#indiewebcamp 2014-06-10

2014-06-10 UTC
#
aaronpk :)
brianloveswords joined the channel
#
pauloppenheim aaronpk: i would love to be an auth buddy, but i am not sure i will be a very good auth buddy
#
pauloppenheim i have been working a bit lower in the stack lately
#
aaronpk lower? wow
#
pauloppenheim i am angry at administering servers
#
aaronpk ah yeah
#
pauloppenheim and have written two more wsgi frameworks
#
pauloppenheim i really need to learn docker instead of wasting my life wating for VMs
#
pauloppenheim * waiting
#
@ShaneHudson @pmarca @bhorowitz oh btw Marc, while you're online... Did you see the tweets about #indieweb and @withknown? Definitely the way forward. (twitter.com/_/status/476164389830410240)
#
pauloppenheim aaronpk: what do you need an auth buddy to do?
#
aaronpk brainstorming, helping make UI sketches and docs, and possibly also to make your own implementation of parts of this.
#
KartikPrabhu err what's an auth buddy?
#
aaronpk lol
#
aaronpk just someone i can bounce ideas off of while working on this stuff
#
KartikPrabhu this = indieauth?
#
aaronpk yeah
#
KartikPrabhu oh ok that was my guess too :)
kylewm joined the channel
#
aaronparecki.com uploaded /Special:Log/upload "uploaded "[[File:indieauth-web-sign-in.png]]""
#
aaronparecki.com edited /login-brainstorming (+36) "/* Web Sign-In Form */ add img" (view diff)
#
pauloppenheim aaronpk: the To Do list from http://indiewebcamp.com/IndieAuth, or other new works?
#
aaronpk new stuff
#
aaronpk check out this set of pages http://indiewebcamp.com/Category:IndieAuth
#
aaronpk but a lot is still only in my head
#
pauloppenheim i'm not very familiar with OAuth 2
#
aaronpk this should help: http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified
#
pauloppenheim actually i'm not even great with OAuth, i usually just bug termie
#
aaronpk forget everything you know about oauth 1
#
pauloppenheim lol
#
aaronpk I suppose I need to write a page "how to build an authorization endpoint" next
#
aaronpk to go along with how to build a token endpoint
#
aaronparecki.com edited /simple-indieauth-example (+36) "/* Web Sign-In Form */ add img" (view diff)
#
aaronparecki.com edited /auth-brainstorming (+36) "/* Web Sign-In Form */ add img" (view diff)
#
pauloppenheim aaronpk: yeah, this is complicated, i see what you mean
#
aaronpk :)
#
aaronpk it will all be super straightforward once there's enough docs and diagrams
#
aaronpk (no really, I swear!)
#
pauloppenheim it feels very intertwined with micropub, which i have not been following closely enough
#
aaronpk it partly is, but there's a whole section that is not
#
aaronpk indieauth for authorization is, indieauth for authentication is not
#
aaronpk like when you sign in to the wiki, you're authenticating only, no micropub involved
chrissaad joined the channel
#
pauloppenheim right
#
pauloppenheim this whole thing is very chicken-and-egg
#
pauloppenheim aaronpk: is anyone else implementing their own auth / micropub?
#
aaronpk there's several micropub endpoints now
#
aaronpk nobody else has built an auth server afaik
#
aaronpk there are a few token endpoints
#
bret what if people start putting ads into h-entries?
#
pauloppenheim LOL
#
aaronpk http://meme.loqi.me/4WXxyu03.jpg
#
Loqi who, me?
#
bret pretty much
#
pauloppenheim when the indieweb gets discovered by spammers, we're gonna have problems all over
#
pauloppenheim it'll be fun ;)
#
bret we shall destroy spammers
#
bret >:D
#
aaronpk i'm looking forward to it
#
pauloppenheim oh i doubt that
#
pauloppenheim but we'll have a good ol' war
#
bret we can do social graphs with xfn!
#
bret pauloppenheim i managed to get a working endpoint the other day
#
bret which means basically so can a lot of people
#
bret posting is way to easy now
#
aaronpk oh wow I just realized an auth provider could let you sign in with a pgp key
#
aaronpk by making you sign a challenge with the private key for a public key that's on your site
#
bret aaronpk: any use for keybase there?
j12t joined the channel
#
aaronpk quite possibly yeah
#
pauloppenheim aaronpk: or you could encrypted email a link with an unguessable url
#
aaronpk well it already supports email auth via persona
#
aaronpk more interested in having fewer parties involved
#
aaronpk see this is why I need a "how to make an auth endpoint" tutorial
#
aaronpk so that someone good with pgp can go make an auth endpoint that lets people sign in to whatever with their pgp key
#
acegiak morning, all
#
aaronpk morning!
#
aaronpk it's always morning in #indiewebcamp
#
colbyaley.com edited /2014/Guest_List (+282) "Adding myself to West guest list" (view diff)
#
acegiak aaronpk: channel runs on UGT?
#
aaronpk there's just enough people from different timezones here that someone is always saying good morning!
#
pauloppenheim aaronpk: i would be interested in that
#
pauloppenheim is kbs still around?
#
bret.io edited /2014/Guest_List (+0) "Updated west count" (view diff)
#
bret.io edited /2014/Guest_List (+183) "/* West */ Updated some details on my rsvp" (view diff)
#
bret.io edited /2014/Guest_List (+38) "/* West */ Added my github too" (view diff)
#
aaronpk pauloppenheim: sweet. yeah need to get this tutorial up
#
aaronpk once I finish my silly test endpoint i'll be able to document it
#
pauloppenheim i think you have enough docs that were i close enough, i could make that
#
bret pauloppenheim have not seen kbs in a few days
#
aaronpk yeah it's mostly here http://indiewebcamp.com/login-brainstorming#Authorization_Endpoint
#
aaronpk but that is written from the point of view of the consumer so is not as easy to read if you're actually building the auth endpoint
#
aaronpk whereas I wrote http://indiewebcamp.com/token-endpoint for people building a token endpoint, not just using one
benwerd joined the channel
#
aaronparecki.com edited /token-endpoint (+0) "/* Access Token Request */ typo" (view diff)
tantek joined the channel
#
aaronpk omg i made an auth endpoint
#
pauloppenheim aaronpk: what kind?
j12t joined the channel
#
aaronpk simple password auth on my own site
#
bear \o/
#
aaronpk hmm now to document on http://indiewebcamp.com/authorization-endpoint
#
aaronparecki.com edited /token-endpoint (+177) "redo headers and add section for verifying an access token" (view diff)
fmarier and benwerd joined the channel
#
aaronpk pauloppenheim: question since you're the only pgp person I think is online right now... with this new feature you will be able to point to an auth endpoint that supports pgp auth from your home page. would you be comfortable using a service that handles the pgp verification?
#
aaronpk you'd certainly be able to create your own auth endpoint that does whatever, but it would be convenient if you didn't have to build it of course
#
pauloppenheim i'm not sure what you're asking
#
pauloppenheim would i feel comfy with challenge / response?
#
pauloppenheim or would i consider such a site trustworthy?
