kbs
thinks for a bit
#
tantek
and fixed! Recent Articles box back. :)
#
aaronpk
so i realized this after trying to implement a token endpoint as a standalone project
#
GWG
tantek: It was missing?
#
kbs
aaronpk: at any rate - dunno if you saw the other blather I put on the page. Thought there might be a simplification of the authorization endpoint possibly
#
kbs
which would also simplify the token endpoint
#
tantek
GWG yeah I broke it with a blog post this past Sunday
#
aaronpk
oh yeah, hmm let me read that again
#
GWG
tantek: Did anyone ever post the pictures from Saturday?
#
tantek
and *just* noticed it was missing. ahem. yay for instrumenting code with debugging to help track this kind of stuff down.
#
Loqi
giggles
#
KartikPrabhu
question: is there some way/recommendation for having paginated h-feed?
#
aaronpk
rel=next and rel=previous?
#
aaronpk
kbs: hm i'm not really sure I follow that, especially cause the example is with a mobile app
#
KartikPrabhu
aaronpk: I guess that works!
#
aaronpk
also I'm trying to (re)invent as little as possible, just building on top of OAuth
#
kbs
aaronpk: ah - you can substitute mobile-app for web-app - the mechanics are identical
#
aaronpk
"user installs these keys on their mobile device" <- seems a little hand-wavey here?
#
kbs
with google authenticator
#
aaronpk
what if you don't have a mobile device
#
kbs
then it doesn't work
#
tantek.com
edited /2014/SF (+184) "add photo, move TOC down"
#
aaronpk
ok then that seems like something else then, or maybe an optimization on top of everything else
#
aaronpk
I *am* a fan of TOTP (I have a bunch of TOTP secrets on my pebble watch which makes for great demos on stage!)
#
GWG
aaronpk: I am nervous about having it on my Pebble
#
aaronpk
GWG: cause you might lose the pebble?
#
kbs
sure, it's one of many approaches :) lack of a mobile device for people hosting indiewebsites didn't seem too problematic, and the rest of the flow is pretty simple - but anyway -- it's a thought
#
GWG
aaronpk: The software, actually
#
aaronpk
kbs: at least the nice thing about TOTP is it doesn't require an active internet connection, so you can still use the code generator when traveling w/o data or in bad network conditions
#
aaronpk
GWG: the software? how so?
#
tantek.com
edited /2014/NYC (+276) "add photos, move toc down"
#
GWG
The 1.0 to 2.0 transition was a bit rocky
#
kbs
(aaronpk: I guess to actually _use_ the code you'll need a connection of some kind :)
#
aaronpk
GWG: oh yeah.. i haven't updated to 2.0 yet
#
aaronpk
tantek: i'll add my remote participation photos!
#
tantek.com
edited /2014/NYC (+0) "move TOC up"
#
kbs
btw, the other thought there is (I think) likely many interesting third-party posting opportunities sit on mobile devices
#
kbs
so there might be something there as well
#
aaronparecki.com
edited /2014/NYC (+180) "add remote participants screenshot"
#
KartikPrabhu
holy #$@! that is an awesome bear-d!
#
kbs
(also, mobile device is only needed during the initial app setup - it's functionally exactly what the remote authorization endpoint does.) Anyway :) I'll toss it up there and see if maybe some parts of it look useful
#
aaronpk
kbs: ok cool. bonus points if you can point to some existing implementation / spec that does that
#
aaronpk
i'm trying to (re)invent as little as possible and just build on top of OAuth 2.0
#
tantek
aaronpk - nice talky.io shot!
#
kbs
*nod* - nope - this would be closer in spirit to what google did, rather than strictly following the oauth spec, where all the endpoints are strictly located remotely
#
aaronpk
tantek: thanks!
#
aaronpk
kbs: well if google shipped it, that's a plus
#
tantek.com
edited /2014/NYC (+0) "push TOC down"
#
kbs
closer in spirit :) but I have a feeling the constraints you're working with don't match well with this idea :)
#
kbs
back to drawing board, etc
#
tantek.com
edited /2014/NYC (+162) "move TOC down even further, note IRC archives for more info"
#
tantek
lunchtime here in Melbourne. bbiab.
#
GWG
Melbourne?
#
GWG
Florida?
#
KartikPrabhu
GWG: lunchtime would indicate Melbourne, Australia
#
GWG
He was just here.
#
GWG
Is this a...where in the world is tantek situation?
#
tantek
pretty much
#
GWG
Then why does your site say...current city, San Francisco?
#
GWG
Shouldn't it say Melbourne?
#
KartikPrabhu
man tantek! you got called out!!
#
kbs
naturally, ip addresses don't lie :)
#
GWG
I wasn't aware I should be checking the IP addresses of people I chat with
#
KartikPrabhu
how the F did you track his ip?