#
aaronpk hm
#
pauloppenheim i mean, challenge / response from a pgp pubkey is no worry at all, of course i would use that
#
pauloppenheim i don't know how much i would trust a site that used that, depends on the implementation
#
aaronpk similar to the way you can right now point to multiple auth providers like twitter or github, you will be able to point to one or more indieauth providers, which can be something you implement on yuour own domain or a service like indieauth.com
#
bear I would have to challenge/response to the site, establish a token and then that site would then challenge/response to a user and provide that token
#
pauloppenheim i think just trusting a key sitting on a web server by itself is bad form
#
pauloppenheim aaronpk: i'm not sure if i'd reuse yours, depends how it fits in the rest of my environment
#
aaronpk say for example there is a service called thebestpgplogin.com which you've established a relationship with (you're paying for it, or whatever)
#
pauloppenheim ahh
#
aaronpk you'd add a tag to your site: <link rel="authorization_endpoint" href="https://thebestpgplogin.com/auth">
#
pauloppenheim would i trust that to log me in across the web? maybe, depends on the impll
#
pauloppenheim does it check for key revocations?
#
pauloppenheim do it hit keyservers?
#
aaronpk and then it would show up in the login prompt like this https://farm4.staticflickr.com/3837/14193432239_2ac9a4e7ff_o.png
#
pauloppenheim * does
#
aaronpk I guess my question is would you be willing to trust this third party service to do things responsibly for you?
#
aaronpk it's entirely your choice to use this service of course
#
pauloppenheim aaronpk: depends on the things :)
#
aaronpk say you've done your due diligence, and you're ready to pay $20/year for this
#
pauloppenheim what needs to even pass through the auth endpoint?
caseorganic joined the channel
#
aaronpk the auth endpoint issues and then verifies auth codes
#
pauloppenheim aaronpk: part of security is not needing to trust in the first place
#
bear so my website would do a "hey, is this code valid" check?
#
aaronpk the auth endpoint is the thing you're used to seeing that says "this app would like to ____" like twitter's oauth screen, etc.
#
pauloppenheim right
#
pauloppenheim i would imagine that would run on my site, not externally
#
pauloppenheim i haven't even thought of the implications of that running externally, it sounds very weird
#
aaronpk in the case of the auth server I just made, it lets me modify the scope that the app requested https://farm6.staticflickr.com/5279/14364551756_7751334482_o.png
#
pauloppenheim principally, i do this kind of thing over an ssh tunnel right now, which usually means only using software i have written to handle that
#
aaronpk like a poor man's "checkboxes bitches" https://benward.me/blog/tumblr-968515729 (hi benward!!)
#
pauloppenheim "fire up this app pipeline that will expect to see json on stdin"
#
pauloppenheim hmm
#
pauloppenheim so
#
pauloppenheim if i'm doing anything important on a box, probably not
#
pauloppenheim if it's all public anyway, yeah, probably
#
pauloppenheim i wouldn't want my web apps to have the decision to accept or reject something be made externally, if i care about their security
#
KartikPrabhu aaronpk: 2010! and Google Buzz O_O
#
pauloppenheim why does 2010 not even feel all that long ago
#
bear for me it would be ok to take this type of external auth to say that someone can leave a comment or webmention - but not to do anything else on my site
#
aaronpk interesting
#
pauloppenheim right, depends' what's being authorized
#
bear but i also do a lot of server side static stuff - so me logging into my site is a much less likely thing to happen
#
bear now I would love to see something that lets me trust a webmention as being validated
#
aaronpk one thing at a time ;)
#
pauloppenheim but isn't this for interactive use?
#
aaronpk yes let me finish getting this out onto the wiki
#
bear sorry, yea, I was jumping ahead in the story
#
pauloppenheim but i would probably run that as a module on my own site
#
pauloppenheim but i think then you have the problem of having the 3rd party trust it
#
pauloppenheim because hoo boy, that's a lot of auth providers to just trust, for much the same reason
#
bear right - especially in the indieauth realm - every domain hitting my site I would have to establish a trust relationship with
#
aaronpk that's basically the openid situation, where every domain is potentially its own openid provider
#
pauloppenheim i have a feeling this should look different than normal auth flows
#
pauloppenheim i.e., certs are useful because that mechanism is decentralized
#
pauloppenheim i don't think you need an oauth flow if you have certs
#
aaronpk you always need the oauth flow in the context of micropub
#
bear well, if you have certs >= 2014
#
pauloppenheim but you can't invent your own PKI either, unless you really want to research the fuck out of it
#
bear I like PKI - call me old fashioned
#
bear you get my pub key, I get yours, we cross sign and verify… done
#
aaronparecki.com edited /token-endpoint (+843) "/* Verifying an Access Token */" (view diff)
#
bear hmm, I wonder if IndieAuth used it's pgp key to sign a webmention user would I then be able to request from indieauth a token to allow the indieauth user to submit something to my site without them having to know/use pgp
#
bear thinks he just described what the last 1/2 hr conversation was about
#
pauloppenheim :)
#
pauloppenheim aaronpk: this is where i wish i knew more about oauth2
#
aaronpk take a look at my "OAuth 2 simplified" article, it shouldn't take much to go through it and it covers all the basics
#
aaronpk unfortunately if you look at the actual specs it's more complicated because it's been so abstracted out for lots of possible use cases
#
pauloppenheim as i know it is flexible enough for "enterprise" now, i wonder if it is a superset of normal pubkey use
#
aaronpk there is a whole saml2 thing which i believe is close
#
pauloppenheim aaronpk: been reading that, it's what's on my screen when i get breaks from my current work situation
#
aaronpk cool
#
aaronparecki.com edited /token-endpoint (+96) (view diff)
#
aaronparecki.com created /authorization-endpoint (+694) "stub with section headers" (view diff)
#
aaronpk back in a bit. biking home before the sun goes down.
#
pauloppenheim not a bad idea
brainTrain, j12t and caseorganic joined the channel
#
aaronpk back
#
aaronpk OH snap now that iOS 8 allows API access to the fingerprint reader I can make an indieauth login option that does fingerprint auth!
#
bear laughs
#
aaronpk i'm so doing that
#
aaronpk i've gotta flash iOS 8 onto my test ipod
#
pauloppenheim hmm, that would be cool
#
pauloppenheim i think your auth is a different kind of thing than i am thinking of
#
aaronpk imagine you're signing into a site, you click the "thumbprint" option and then a push notification appears and you have to launch the app and touch your thumb to it
#
pauloppenheim right now indieauth is pretty great for what it is
#
pauloppenheim i think maybe my perspective is bent, and thinking of situations that require more security than you are targeting
#
aaronpk ideally this works for all levels of security, or is at least flexible enough
#
pauloppenheim well, but you want inflexibility for high security applications, so that it can't be fucked up
#
pauloppenheim effectively, flexibility presents much more attack area
#
pauloppenheim and it becomes impossible to evaluate "security"
gRegor` joined the channel
#
pauloppenheim the flip side is PGP, which by all appearances is getting worse, not better, as more people make "guides"
#
pauloppenheim there's enough that's not specified, and there are enough people trying to make it easier in ways that wind up making it less secure
#
pauloppenheim wow i sound like a grumpy old man
#
pauloppenheim :(
#
@CharlesPulliam @schnarfed @islayblog 1 more Q--after enabling brid.gy should the webmentions populate a site's main page or will they appear on every page? (twitter.com/_/status/476211086354427904)
#
bear no, just someone who has had to deploy production security and had to deal with devs who follow bad guides
#
bear that's why i'm all like "amen to that paul!" and shaking my head in agreement
#
dariusdunlap From what I’ve read about the fingerprint auth, it’s nicely secure. No PII is exchanged… just “yep”, or “nope”.