#
kbs
sorry :) just making a rather poor joke
#
kbs
oh, just /whois
#
KartikPrabhu
aah! of course :)
#
aaronpk
connects through a bouncer so it just looks like i'm always in fremont
#
kbs
^^ :-)
#
GWG
aaronpk: Mine is in Buffalo.
#
kbs
(and then there are those who mess with their ip address just to tee off everyone else :)
#
tantek
GWG - because that bit of static content on my home page is not yet updated automatically with say the last city I checked into ;)
#
tantek
and all my posts are still in Pacific Time even though I'm in Melbourne
#
GWG
I thought it was dynamic.
#
GWG
Sorry.
#
GWG
tantek: So...you were in NYC on Sunday. Where did you go after that?
#
tantek
GWG Monday was NYC->SFO->Auckland->Melbourne and then it was Wednesday. I didn't experience Tuesday.
#
GWG
Air New Zealand?
#
aaronpk
"I didn't experience Tuesday" <- LOL awesome
#
aaronpk
oh man what am I going to do about revoking tokens
#
aaronpk
with self-encoded tokens really the only way to be able to revoke tokens is to issue short-lived tokens that have to be refreshed often
#
kbs
fun to complicate things :)
#
kbs
do you think it might be simpler to have tokens revoked directly by the resource endpoint itself?
#
aaronpk
like the resource endpoint is responsible for blacklisting tokens basically?
#
kbs
yea, also for showing its activity, tracking etc
#
aaronpk
possibly yes
#
aaronpk
looking at this another way, what are the common reasons for revoking tokens?
#
aaronpk
1) user "uninstalls" an app and wants to make sure it can't post ever again (actually blacklisting all tokens from the app in that case)
#
aaronpk
2) user sees suspicious tokens in their history and wants to clean up the list of active tokens to only known ones
#
aaronpk
for #1 i'm thinking of the facebook example where you can click on a post on your wall and click "hide post" and then it asks "do you also want to stop this app from posting?"
#
aaronpk
for #2 i'm thinking of Github https://github.com/settings/security
#
aaronpk
"This is a list of devices that have logged into your account. Revoke any sessions that you do not recognize."
#
aaronpk
jeez you know that's actually a pretty good argument for having API-based verification of access tokens, so that the token endpoint can do cool stuff like that and provide tools for you to manage your active sessions
#
kbs
*waves* gotto run, will continue to follow aaronpk's authorization adventures :)
j12t joined the channel
tantek, dybskiy and j12t joined the channel
#
kartikprabhu.com
edited /reply-context (+193) "/* IndieWeb Examples */ added me :)"
#
kartikprabhu.com
edited /reply-context-examples (+174) "/* Twitter home page */ agree with barnabaywalters on twitter time direction switch"
#
KartikPrabhu
Jonnybarnes: sent an update mention to https://jonnybarnes.net/note/52 seems to be working nicely! good work
fmarier joined the channel
#
KevinMarks
Aaron that is bothersome, especially with the editable fragmention use case
#
aaronpk
might be time to actually implement this... one year later http://indiewebcamp.com/File:example-reply-to-photo-showing-context.png
#
aaronpk
KevinMarks: yeah and people are guessing the real reason is to drive more search traffic to google
#
KevinMarks
Google has a tradition of really crap URLs
Kopfstein and gRegor` joined the channel
#
KevinMarks
This will force all python programmers to move to Paraguay
#
KartikPrabhu
turns out G+ does not update embed context on edits: https://plus.google.com/+KartikPrabhu/posts/BxkZaaTNJBp note the updated original url and the embed!
#
KartikPrabhu
also that post url sucks
#
KartikPrabhu
also interesting to see my first #indieweb thoughts... didn't know of indieweb then :) https://plus.google.com/117114060857732496623/posts/UzKErSbfmHq
#
aaronpk
"Why is there this expectation that every website should be a forum? No website has any obligation to provide a space for your rants. Use your own space on the web to do that."
#
Loqi
yay!
#
KartikPrabhu
aaronpk: :D
#
KartikPrabhu
that was about the time I decided to switch off comments
#
KartikPrabhu
is going through his G+ stream and adding syndication links to own site!
#
kylewm
aaronpk: can I change Twitter to 'up' on http://indiewebcamp.com/IndieAuth ? it seems to always work now
#
aaronpk
oh yeah sure! moving to the new server helped
tantek joined the channel
#
aaronpk
once we get to the point of sending event invites from our own domains rather than just posting events, this thread will be an interesting use case reference:
#
aaronpk
note the multiple "thumbsup" RSVP yes
#
kylewm.com
edited /Template:indieauth-status (-47) "Changed twitter to 'up', yay aaronpk!"
#
aaronpk
one RSVP "no" with request to not get more updates from the thread https://twitter.com/mattly/status/461666261902966784
#
@MilanLoveless
@ReinH @kenichi_pdx @parndt @1337807 @aaronpk @amerine No one got my Pokemon joke and I'm not sure we can be friends now lol
(twitter.com/_/status/461666366563438592)
#
tantek
wow that's. just. wow.
#
aaronpk
oh and then there's my tweet where I added someone to the thread https://twitter.com/aaronpk/status/461722073547550721
#
kylewm
did you use the prayer emoji for a high five?
#
aaronpk
no that's a high five emoji
#
aaronpk
also if you view the IRC logs in safari you see all the emoji :D
#
aaronpk
ha! i coulda sworn that was a high five
#
kylewm
apparently there is lively debate on the internet
#
kylewm
i definitely would've thought high five if the mouseover hadn't said praying hands
#
aaronpk
good thing there is no mouseover on mobile
#
GWG
sighs
#
aaronpk
kylewm: davy says "Ps prayer hands have totally been co-opted for high five in emoji land"
#
kylewm
aaronpk: lol, they are a whole lot more useful that way
snarfed and davy_ joined the channel
#
GWG
Does a webpage need a clock?
#
GWG
I was thinking of incorporating the time onto my page
#
GWG
aaronpk: Your page has the local time
#
aaronpk
local to me
#
GWG
Yes
#
kylewm
sort of reminds me of MS DOS programs that included a clock because there was not one on the screen otherwise
#
tantek
would that go before or after the hit counter? ;)
#
GWG
tantek: People still have hit counters?
#
@chrisamccoy
Bypassed #F8 today for critical work. Looked fun but also kind of meh. Facebook should rebuild HTML5 from the ground-up #indieweb
(twitter.com/_/status/461737111549259776)
#
kylewm
before the hit counter, but after relevant webrings
#
GWG
The reason to have the time is to help people relate my time zone to theirs.
#
GWG
Is there a good reason to do that?
#
KartikPrabhu
tantek: about dhtmlconf.com "my eyeee, my eeeyyeeee"
#
aaronpk
GWG: i have yet to hear someone use it from my site, so I don't know
davy__ joined the channel
#
GWG
It is under consideration because I considered switching from absolute to relative time displays.
#
KartikPrabhu
is there some hidden write-up on the facepile UI?
#
kylewm
I like the idea in the context of mobile personal comms stuff, where you'd see what time it was before messaging the person
#
GWG
KartikPrabhu: What?
#
KartikPrabhu
I was wondering how to markup facepiles and what to show in alt text and titles
#
GWG
KartikPrabhu: Is there a standard for that?
#
KartikPrabhu
facepile = showing a bunch of avatars for instance for mentions and likes of a post
#
GWG
KartikPrabhu: I have facepiles of my own
#
GWG
kylewm appears in them
#
kylewm
I'm in all the facepiles
#
KartikPrabhu
GWG: yeah I was wondering how to mark it up. and some best practice of what to show on mouseover and the like
#
KartikPrabhu
hey kylewm nice face!
#
GWG
kylewm: It is only a matter of changing a code to change. Right now I have the full EDT timecode
#
GWG
KartikPrabhu: On mine, if you hover over the image it shows the person's name. Below that, I have the action. Example: Liked.
#
GWG
If you hover over the action, you get where it was liked.
#
KartikPrabhu
in this post http://kartikprabhu.com/article/indieweb-love-blog#responses I show "post title" on mouseover for mentions but "author name" for likes and reposts
#
KartikPrabhu
but a mf-parser would not know that
#
GWG
KartikPrabhu: You separate them by category. I call them all mentions and put the action below.
#
KartikPrabhu
aah example link?
#
KartikPrabhu
GWG: that is a good approach. We should document these diff. facepiles
#
aaronpk
ok my rudimentary token endpoint is running: https://tokens.oauth.net/
#
GWG
KartikPrabhu: Is there a Facepile page on the wiki?
#
aaronpk
but I *think* I have enough built out that I can switch aaronparecki.com to use it
#
KartikPrabhu
GWG: nope... but once I get some definition of facepile in my head I'll start one. or you could if you have it
#
GWG
I'll add one
#
tantek
hopes to see /facepile appear :)
#
GWG
Writing now
#
tantek
any IndieWeb Examples besides aaronpk?
#
GWG
Yes. Many
#
aaronpk
i'm sure I wasn't the first
#
KartikPrabhu
GWG: the anonymous mention is a little above the rest. any reason or funky CSS behaviour
#
KartikPrabhu
tantek: GWG and I use it
#
tantek
GWG *IndieWeb* Examples. Who else?
#
tantek
oh - hmm - since?
#
GWG
KartikPrabhu: I'm honestly not sure. I saw it, but I haven't looked into why
davy_ joined the channel
#
gRegor`
GWG: Need vertical-align: top
#
gRegor`
on the <li>s
#
GWG
gRegor`: I'm not sure why some aren't aligning when others are. I just haven't played with it. I may try an align.