#
aaronpk that is exactly how I assumed they'd implement, and very glad
#
aaronpk actually it unlocks keychain items, so it's a little more than yes/no but yeah, it doesn't actually provide the fingerprint image or anything
#
dariusdunlap Yeah, it was in the cards readin ghte description of the fingerprint system laste year.
#
dariusdunlap er, last year
#
dariusdunlap Does either, actually.
#
pauloppenheim so does this not matter?: http://istouchidhackedyet.com/
#
dariusdunlap BTW, after reading a good chunk of the Swift book, I decided I really needed to go back through it as a “playground”… so I’m doing that now.
benwerd joined the channel
#
dariusdunlap Never did matter.. The objective isn’t perfect security. The objective is security that’s better than the crap password that you reuse everywhere, or even a good 6-digit pin.
#
aaronpk pauloppenheim: that's incredible
#
@schnarfed @CharlesPulliam incoming webmentions show up on individual posts, as Disqus comments. https://www.brid.gy/about#incoming (twitter.com/_/status/476213518874587136)
#
dariusdunlap It’s a pretty briliant physical hack.
#
pauloppenheim it's better than the samsung galaxy 5, which evidently lets you make unlimited attempts
#
pauloppenheim can't change your fingerprints!
#
dariusdunlap lol
dybskiy joined the channel
#
Loqi [mention] http://manu.sporny.org/2014/identity-credentials/ linked to http://indiewebcamp.com/NASCAR_problem (pingback)
#
aaronpk wow they made all sorts of domains for their proof of concept implementation... credential.club and login-hub.com and identus.org
dybskiy joined the channel
#
bret so much of that is routed around if you have a domain available already
dybskiy joined the channel
#
bret its neat they incorporate telehash
#
bret except telehash isnt working yet
snarfed joined the channel
#
bret well dht works fine but the libs are not ready yet
#
bret aaronpk: is there an oauth meetup in town?
#
aaronpk hm maybe I should make one
#
aaronpk there were a few "state of the auth" meetups a while ago
#
aaronpk http://calagator.org/events/search?tag=oauth
wtd and dybskiy joined the channel
#
bret that would be interesting
#
aaronpk there were only 2 meetups. I gave a talk on OAuth 2, then ozten gave a talk on Persona lol
#
bret where is manu!
dybskiy, lupinedev, j12t, snarfed, Jihaisse, cweiske and pfefferle joined the channel
#
Loqi pfefferle: snarfed left you a message on 6/6 at 9:42am: no custom post types for my possed retweets, favorites, etc. just categories to hide them from front page etc.
sparverius joined the channel
#
pfefferle snarfed: hmm… that is also a good idea!
#
pfefferle good morning everyone
#
acegiak pfefferle: morning
dybskiy, petermolnar, eschnou, jsilvestre, KartikPrabhu and krendil joined the channel
#
@jon_newman How we're on the verge of an amazing new open web #indieweb http://werd.io/2014/how-were-on-the-verge-of-an-amazing-new-open (twitter.com/_/status/476283932758245377)
krendil joined the channel
#
@igogarcia How we're on the verge of an amazing new open web #indieweb http://werd.io/2014/how-were-on-the-verge-of-an-amazing-new-open (twitter.com/_/status/476289343531646977)
#
@mapkyca Pondering whether upload_with_media & QR codes might be a hack to get syndicated twitter posts feeding back brid.gy #indieweb comments... (twitter.com/_/status/476289416592646145)
#
@JimmieJScttoo RT @igogarcia: How we're on the verge of an amazing new open web #indieweb http://werd.io/2014/how-were-on-the-verge-of-an-amazing-new-open (twitter.com/_/status/476289502508355584)
#
@aidanjjjq RT @igogarcia: How we're on the verge of an amazing new open web #indieweb http://werd.io/2014/how-were-on-the-verge-of-an-amazing-new-open (twitter.com/_/status/476290033230417920)
#
@OswegoParkDtist RT @igogarcia: How we're on the verge of an amazing new open web #indieweb http://werd.io/2014/how-were-on-the-verge-of-an-amazing-new-open (twitter.com/_/status/476291010121965569)
#
@oysfypkwwql RT @igogarcia: How we're on the verge of an amazing new open web #indieweb http://werd.io/2014/how-were-on-the-verge-of-an-amazing-new-open (twitter.com/_/status/476291859074252800)
#
@riley_oje RT @igogarcia: How we're on the verge of an amazing new open web #indieweb http://werd.io/2014/how-were-on-the-verge-of-an-amazing-new-open (twitter.com/_/status/476292433785794561)
#
@CodyBlueSnired RT @igogarcia: How we're on the verge of an amazing new open web #indieweb http://werd.io/2014/how-were-on-the-verge-of-an-amazing-new-open (twitter.com/_/status/476293562741825536)
#
@BBiafreo RT @igogarcia: How we're on the verge of an amazing new open web #indieweb http://werd.io/2014/how-were-on-the-verge-of-an-amazing-new-open (twitter.com/_/status/476294158068776960)
#
@jillkegho RT @igogarcia: How we're on the verge of an amazing new open web #indieweb http://werd.io/2014/how-were-on-the-verge-of-an-amazing-new-open (twitter.com/_/status/476294951496867840)
#
@vivimosom RT @igogarcia: How we're on the verge of an amazing new open web #indieweb http://werd.io/2014/how-were-on-the-verge-of-an-amazing-new-open (twitter.com/_/status/476295795898318848)
#
@JulianNoront RT @igogarcia: How we're on the verge of an amazing new open web #indieweb http://werd.io/2014/how-were-on-the-verge-of-an-amazing-new-open (twitter.com/_/status/476296556975771648)
pfefferle joined the channel
#
@williebegodoe RT @igogarcia: How we're on the verge of an amazing new open web #indieweb http://werd.io/2014/how-were-on-the-verge-of-an-amazing-new-open (twitter.com/_/status/476297580985348096)
#
@KiLongfelolw RT @igogarcia: How we're on the verge of an amazing new open web #indieweb http://werd.io/2014/how-were-on-the-verge-of-an-amazing-new-open (twitter.com/_/status/476298256377733120)
#
@andrewkhannse RT @igogarcia: How we're on the verge of an amazing new open web #indieweb http://werd.io/2014/how-were-on-the-verge-of-an-amazing-new-open (twitter.com/_/status/476298980955926528)
#
@SeeingBlcak RT @igogarcia: How we're on the verge of an amazing new open web #indieweb http://werd.io/2014/how-were-on-the-verge-of-an-amazing-new-open (twitter.com/_/status/476299422372868097)
#
@natawoyrr RT @igogarcia: How we're on the verge of an amazing new open web #indieweb http://werd.io/2014/how-were-on-the-verge-of-an-amazing-new-open (twitter.com/_/status/476299977082159104)
dybskiy and dybskiy_ joined the channel
#
@EdinaRotyra RT @igogarcia: How we're on the verge of an amazing new open web #indieweb http://werd.io/2014/how-were-on-the-verge-of-an-amazing-new-open (twitter.com/_/status/476300744073945088)
#
@arthurlawren_ec RT @igogarcia: How we're on the verge of an amazing new open web #indieweb http://werd.io/2014/how-were-on-the-verge-of-an-amazing-new-open (twitter.com/_/status/476301295439998976)
#
@laurenr30o RT @igogarcia: How we're on the verge of an amazing new open web #indieweb http://werd.io/2014/how-were-on-the-verge-of-an-amazing-new-open (twitter.com/_/status/476301738736353280)
#
@AmplifyMySucsce RT @igogarcia: How we're on the verge of an amazing new open web #indieweb http://werd.io/2014/how-were-on-the-verge-of-an-amazing-new-open (twitter.com/_/status/476302409921069057)
#
@cdapressomcg RT @igogarcia: How we're on the verge of an amazing new open web #indieweb http://werd.io/2014/how-were-on-the-verge-of-an-amazing-new-open (twitter.com/_/status/476302911694471168)
tobiastom and barnabywalters joined the channel
#
@knitatoms Great post from @benwerd on why the Indie Web movement is so important and gaining momentum: http://werd.io/2014/backing-up-the-indieweb-some-evidence #indieweb @indiewebcamp (twitter.com/_/status/476313722403979264)
#
@DoubleMalt RT @knitatoms: Great post from @benwerd on why the Indie Web movement is so important and gaining momentum: http://werd.io/2014/backing-up-the-indieweb-some-evidence #indiewe… (twitter.com/_/status/476314205063503872)
dybskiy joined the channel
#
tobiastom barnabywalters: got two seconds for your php-mf2 classes?