#
GWG
I forget if I put one in
#
gRegor`
There isn't one. I just did it in Chrome inspector and it works
#
kylewm
2014-03-13 for me (re: facepiles)
#
GWG
gRegor`: Will add in a moment.
#
KartikPrabhu
GWG: also if you put a text as "Liked" in the correct spot it re-aligns. but gregor`'s solution works too
#
GWG
Well, the text is imported from the metadata
#
GWG
If it is blank, it means I messed something else up.
#
david.shanske.com
created /facepile (+331) "Created page with "The Facepile is a design element popularized by Facebook. == Description == It consists of a row or rows of profile photos of individuals who have all completed a webaction inv...""
#
GWG
Just a start
#
KartikPrabhu
tantek: I use it since I fixed up mention-parsing I could track it down... and I'll add it to the newly minted page. thnks GWG
#
gRegor`
For events spanning more than one day, I'm wondering if we need the end date displayed in a bubble? Not liking anything I'm coming up with so far: http://indiewebcamp.com/User:Gregorlove.com/sandbox
#
gRegor`
"26-27" will fit - it's snug. But then of course what about events that span months.
#
gRegor`
Since it's for a reusable template, don't want to make it super complicated.
#
gRegor`
I'm thinking calling attention to the start date is sufficient. The full date will always be listed in the details, right under the event name.
#
GWG
I just found a tag that wasn't closed in the Facepile code
#
GWG
That discussion did help
#
kylewm.com
edited /facepile (+210) "/* Examples */ added myself"
dybskiy joined the channel
#
aaronpk
okaayyyy well aaronparecki.com now delegates access tokens to tokens.oauth.net
#
aaronpk
and that's a little server that sits there and dishes out access tokens all day long
#
aaronpk
(after validating the request with the appropriate authorization server)
#
aaronpk
bret: so you can go ahead and use it now if you want :D
tantek and LauraJ joined the channel
KevinMarks joined the channel
#
aaronpk
emmak: omg you did it!! congrats!
#
emmak
aaronpk: thanks!
#
aaronpk
did ownyourgram.com give you enough tools to debug the process while developing?
#
emmak
yes, but i felt the documentation was a bit confusing
#
aaronpk
I would love to hear which parts
#
emmak
implementing the token endpoint
#
emmak
i used indieauth, but read half of the documentation on the indieauth website, so i ended up using the json api
#
aaronpk
ooh yeah I can see how that would be confusing
#
aaronpk
i've been making progress on that over the weekend
#
aaronparecki.com
edited /auth-brainstorming (+0) "update to live(!) example of a token endpoint"
#
KartikPrabhu
plans to put value-class-parsing in mf2py to finally have lazy-loading avatars :)
#
aaronpk
specifically the Authorization Endpoint and Token Endpoint sections
#
emmak
i didn't realize ownyourgram's "create a token endpoint" was explaining how to use indieauth specifically
#
aaronpk
hm it shouldn't be
#
aaronpk
it should work with any authorization endpoint
#
aaronpk
on http://ownyourgram.com/creating-a-token-endpoint it says "The authorization endpoint can be used to verify these values. However you will first need to determine which authorization server this user delegates to. This is done by looking for a rel="authorization_endpoint" link on the user's home page"
#
emmak
oh, is that POST request to validate a code part of the oauth2 spec?
#
aaronpk
it's part of the handwavey part of the oauth2 spec
#
emmak
i guess when i first read the spec, i assumed both auth and token endpoints would be on the same server, and validating the code would happen internally
#
aaronpk
the part that says "communication between the token endpoint and authorization endpoint is out of scope" :D
#
aaronpk
yeah most implementations they are in the same codebase, but in most enterprise environments they are on separate servers often
#
aaronpk
so the job of the IndieAuth spec is to take these holes in OAuth 2.0 and fill them with the things we need for it to work for us
#
aaronpk
I'm hoping to have this stuff well documented this weekend before IIW
#
aaronpk
so I may ping you later to review new docs :)
#
KartikPrabhu
emmak: are those photos in the stream through ownyourgram ?
#
emmak
KartikPrabhu: yes
#
KartikPrabhu
cool! awesome stuff!
#
aaronpk
also side note: the *very first* thing I wanted to do after launching the change to my token endpoint is see a list of all current apps i've authorized so I can go re log in to all of them
#
aaronpk
which is another good motivator for me to make a nice web interface for the token endpoint that can show stuff like that
#
emmak
aaronpk: i'd be glad to help review your new docs
#
aaronpk
ok well that was a bigger project than expected (mostly due to thinking things through) but it's done!
#
aaronpk
maybe it should live at tokens.indieauth.com
#
aaronpk
anyway, good night all!