#
barnabywalters tobiastom: fire away
#
tobiastom cool, thanks. when I run this input https://github.com/tobiastom/tests/blob/master/h-card/hcard/input.html with your parser, I do not get this (expected?) result: https://github.com/tobiastom/tests/blob/master/h-card/hcard/output.json
#
barnabywalters looks
#
tobiastom especially your parser does not create two h-card items. is that intentional?
#
barnabywalters tobiastom: that test is wrong, it shows the nested microformat twice
Phae and JonathanNeal joined the channel
#
barnabywalters IIRC there was a proposal ages ago to do exactly that — surface nested microformats at the top level too
#
tobiastom I’m not playing the blame game here, but that comes directly from https://github.com/microformats/tests/blob/master/hcard.html
#
barnabywalters or to provide an alternative representation which is completely flattened
#
barnabywalters both of which turned out to be more confusing than useful
#
barnabywalters tobiastom: I’ll raise an issue on the repo — thanks!
#
tobiastom and actually, I can see to problem with returning it multiple times, but right now I would have to loop though all nodes (recursivly) to find all h-cards.
#
barnabywalters tobiastom: that should be fairly straightforward, and https://github.com/barnabywalters/php-mf-cleaner might be of use if you don’t want to write all the code yourself
#
barnabywalters specifically https://github.com/barnabywalters/php-mf-cleaner/blob/master/src/BarnabyWalters/Mf2/Functions.php#L223
#
barnabywalters findMicroformatsByType($mf2, ‘h-card’, true)
#
tobiastom yeah, I see that. but wasn’t to goal of the JSON structure to have a good interoperatable format? implementing this search is not really a problem, but maybe we could find better ways for that.
#
tobiastom for example a preferences key on each item, which will be an array with the references to the root nodes.
#
barnabywalters tobiastom: the goal of the JSON representation was to have a canonical, easy to use representation of the microformats in a piece of HTML
#
barnabywalters tobiastom: adding references to DOMElements in the parsed output is something I’ve considered before — what’s your use case for it?
#
tobiastom nope. not to the DOMElements, give me a second, I’ll fake a gist.
Sebastien-L joined the channel
#
barnabywalters tobiastom: cool. Also I can’t find https://github.com/tobiastom/tests/blob/master/h-card/hcard/output.json anywhere in https://github.com/microformats/tests/blob/master/hcard.html
#
barnabywalters so if it came directly from there, either the original has changed since then, or I’m missing something :)
#
barnabywalters btw I *love* the idea of https://github.com/tobiastom/tests/, and can’t wait to start using it!
#
tobiastom something like https://gist.github.com/tobiastom/34a64f31953b31e8a706
#
barnabywalters I’ll create a utility which makes it easy to run them over arbitrary parsers
#
barnabywalters tobiastom: what use-case does that make easier?
#
barnabywalters for the most common (in my experience) case of accessing nested microformats, that approach complicates things unnecessarily
#
barnabywalters also we should move this discussion to #microformats
#
tobiastom thanks barnabywalters. I just needed the data in a more machine readable way, so that I can test the stuff I do here. that’s why I caught the ”žerror“ in the first place.
#
tobiastom not sure how to continue in #microformats, without repeating stuff. :)
#
tobiastom also, you are right, the test seem to have changed. I’ll regenerate mines.
#
rascul ahh i figured it out
#
rascul not gonna bother with markdown, just gonna write articles as html
#
rascul no need for front matter or meta data, i can keep it inside the html and grab it with mf2py
#
rascul oops i think i meant for that in #indiechat i got my channels mixed up
#
barnabywalters rascul: publishing format discussion is fine, and encouraged in #indiewebcamp :)
#
barnabywalters it’s totally on-topic
#
rascul ok
#
rascul see i decided that markdown got silly when i put a bunch of html in it anyway
#
rascul may as well just do it all in html instead of mixing markups all over the place
#
barnabywalters rascul: personally I author articles and notes in markdown, manually adding HTML whenever necessary, but only save the HTML
#
barnabywalters so future edits are to the HTML
#
barnabywalters I’ve found that to be a good balance of markdown as a convenient authoring tool, and HTML as a precise, long term archival
#
rascul also i don't have to keep any meta data around which makes it easier
#
tobiastom damit. looks like I lost the genrator for that tests…
#
tobiastom nice, time machine for the rescure.
tantek, dybskiy, ttepasse, pfefferle, jsilvestre and BjornW joined the channel
#
tantek rascul, I'm very interested in your compare/contrast in using HTML vs markdown as your format for writing articles
#
tantek here's a question, how about markdown, but put all the metadata in an HTML block at the top (instead of goofy JSON-like syntax)
#
tantek i.e. is there some hybrid approach that would be get benefits of both?
#
rascul hrm interesting idea you have
#
tantek hasn't tried it. just thinking out loud based on what you said.
jonnybarnes joined the channel
#
rascul tantek your idea is excellent that's what i'm going with now
#
rascul i didn't want to use any sort of meta data because that stuff is already in the articles in microformats
Sebastien-L and caseorganic joined the channel
#
tantek rascul - right, that was the idea. just a top level <article class=h-entry> with all the other (non content) properties right there at the top, and then </article> at the bottom
#
tantek or even <div>
#
tantek <div class=h-entry>
dybskiy, dybskiy_, scor, chloeweil and luxagraf joined the channel
#
luxagraf is #indiechat logged anywhere? I'm curious what the markdown problem is that you're talking about
#
rascul no problem, i was just considering not using it since i end up writing html anyway, then tantek came up with a solution that works for me
#
@ShaneHudson @ryanhavoc That's too static for my needs, sadly! I need database (or a very strong data structure) for comments, webmentions etc (twitter.com/_/status/476356831569514496)
#
GWG !tell acegiak Might want to check out the latest push
#
Loqi Ok, I'll tell them that when I see them next
#
luxagraf i have a question for the no database crowd. how and where do you store incoming webmentions?