#
Loqi
ciao
dybskiy, KartikPrabhu, KevinMarks, KevinMarks2, krendil, erikmaarten, eschnou, fmarier, squeakytoy and bnvk joined the channel
#
@terrellrussell
Business. RT @kevinmarks #f8 FB is trying to shut down the web and replace it with mobile apps that route through it's datacenters #indieweb
(twitter.com/_/status/461819422291025920)
bnvk joined the channel
carlo_au, erikmaarten, scor and tantek joined the channel
#
@terrellrussell
Also, bad. RT @kevinmarks: #f8 FB is trying to shut down the web & replace it with mobile apps that route through it's datacenters #indieweb
(twitter.com/_/status/461849321944932353)
#
david.shanske.com
edited /WordPress (+91) "/* People using WordPress */"
#
david.shanske.com
edited /WordPress (+124) "/* Working On */"
ttepasse and chloeweil joined the channel
#
david.shanske.com
edited /User:David.shanske.com (+182) "/* Current Progress */"
#
david.shanske.com
edited /User:David.shanske.com (-3) "/* Features in Development */"
#
tommorris
I just wrote a thing about Facebook. It might be of interest to indiewebsters. :) http://tommorris.org/posts/8903
#
bnvk
tommorris: nice roundup, thanks ;)
scor joined the channel
#
jonnybarnes
good post tommorris, would this affect someone wanting to make it so their website can POSSE to facebook?
#
jonnybarnes
presumably that'd mean setting up an app that request the ability to post to ones timeline, which would then need to be reviewed.
#
tommorris
jonnybarnes: possibly. If you are just doing it for yourself, it might not be a big problem because you’d be an admin/developer on the app
#
tommorris
and you can always implement it using the sharing panel so you just have to pop open a share panel and click post.
#
tommorris
that said, I think Facebook probably won’t care too much about people POSSEing their own blog posts in
#
GWG
So, it might affect Bridgy?
fungoat joined the channel
#
tommorris
GWG: might do. Existing apps have a year’s grace period, so getting approval for a V2 app key should be fairly easy to do.
snarfed, gRegor`, glennjones, v0, wraithgar, voxpelli, tahnok, brainTrain, KevinMarks, kevinbae, iangreenleaf and tilgovi joined the channel
#
@gRegorLove
This looks good. What Comes Next is the Future, a documentary about the web https://www.kickstarter.com/projects/bearded/what-comes-next-is-the-future #indieweb
(twitter.com/_/status/461902298789060609)
KevinMarks, snarfed, _6a68, ttepasse, brianloveswords and paulcp joined the channel
#
@tomstandage
Late to this, but glad to learn from @dangillmor of IndieWeb, which aims to "re-decentralise the web": http://dangillmor.com/2014/04/25/indie-web-important/
(twitter.com/_/status/461912512485949440)
#
@samharrelson
RT @tomstandage: Late to this, but glad to learn from @dangillmor of IndieWeb, which aims to "re-decentralise the web": http://t.co/HP3HSxu…
(twitter.com/_/status/461912633386754048)
dybskiy, glennjones_, eschnou and kbs joined the channel
#
kbs
aaronpk: very nice on the implementation - played with it briefly :)
#
aaronpk
oh great!
#
aaronpk
you had success?
#
kbs
in that I was able to obtain an access token, yes
emmak joined the channel
#
kbs
couple of thoughts *gathers them* :)
#
aaronpk
sweet! not bad for no docs ;)
#
@objectivec
Manton: Snippets: Right after publishing yesterday’s post on mirroring content, I added a link to IndieWebCamp... http://www.manton.org/2014/05/snippets.html?utm_source=twitterfeed&utm_medium=twitter
(twitter.com/_/status/461917473697050625)
#
kbs
aaronpk: curl -i https://tokens.oauth.net/token -d me=https://aaronparecki.com .... etc -> this returns an access token for an authorization token for me=http://kbsriram
#
kbs
this is not a big deal, as you also validate it (I think) in your micropub endpoint
#
kbs
but possibly could be rejected right here
#
kbs
ah, hope that made sense? :) sorry, haven't had my caffeine yet
#
kbs
ie - the signed token still contains me=<the-bad-guy> -- so it can eventually be verified that I can't impersonate a different person
#
kbs
but it could possibly be detected and rejected earlier. (minor thing, basically)
#
aaronpk
ah yeah
#
aaronpk
actually that was next up on my sanity check
#
kbs
oh, ok
#
aaronpk
cause I'm wondering if it ever makes sense for my site to accept access tokens from others
#
kbs
It struck me that in this case as well, it might be better for the token-exchanging-endpoint to cross-check parameters - there's just a mismatch there more than anything else
#
kbs
but anyway - minor thing. That's the only thing I saw in my quick test - very nicely done :)
#
kbs
the other thought was more philosophical I think - given that client-authentication doesn't exist -- I can sign-in with client-app == https://google.com which shows up at the auth endpoint
#
kbs
it's a nifty implementation, albeit with a lot of moving parts :) great you've managed to hook all of them together
#
aaronpk
ah yeah I need to add redirect URI validation at indieauth.com, so that the client ID URL must point to the redirect URI, that'll fix that
#
kbs
is the token passed from the auth endpoint to the token-exchange endpoint just the signature alone?
paulcp_ joined the channel
#
kbs
It doesn't seem to be a jwt token (or, it seems like just the signed bits)
#
aaronpk
the auth codes indieauth.com generates right now are just random strings
#
kbs
oh!
#
kbs
ok, I see
#
aaronpk
I didn't actually change anything about indieauth.com to make this work
#
kbs
nods
#
aaronpk
if I do switch to signed tokens from the auth endpoint, it'll be an implementation detail of the auth endpoint and still opaque to the clients
KevinMarks joined the channel
#
kbs
yep - mostly was just taking a quick look at the nature of the tokens being exchanged, was curious. Fully appreciate this is all iterative
#
kbs
So currently the jwt-access-tokens don't have an expiry date
#
kbs
I'm sure you already have some idea in mind to potentially add this as needed
#
aaronpk
yeah, was pondering that last night
#
kbs
*thinking* would it be useful to include the target site in the JWT token? As it stands, the JWT token can be used anywhere
#
aaronpk
target site?
#
kbs
this token is only valid for _this_ site
#
kbs
otherwise, could me (as a 3rd-party-app in possession of such a token) reuse that token on a different site? Or, does it matter, I guess
#
aaronpk
I think I need some example URLs to follow this
#
kbs
here's the JWT token I currently have
#
kbs
{ "me": "http://kbsriram.com", "scope": "post", "date_issued": "2014-05-01 17:10:38", "nonce": 1025026397, "client_id": "https://google.com" }
#
kbs
When I went to indieauth.com, I see a screen that says (roughly)
#
kbs
google.com wants to have posting access to your site at kbsriram.com
#
kbs
now the 3rd-party-app going by the name of google.com gets hold of the token above
#
kbs
later, (let's say) aaronparecki.com decides it's ok for user kbsriram.com to post on his site
#
kbs
there's no further authorization needed (as it stands) for the app to begin posting on aaronparecki.com
#
kbs
Ie - the token is scoped for the user, but not the sites where it may be used
#
aaronpk
ah great ok
#
aaronpk
I think that's the "audience" in the official JWT spec
#
kbs
oh, okay :) thanks for that tip
#
aaronpk
probably does make sense to encode that too
#
aaronpk
or default to audience = me if not specified, and micropub endpoints should verify it
#
aaronpk
so if a micropub endpoint gets a request with no audience specified, it should assume the audience is the same as "me"
#
kbs
that could work too, right.
#
aaronpk
and micropub endpoints should only accept tokens with an audience that matches themselves
#
kbs
all in all, looks neat aaronpk :) - will continue to watch from the peanut gallery...
#
aaronpk
kbs: thanks! the feedback is useful!
#
aaronpk
i'm hoping to wrap up a lot of this this weekend and write good docs
#
aaronpk
so that people going to IIW next week have good stuff to point to
#
kbs
whoever wrote that spec must be a fellow-dinosaur from the bad old C days (with all the 3-letter values :)
#
aaronpk
well I think another reason for the 3-letter values is because it makes the resulting token shorter too
#
aaronpk
marginally
#
kbs
ah! okay - that makes more sense, thanks :)
#
kbs
thank god they didn't decide to further huffman encode it
#
kbs
(context is openpgp is filled with many micro-space-optimizations like this which just makes implementations more complicated and bug-ridden)
caseorganic, bnvk, caseorga_, caseorg__, j12t, eschnou, brianloveswords and benwerd joined the channel
#
snarfed
wow, seriously
#
snarfed
any chance you can find the webmentions in your logs and see where they're coming from?
#
snarfed
the source pages obviously don't link to that page
#
snarfed
cc kylewm
#
kbs
there was something they were mentioning - http://indiewebcamp.com/irc/2014-04-30/line/1398890569
#
KartikPrabhu
snarfed: benwerd: I think kylewm sent a mention from his feeds page which had one article linking to the post but all of them got picked up.
#
KartikPrabhu
kbs: good find! I was wondering how to look for that line :)
#
snarfed
aha. so maybe an idno bug when the source is a feed
#
KartikPrabhu
i suspect idno uses all h-entries on a page but it should be using only the first
#
kbs
(KartikPrabhu: ah, no clever idea here :/ just searched by-hand. The corresponding google-site search doesn't seem that useful)
#
benwerd
gotcha. thanks
bnvk joined the channel
#
@caseorganic
ADP Innovation Labs hiring an anthropologist w/ UX/research background. #privacy #ownyourdata #ethnography #ux. @masieror can tell you more!