#
jonnybarnes what is micropub
#
Loqi Micropub is an API spec that is used to create h-entry or h-event posts on one's own domain using third-party clients http://indiewebcamp.com/micropub
#
barnabywalters luxagraf: http://indiewebcamp.com/Taproot#Storage — any further questions, just ask
chrissaad joined the channel
#
@strwbrryLttr23 @jmenglund03 Perfect timing -- come join us next Wednesday! Would be great to meet you! https://www.facebook.com/events/805644702779370/ #indieweb (twitter.com/_/status/476359182967263234)
#
luxagraf barnabywalters: so you pull in the stored webmentions as the post is built and written out to html?
#
barnabywalters luxagraf: yep, “querying” a CSV file
#
barnabywalters I’m barely in the no-db crowd, I just have a fake database :)
#
luxagraf barnabywalters: yeah, CSV huh? that's always seemed like a very fragile format to me.
#
luxagraf barnabywalters: but it is pretty unlikely to corrupt data
pfefferle joined the channel
#
barnabywalters luxagraf: yep, and can be rebuilt in seconds and is rather fast
dybskiy joined the channel
#
cweiske the libraries accessing the csv file are the ones that corrupt them
#
cweiske not the data themselves
#
luxagraf cweiske: true.
brianloveswords, caseorganic and caseorga_ joined the channel
#
jonnybarnes aaronpk: I can't log into indiewebcamp.com
#
jonnybarnes I get RelParser::SSLError at /auth/start
#
jonnybarnes file: relparser.rb
#
jonnybarnes location: rescue in load_page
#
jonnybarnes line: 91
#
jonnybarnes anyone else getting indieauth errors?
snarfed joined the channel
#
cweiske no
#
cweiske but I don't use ssl
#
acegiak GWG: missing bracket? :P
#
Loqi acegiak: GWG left you a message 45 minutes ago: Might want to check out the latest push
#
GWG acegiak: We all make mistakes.
#
cweiske indieweb homepage points 2 and 3 are diametral
#
GWG But, I was talking about kind-functions
#
cweiske "your articles go to all services" vs. " with no one monitoring you"
#
acegiak functions look good. ill have to check how the classes look for repost with comment
#
luxagraf jonnybarnes: worked for me.
#
barnabywalters cweiske: indeed, “monitoring” is too vague in this case
#
barnabywalters “censoring” or “controlling” might be more accurate
#
GWG acegiak: I based the functions on the syntax of existing Wordpress functions. kind_class is based on body_class.
#
GWG acegiak: Besides, you can add additional cases. Anything for which there isn't a specific case will add in the kind slug as a class.
#
acegiak yeah makes sense
#
cweiske because now, every service is monitoring you
#
cweiske which means that groups doing surveillance only need to monitor one service now instead of multiple :)
#
aaronpk jonnybarnes: argh...
#
barnabywalters cweiske: not necessarily — take the extreme case of facebook listening to the audio as you post, that can only be done by compromising people’s servers
#
aaronpk that error is supposed to be caught better now
#
jonnybarnes clicking rescan says there was an SSL error
#
barnabywalters but agreed, the terminology could be better
#
cweiske ah, you mean the microphone?
#
jonnybarnes this is appearing in my nginx access.log if it helps: 173.230.155.197 - - [10/Jun/2014:16:27:48 +0200] "GET / HTTP/1.1" 200 5475 "-" "-"
#
jonnybarnes I'm not sure what the 5475 part means
#
cweiske number of bytes sent from the server
#
aaronpk hm in this case i'm actually getting a more specific error that just isn't being displayed
#
aaronpk "SSL ERROR: hostname does not match the server certificate"
#
jonnybarnes hmmm
#
barnabywalters cweiske: yeah :/
#
barnabywalters fortunately such things can’t be done without explicitly giving permission on web devices
gRegor` joined the channel
#
barnabywalters s/web devices/web browsers
#
Loqi barnabywalters meant to say: fortunately such things can’t be done without explicitly giving permission on web browsers
#
aaronpk that almost sounds like an SNI error, except that I know indieauth.com works with SNI sites because mine is one
#
cweiske aaronpk, does the indiewebcamp.com login support custom indieauth servers, or does it foce me on indieauth.com?
#
aaronpk cweiske: did you read the logs from yesterday? :D
#
cweiske no
#
aaronpk indiewebcamp.com uses indieauth.com to handle authentication. that is a decision you do not need to care about
#
jonnybarnes aaronpk: it is an SNI type error
#
aaronpk however i'm in the process of making indieauth.com recognize custom OAuth servers
#
jonnybarnes without the -servername option openssl s_client gets the wrong cert sent back by me server
#
aaronpk so when signing in to the wiki, you will see something like this: https://farm4.staticflickr.com/3837/14193432239_2ac9a4e7ff_o.png
#
jonnybarnes obv with the servername option I'm serving the correct SSL cert
#
luxagraf barnabywalters: that we know of :)
#
barnabywalters luxagraf: don’t even go there :)
#
barnabywalters I trust firefox not to do such things
#
aaronpk cweiske: more generally, IndieAuth clients should look for one or more "rel=authorization_endpoint" servers and present those as an option to the user
#
cweiske indieauth solves the nascar problem by not showing logos except for persona
#
luxagraf I trust even the best, well-intention programmers to make mistakes
#
barnabywalters luxagraf: yeah, and AFAIK a complete, independant security audit of firefox hasn’t been done.
#
jonnybarnes aaronpk: I've "fixed" the issue by getting my server to return the jonnybarnes.net SSL cert when SNI is not in use
#
luxagraf barnabywalters: cwesiek has an interesting point though and there doesn't seem to be a page on the wiki with that criticism
#
barnabywalters luxagraf: indeed, makes those little webcam-cover vinyl things particularly necessary
#
barnabywalters luxagraf: cweiske: this is true. not sure where it should go — /privacy?
#
jonnybarnes aaronpk: I've logged into indiewebcamp.com now
#
barnabywalters so far indiewebcamp work in general has been focused more on publishing than privacy, but it’s an important factor to many here
#
aaronpk jonnybarnes: that's bizarre... can you open an issue here and document your SSL setup and versions of web server and openssl? https://github.com/aaronpk/IndieAuth/issues
#
luxagraf barnabywalters: or a piece of electrical tap (goes well with DIY tinfoil hat)
#
jonnybarnes aaronpk: opening now
#
luxagraf s/tap/tape
#
Loqi luxagraf meant to say: barnabywalters: or a piece of electrical tape (goes well with DIY tinfoil hat)
#
luxagraf that's my one remaining use for Flickr, sharing photos with specific sets of people. i need an indieweb way to do that on my own site.