(twitter.com/_/status/461940425809342464)
#
@masieror
RT @caseorganic: ADP Innovation Labs hiring an anthropologist w/ UX/research background. #privacy #ownyourdata #ethnography #ux. @masieror …
(twitter.com/_/status/461940689509814274)
grantmacken, hallettj_, LauraJ, voxpelli and brianloveswords joined the channel
#
kylewm
benwerd: sorry about that, curiosity got the better of me.
eschnou joined the channel
#
@UXJobs247Posts
RT @caseorganic: ADP Innovation Labs hiring an anthropologist w/ UX/research background. #privacy #ownyourdata #ethnography #ux....
(twitter.com/_/status/461946100556242944)
brianloveswords, glennjones and KartikPrabhu joined the channel
#
kylewm
benwerd: I tried deleting my comments by returning a 410 for kylewm.com/everything, but that (unsurprisingly) didn’t work
caseorganic joined the channel
#
bret
aaronpk: sweet!
#
bret
i have been ultra busy with school :/
jonnybarnes, KartikPrabhu and mgarrido joined the channel
#
benwerd
kylewm: well, quite a bit is broken at my end, then, because that should be working
#
benwerd
(wait, did you re-webmention them?)
#
@benatkin
#ownyourdata #indieweb lower your standards for blogging. there's no reason small stuff needs to be restricted to closed platforms.
(twitter.com/_/status/461958756285157376)
krendil, tilgovi and paulcp joined the channel
#
kylewm
benwerd: I resent the webmention with source=http://kylewm.com/everything, not with each of the individual posts
#
benwerd
gotcha
#
kylewm
and I wasn’t trying to be malicious, just testing to see if that’s how all barnaby’s posts got there :)
brianloveswords and barnabywalters joined the channel
#
Loqi
barnabywalters: benwerd left you a message 1 day ago: Any thoughts about what happened here? http://werd.io/2014/im-thinking-about-adding-comments-what-do-you-like-indieweb
#
benwerd
sorry barnabywalters, that's out of date now
#
benwerd
we figured it out
#
barnabywalters
benwerd: ha ha ha
#
barnabywalters
looks like excess h-entry parsing :)
#
benwerd
quite so.
#
barnabywalters
I also had some problems with it
#
barnabywalters
e.g. all posts shown on my homepage now have an extra comment
hallettj_ joined the channel
#
barnabywalters
apparently my mention registering code resolves the target URL, but doesn’t resolve the in-reply-to URL (if any)
#
barnabywalters
apparently that is a good thing to do
bnvk and pauloppenheim joined the channel
#
bret
aaronpk/anyone is rel="indieauth" in use?
brianloveswords and paulcp_ joined the channel
#
aaronpk
i don't think so
#
aaronpk
there's not a reason for it really
#
aaronpk
unless the openid connect people get mad at me using their "authorization_endpoint" rel value
#
bret
lol why would they do that?
#
aaronpk
I dunno, cause indieauth != openid connect?
#
aaronpk
we'll see
#
aaronpk
I seem to be getting empty GET requests to my token endpoint from browsers
#
KartikPrabhu
apparently CSS now has a module to indicate future change of a property: http://www.w3.org/TR/css-will-change-1/
#
aaronpk
it must be browsers pre-fetching URLs they find on the page
#
bret
aaronpk: did a rough draft omnigraffle chart https://www.dropbox.com/sh/x2nvnao30pp0j1u/Y_c9-te08e
#
aaronpk
oh nice!
kbs and _6a68 joined the channel
#
kbs
aaronpk: one minor question - were you planning to map your current jwt key names back to the reserved values defined in http://tools.ietf.org/html/draft-jones-json-web-token-10#section-4.1 ? [eg: "iat" and an IntDate rather than "date_issued", "pri" rather than "me" and so on?]
#
aaronpk
i was considering it, only if I actually expect clients to decode the JWT
#
aaronpk
currently I'm only using JWT as a convenient form of signing for internal use
#
aaronpk
cause there are good libraries
#
aaronpk
I really don't like the 3-char names tho :/
#
kbs
oh, hm :) wouldn't a micropub endpoint need to understand the JWT token, assuming it comes from a service like indieauth+token.net?
#
aaronpk
currently my micropub endpoint makes an API request to the token endpoint to verify the token, so it doesn't need to know how to decode it
#
aaronpk
of course it does need well-known property names for the values
#
kbs
okay, I see
#
aaronpk
I find the 3-char names very inaccessible
#
aaronpk
but might be best to suck it up and use them anyway
#
kbs
:) at any rate, a followup thought was that I was thinking whether you might find adding the "iss" to the bearer toke (or a less awkward name :) handy
#
kbs
bearer toke?
#
kbs
never inhaled
#
aaronpk
"iss" being the URL of the token endpoint?