#
barnabywalters I’m sure we had a page on access control somewhere
#
barnabywalters as some people have experimented with that
#
luxagraf barnabywalters: there's http://indiewebcamp.com/private_posts
#
barnabywalters ew underscores — thanks! missed that one
#
waterpigs.co.uk created /access-control (+24) "Created page with "#redirect[private_posts]"" (view diff)
#
waterpigs.co.uk created /private (+24) "Created page with "#redirect[private_posts]"" (view diff)
#
gRegor` kylewm tested sharing a note only to specific URLs using indieauth
#
waterpigs.co.uk edited /access-control (+2) "Redirected page to [[private posts]]" (view diff)
#
waterpigs.co.uk edited /private (+2) "argh wiki syntax" (view diff)
#
barnabywalters gRegor`: yep, aaronpk has that working, I used to have it working but never used it so turned it off
#
waterpigs.co.uk edited /private_posts (+26) "linked to privacy" (view diff)
#
luxagraf For my specific case I suppose a simple .htpasswd would work as well as anything. Not very scalable, but then I'm not sure that's something that will ever need to scale
#
waterpigs.co.uk created /privacy (+585) "stubbed page" (view diff)
#
luxagraf.net edited /User:Luxagraf.net (+84) "added goal" (view diff)
#
barnabywalters ^^^ luxagraf, cweiske, feel free to expand /privacy with brainstorming, criticism, goals, examples etc
#
gregorlove.com created /PGP (+17) "redirect" (view diff)
#
jonnybarnes ooh, a new feature for Loqi could be to announce on here things from relevant Github repos
#
gregorlove.com edited /privacy (+10) "/* See Also */" (view diff)
#
jonnybarnes such as this new issue I've opened on IndeAuth: https://github.com/aaronpk/IndieAuth/issues/55
dybskiy joined the channel
#
gregorlove.com edited /pgp (+17) "+dfn" (view diff)
#
gregorlove.com edited /pgp (+0) (view diff)
#
jonnybarnes.net edited /micropub (+285) "/* h-entry */ sending location with a note" (view diff)
#
cweiske aaronpk, why does the auth code verification do a POST instead of a GET? http://indiewebcamp.com/login-brainstorming#Verifying_the_authorization_code
#
jonnybarnes cweiske: security maybe? if the request is done over HTTPS then no-one would see the info being sent
#
cweiske do you mean http?
#
jonnybarnes cweiske: no, the request is to https://indieauth.com/
caseorga_ joined the channel
#
cweiske I don't talk about https vs. http
#
cweiske I talk about GET vs. POST
#
jonnybarnes yeah, just realised, doesn't matter, you have to negotiate a secure connection before you make a GET request
#
tantek.com edited /events/2014-06-18-homebrew-website-club (+698) "Minneapolis is a go!" (view diff)
tantek joined the channel
#
cweiske tantek, do you know?
#
cweiske why does the auth code verification do a POST instead of a GET? http://indiewebcamp.com/login-brainstorming#Verifying_the_authorization_code
#
aaronpk cweiske: because GET requests are more often logged by intermediate proxy servers, etc.
#
aaronpk it's from http://tools.ietf.org/html/rfc6749#section-5
GWG joined the channel
#
tantek aaronpk - sounds like a good addition to the FAQ!
#
tantek (especially since you have a citation)
#
gregorlove.com edited /events/2014-06-18-homebrew-website-club (+13) "/* RSVP */" (view diff)
#
cweiske why is that a problem? the token gets only verified, and after that the token is invalid anyhow
#
aaronpk if you like I can try to dig up the actual email from the OAuth list where that was decided
#
cweiske btw, I don't find anything related to get vs. post in section 5
#
aaronpk yeah section 5 just shows it's a POST. I think they moved all the notes about it to a separate doc
#
cweiske no, sect 5 does not show it's a post
#
aaronpk yes it does http://tools.ietf.org/html/rfc6749##The+parameters+are+included+in+the+entity-body
#
cweiske that's the response
#
aaronpk gah whered it go
#
cweiske that sentence talks about the response, not the request
#
cweiske you might get lost with "parameters"
#
cweiske because one would expect "parameters" only be used for requests
#
aaronpk here we go
#
cweiske not response "parameters"
#
aaronpk http://tools.ietf.org/html/rfc6749#section-3.2
#
aaronpk "The client MUST use the HTTP "POST" method when making access token requests."
#
aaronpk yeah hm that is poorly worded
#
aaronpk found more references
wagle joined the channel
#
jonnybarnes how should micropub clients send location info? see what I said in location at http://indiewebcamp.com/micropub#h-entry
#
jonnybarnes is there any accepted way?
#
aaronparecki.com edited /authorization-endpoint (+449) "add FAQ about POST vs GET" (view diff)
#
aaronpk cweiske: tantek: http://indiewebcamp.com/authorization-endpoint#Why_are_auth_codes_verified_with_a_POST_instead_of_a_GET
#
cweiske thanks
#
jonnybarnes aaronpk: did you see my issue I opened?
#
cweiske bb
ttepasse joined the channel
#
tantek thanks aaronpk
#
aaronpk jonnybarnes: yep thanks
#
aaronpk jonnybarnes: right now ownyourgram.com is sending a geo: URI in the "location" field, along with a separate "place_name" field
#
aaronpk i'm not entirely happy with that but it works
#
jonnybarnes aaronpk: what would you prefer it did?
#
aaronpk a geo: URI for location is fine, it's the place name that i'm uncertain about
#
jonnybarnes are geo URI spec'd anwhere? microformats wiki?
#
aaronpk http://en.wikipedia.org/wiki/Geo_URI
#
jonnybarnes thanks
#
jonnybarnes so what do you think is wrong with the `place_name`?
#
aaronpk it's just kind of arbitrary
#
aaronparecki.com edited /micropub (+112) "/* h-entry */ add example geo URI" (view diff)
#
luxagraf is there a way to send a webmention such that only the relevant paragraph comes through?
#
aaronpk that's more up to the decision of the side receiving the mention
#
GWG I probably should leave the house today.
#
GWG As opposed to coding indieweb plugins for Wordpress
#
luxagraf aaronpk: that's what I figured
jsilvestre joined the channel
#
GWG acegiak: Any ideas on what should be next?
dybskiy and caseorganic joined the channel
#
luxagraf to go back briefly to the privacy things, does anyone here have any sort of privacy policy on their site?
#
luxagraf e.g. when you come to this site, these services can track you sort of thing
#
tantek luxagraf yes!
#
tantek what is tracking
#
tantek what is disclosure
#
Loqi A disclosure is a bit of content, typically on a home page, on an indie web site that proactively discloses some aspect about the site that the site owner wants the user to explicitly be aware of http://indiewebcamp.com/disclosure
#
luxagraf tantek: ah, disclosure. didn't try that term
#
tantek.com edited /disclosure (+42) "privacy policy" (view diff)
npdoty joined the channel
#
aaronparecki.com edited /privacy (+17) "/* See Also */ [[disclosure]]" (view diff)
benwerd joined the channel
#
tantek luxagraf, please feel free to add to http://indiewebcamp.com/disclosure !
#
aaronpk this post is public now that silicon florist posted about it:
#
aaronpk http://aaronparecki.com/articles/2014/06/06/1/the-importance-of-urls
#
aaronpk somewhat relevant to the indieweb :)
#
luxagraf tantek: working on getting a privacy statement on my site, when that's done I'll add it to /disclosure examples
#
tantek.com edited /privacy (+198) "provide another reference for privacy policy" (view diff)
#
tantek luxagraf - are you researching existing privacy policies or are you just making one up?
#
tantek.com edited /disclosure (+14) "see also privacy" (view diff)
#
luxagraf tantek: i was just making one up when i thought, huh, prior art might be good here
#
luxagraf tantek: but I'm creating a privacy policy that just says, hey, i track your visits, but no one else does
#
luxagraf unless arcgisonline.com sends something with map tiles. hmm, have to look into that.
#
aaronpk that's not really a privacy policy, that's disclosure
#
luxagraf aaronpk: i was just going off wikipedia's definition: "A privacy policy is a statement or a legal document (privacy law) that discloses some or all of the ways a party gathers, uses, discloses and manages a customer or client's data"
#
luxagraf aaronpk: because wikipedia is never wrong
#
aaronpk yeah I suppose, just feels wrong to call it a privacy policy
#
luxagraf aaronpk: why?
#
aaronpk a privacy policy seems like something I have to agree to in order to continue using the site
#
tantek luxagraf feel free to start /privacy_policy
#
aaronpk i may be overthinking it tho
#
tantek even with just examples in the wild, even just from silos
#
tantek links are good
#
aaronpk yeah examples would be great
#
luxagraf aaronpk: exactly. you're implicitly agreeing to it whenever you visit a site.
#
luxagraf I'm not hung up on the name though, i can just add things to /disclosure
#
aaronpk privacy policy might be better cause it's a more used term
#
aaronpk meh
#
luxagraf aaronpk: doesn't mean it's better though
#
luxagraf maybe adding a section to /disclosure that just says, "sometimes called a privacy policy" or something...
#
gRegor` aaronpk: Ahh, that chirpify thing makes sense now. I saw your tweet and waxpancake say something about it being evil, but I didn't get why.
#
@pepelsbey_ It’s sad that @t and other guys from Mozilla are using 2012 @shower_me version for 2014 presentations — http://tantek.com/presentations/2014/05/indieweb/ (twitter.com/_/status/476398980575010816)
#
@pepelsbey Грустно, что @t и другие ребята из Mozilla используют версию @shower_me 2012 года для презентаций в 2014-м — http://tantek.com/presentations/2014/05/indieweb/ (twitter.com/_/status/476399101610049536)
tantek, caseorganic and snarfed joined the channel
#
wtd caseorganic: I liked your talk at AWE a couple of weeks ago.
#
caseorganic wtd: thanks very much! glad you were there!
#
tantek Minneapolis HWC meetup next week is a go!
#
wtd caseorganic: Quite the event. I found it all a bit odd, but I'm not used to Silicon Valley.
#
caseorganic wtd: where are you from?
#
wtd caseorganic: Toronto, working in libraries.
#
caseorganic wtd: last year's event was really good. very creative. now the industry is over the hype cycle and is applicable to industrial applications, enterprise and adverts
#
wtd Heh, exactly.
#
caseorganic wtd: want to continue this convo in #indiechat?
#
wtd caseorganic: Sure, let move windows around.
#
@funnymonkey Currently reading about fragmentations: http://indiewebcamp.com/fragmention##Challenges - h/t @kevinmarks @benwerd (twitter.com/_/status/476405095014203393)
#
caseorganic any people in toronto interested in hosting a HWC or IndieWebCamp?
dybskiy, tantek, emmak, j12t and paulcp joined the channel
#
GWG I am once again trying to figure out what a like looks like
iangreenleaf and j12t joined the channel
#
GWG Anyone have strong feelings about it?
#
aaronpk hasn't figured out what that's going to look like on his site yet
#
GWG Maybe I should start with reply, but like seemed easier to code
barnabywalters joined the channel
#
barnabywalters GWG: designing how to display a post is way more effort than writing the plumbing for it, so I’d recommend reply if you’re unsure how to display likes
#
GWG I agonize over every decision
dybskiy, jsilvestre and squeakytoy joined the channel
#
bret GWG: just do something and let the agony lead you
#
bret even if its a small, unoticeable increment it will feel good
#
GWG I also have to, because of my modular design, design two versions
#
bret who is the second version for?
#
GWG Me
#
bret i dont understand
tantek and chrissaad joined the channel
#
GWG I am using WordPress, so the plugin needs a barebones implementation, and then I want a deluxe version in the theme
#
@jalbertbowdenii @StanZheng i publish all my twitter shit via api onto my site. browser offers built in search. could be betta. #ownyourdata (twitter.com/_/status/476422374334926848)
#
Loqi gives GWG a deluxe version in the theme
eschnou joined the channel
#
tantek lol
Kyle-K joined the channel
#
benwerd Whoa. Spoke to Domain of One's Own yesterday
#
benwerd they've already written a POSSE plugin from Known => WordPress.
#
benwerd Fast work.
#
@nobantu Registration is OPEN for #IIW XIX #19 Take advantage of SUPER EarlyBird Prices now: https://www.eventbrite.com/e/internet-identity-workshop-xix-19-2014b-tickets-11845172229 #identity #VRM #UMA #Indieweb (twitter.com/_/status/476426983463596032)
#
aaronpk hm might be fun to go to that again!
#
caseorganic aaronpk: yeah! i liked that one
#
aaronpk that was the one I went to with benwerd and erinjo and kevinmarks a few weeks ago at the computer history museum
#
caseorganic aaronpk: yay! comp hist museum
#
Loqi does a happy dance!
eschnou joined the channel
#
caseorganic aaronpk: i'll be speaking in nyc - perhaps i could fly to sf on the way back
#
aaronpk hm! that could work!
shaners, lupinedev and gavinc_ joined the channel
#
aaronpk whoa orchestrate.io is phasing out Persona login in favor of user/pass http://orchestrate.io/blog/2014/06/10/userauth/
#
aaronpk that's like an... auth death?
#
aaronpk what's the proper header for that on the /Persona page?
#
aaronparecki.com edited /how-to-sponsor (+2551) "add more event background and details" (view diff)
#
tantek aaronpk - see /OpenID
#
aaronpk thx
#
aaronpk #Shutdowns
cweiske joined the channel
#
aaronparecki.com edited /Persona (+300) "add "shutdowns" section and note orchestrate.io" (view diff)
KartikPrabhu and lionzan joined the channel
#
aaronparecki.com edited /how-to-sponsor (+964) "/* Sponsorship */ reorganize sponsor amount sections" (view diff)
#
cweiske aaronpk, http://indiewebcamp.com/login-brainstorming - auth request: what is "state"? is that parameter app-specific?
#
aaronpk yes
KartikPrabhu joined the channel
#
cweiske does the auth server have to support it?
#
aaronpk yeah
#
aaronpk it just passes it through, doesn't need to interpret it or anything
#
cweiske can I invent my own parameters that the auth servers have to support?
#
aaronpk no, that's what state is for
#
aaronpk you can encode data in it if you want, or use it as a session token
#
cweiske ok.
#
cweiske what is "response_type"?
#
aaronpk this one i'm not 100% sold on yet. in OAuth 2.0, response_type will be either "code" or "token"
#
cweiske login-brainstorming tells me to default to "id"
#
aaronpk it's not really possible to support "token" for indieauth
#
cweiske auth-brainstorming has "code"
#
aaronpk OpenID connect supports an additional "id" type
#
cweiske why do I have to put "state" manually in the callback url? why isn't it already part of the callback url?