#
kbs
the URL of the issuer - the place where you go back to get the public key to validate the signature
#
kbs
I think right now you use the "me" parameter to pick that up
paulcp joined the channel
#
aaronpk
no the token endpoint would be providing its own public key
#
kbs
right. So the micropub endpoint would get "iss"="url-to-token-endpoint"
#
aaronpk
and it would expect to be able to make a request there and retrieve the public key
#
kbs
nods
#
aaronpk
(currently an empty GET request to the token endpoint is a 400, so that would give a GET request some purpose)
#
kbs
I think you have that info [in some handwavy way] also in the rel=xxx values, but maybe it might be handy to have this in the bearer token itself
#
kbs
haha
#
kbs
well - that would be an interesting idea for sure
#
aaronpk
"prn" == "me"
#
kbs
correct
#
kbs
(I was initially assuming these tokens were part of the protocol itself
#
kbs
but understanding your thinking a bit better, guess it's irrelevant)
brianloveswords joined the channel
#
aaronpk
it's possibly relevant
#
aaronpk
because many of these values do need to be communicated between each of the endpoints
#
aaronpk
but whether a client decodes the values from the JWT or queries an API for them it's about equivalent
#
aaronpk
so yeah should probably stick to the JWT names for things
#
kbs
agree with the bit about the ugly names :) but at any rate, also figure I'd run the "is adding 'iss' useful" thought your way and let you cogitate :)
#
aaronpk
adding "iss" is probably useful
brianloveswords joined the channel
#
aaronpk
although I don't need it for my current implementation
#
aaronpk
because my micropub endpoint only accepts tokens generated by tokens.oauth.net
#
kbs
ah, I see
#
aaronpk
if there is a case when a micropub endpoint would accept tokens from arbitrary token endpoints then it would be useful I think
#
kbs
nods
#
kbs
I was initially thinking this is what you had in mind all along - allow each endpoint to be written independently
#
kbs
and for each endpoint to decide for itself which services it would choose to trust
#
aaronpk
yes that's the idea
#
GWG
What's the news around here?
#
kbs
aaronpk: ah, I see - then if (say) a micropub endpoint is willing to accept > 1 token-exchanging endpoints, it would find "iss" handy [though I believe you can also look that up from the rel=me links from the "prn"s site]
#
aaronpk
kbs: yes that sounds correct
#
aaronpk
in any case we're in kind of a chicken/egg situation if the micropub endpoint accepts > 1 token endpoint
#
aaronpk
because the micropub request comes in with a token and no other identifying information. You'd have to decode the token without first verifying the signature in order to pull out the "iss" or "prn" values.
#
aaronpk
then after finding the keys, you could verify the signature of the token
#
kbs
right - I think that would be the idea :)
#
aaronpk
ok interesting
#
aaronpk
I will be trying to think of a case when a micropub endpoint wants to use tokens from somewhere else
#
kbs
I think only djb might complain about having to decode before verification, because that exposes a larger surface for attacks
#
aaronpk
now that I have the base case implemented I can probably get my head around more complex relationships now
#
kbs
yea :) I like bearer tokens too - at least there's some structured way to wrap my head around what's going on.
_6a68 joined the channel
#
kbs
aaronpk++ GWG - he's figured out a way to let you approve 3rd party apps to publish to your site, still using indieauth basically. [sort of like how you might approve a new twitter client I guess, except now it's to your own site...]
#
Loqi
aaronpk has 438 karma
#
GWG
Who is going to try that first?
#
kbs
that is an excellent question :)
#
GWG
I like to see proof of concept.
#
aaronpk
GWG: there are now 3 indieweb sites using it, and 3 apps
#
GWG
Is there a wiki page?
#
GWG
With links to examples?
#
aaronpk
notenoughneon.com aaronparecki.com caseorganic.com
#
GWG
aaronpk: What is the use case you are thinking?
#
aaronpk
and ownyourgram.com waterpigs.co.uk/notes/new and https://github.com/aaronpk/PushupCounter-iOS
#
kbs
haha - you've hooked up your pushup counter to it? nice :)
#
aaronpk
no I don't think there is a wiki page that actually says all of this in a nice way
#
GWG
aaronpk: So, what uses are you imagining?
brianloveswords joined the channel
#
aaronpk
apps for the indieweb!
#
GWG
I can probably think of a few.
#
aaronpk
well I just listed 3
#
GWG
Yes
#
GWG
I just like to hear what people are imagining.
#
GWG
I was listening to a guy recently being interviewed who posts all of his development ideas for an open source project...but he doesn't actually do all of them. Too many
#
kylewm
does notenoughneon use micropub for ownyourgram only or for all post types?
#
aaronpk
probably just photos right now since it's brand new and she's been making the other posts by hand for now
snarfed, KevinMarks and lukebrooker joined the channel
brianloveswords joined the channel
#
emmak
kylewm: i made a posting UI that uses the micropub endpoint
#
emmak
so it is using micropub for all post types
#
kylewm
ooooh, fancy. thank you for publishing your code btw, i’m using python but reading your micropub.php helped anyway!
netweb, snarfed and KartikPrabhu joined the channel
snarfed joined the channel