#
aaronpk so my thought is that it will be either "id" or "code". in the case of "id" it means the consumer is not requesting authorization, just authentication
#
aaronpk if you omit response_type then it's the same as not asking for authorization, so that's why it defaults to "id"
#
aaronpk ---
#
aaronpk re: state in the callback URL, who is "I" in your question?
#
cweiske the server
#
@veganstraightedge "The Internet With A Human Face" has so many great #indieweb lessons in it. http://idlewords.com/bt14.htm (twitter.com/_/status/476443474015703040)
#
cweiske the server gets it as parameter separate from the callback url, but is required to put it into the callback url when redirecting back
#
aaronpk the callback URL shouldn't be dynamic per request so that callback URLs can be registered
#
aaronpk "state" is allowed to vary per request
paulcp joined the channel
#
cweiske why should callback urls be registered?
#
aaronpk without registration it's easier to perform a redirect attack. more background here: http://tools.ietf.org/html/rfc6749#section-3.1.2.2
#
cweiske ok. how does the client website register the callback at the server?
#
aaronpk haven't written this part up yet, but the idea is for the client to publish its registered redirect URIs on its web page with a <link> tag
#
aaronpk and since client IDs are always URLs, it's all discoverable that way
#
cweiske I have the feeling the deeper I proceed in this rabbit hole, the more complex indie auth becomes
#
aaronpk so for client_id https://example.com/ a server can find its valid redirect URIs by looking for <link rel="redirect_uri" href="https://example.com/callback"> at example.com
#
aaronpk :)
#
aaronpk you asked
#
cweiske yes, I asked. we'll see if indieauth is really simpler than openid
#
cweiske I do still have my doubts
#
aaronpk so far signs point to yes
#
cweiske ha. not even everything is documented yet
#
aaronpk and yet there are still a bunch of sites that use it :)
#
shaners cweiske: at the very least, indieauth is MUCH easier as a user.
#
shaners i can't speak to ease as an implementor, yet
#
cweiske yes, you and your dunstkreis
#
aaronpk believe me i'm trying really hard to make sure this doesn't rely on centralized services. at the same time, building login mechanisms is the last thing most peope want to do, so using swappable services for parts is useful.
gavinc_ joined the channel
#
cweiske aaronpk, authorization request as described on http://indiewebcamp.com/login-brainstorming - is that a GET or a POST?
#
GWG !tell acegiak Pushed again, updated roadmap with plans. Starting to build display elements
#
Loqi Ok, I'll tell them that when I see them next
#
aaronpk GET, because the browser is directed there with a Location header
erikmaarten joined the channel
#
cweiske may it be a POST?
#
aaronpk hm oauth2 says MUST support GET and MAY support POST http://tools.ietf.org/html/rfc6749#section-3.1
#
cweiske and there is no location header. the login form on the wiki does a get request by the browser's form submit
#
aaronpk i'm not sure why you'd want to do it as a post
#
aaronparecki.com edited /login-brainstorming (+273) "/* Authorization Endpoint */ clarify directing the user to the auth endpoint with a Location header or link" (view diff)
ttepasse joined the channel
#
aaronparecki.com edited /how-to-sponsor (+278) "/* Sponsorship */ trying to make this look better" (view diff)
#
cweiske ok, now I understand. I have to discover the auth server first
#
cweiske location makes sense then
barnabywalters and pauloppenheim joined the channel
#
aaronparecki.com edited /how-to-sponsor (-132) "/* Sponsorship */ remove css" (view diff)
fmarier joined the channel
#
cweiske aaronpk, may the auth code be used multiple times?
#
aaronpk no
#
aaronpk (looking for citation)
#
cweiske then I do not see why a POST needs to be made to verify the code. since it cannot be used multiple times, the validation request itself invalidates the code
#
cweiske and thus cannot be used again
#
aaronpk in practice most implementations allow the code to be used for x seconds, like 30 or 60, during which period it will be accepted multiple times
#
aaronpk that is in order to avoid needing to store state on the server
#
aaronpk indieauth.com currently stores the auth codes in a database but i'm going to replace that soon so that it doesn't require a DB
caseorga_ joined the channel
#
aaronpk my token endpoint doesn't require any backend storage because it uses self-encoded tokens for everythign
caseorga_ joined the channel
#
@kevinmarks RT @veganstraightedge: "The Internet With A Human Face" has so many great #indieweb lessons in it. http://idlewords.com/bt14.htm (twitter.com/_/status/476456813286551553)
#
cweiske so all data is encoded in token?
#
aaronpk yes, implementation notes here: http://indiewebcamp.com/token-endpoint#Self-Encoded_Tokens
#
@Sociability "The Internet With A Human Face" has so many great #indieweb lessons in it http://idlewords.com/bt14.htm (via @veganstraightedge) (twitter.com/_/status/476457057856782336)
tantek joined the channel
#
aaronpk looks like I was wrong about the auth code being used more than once. http://tools.ietf.org/html/rfc6749#section-4.1.2
#
aaronpk "A maximum authorization code lifetime of 10 minutes is recommended. The client MUST NOT use the authorization code more than once."
#
aaronparecki.com edited /authorization-endpoint (+1045) "/* FAQ */ add some more FAQs" (view diff)
#
aaronparecki.com edited /how-to-sponsor (+1078) "/* Sponsorship */ add details about sponsorship levels" (view diff)
vanderwal joined the channel
#
tantek anyone want to try a webrtc demo with talky.io in the next half hour?
#
tantek I'm at W3C AC meeting, talking about tools
etymancer joined the channel
#
aaronparecki.com edited /how-to-sponsor (+0) "/* Sponsorship */" (view diff)
#
aaronparecki.com edited /how-to-sponsor (+35) "/* Sponsorship */ add $ to the table" (view diff)
#
aaronparecki.com edited /how-to-sponsor (+31) "/* Sponsorship */ capitalize sentences" (view diff)
Loqi joined the channel
#
@temporaryhuman "How do we build an Internet we're not ashamed of?" MT @veganstraightedge: Internet w/ A HumanFace #indieweb lessons http://idlewords.com/bt14.htm (twitter.com/_/status/476463243087855616)
brianloveswords, emmak_, Sebastien-L and lionzan_ joined the channel
#
bret tantek: still need a demo?
#
tantek hey bret
#
tantek talky.io/w3c
#
bret who is the epic beard?
#
bret was the audio okay?
krendil joined the channel
#
aaronparecki.com uploaded /Special:Log/upload "uploaded "[[File:2014-03-07-iwc-sf-pano.jpg]]""
#
aaronparecki.com uploaded /Special:Log/upload "uploaded "[[File:2014-03-08-iwc-sf-pano.jpg]]""
#
aaronparecki.com edited /2014/SF (+99) "/* Photos */ add photos" (view diff)
snarfed, chrissaad and tantek joined the channel
#
tantek bret - audio was good! Thanks much!
#
tantek epic beard? this was a W3C meeting, you'll have to be more specific
caseorga_, dybskiy, benwerd and wtd joined the channel
#
aaronpk hah best bio ever... "I write cache invalidation protocols, then name them" - https://twitter.com/mnot
#
aaronpk i want to ask him if he can count to 2 as well
#
barnabywalters aaronpk: “I wrote a cache invalidation protocol, then named them”
#
aaronpk barnabywalters++
#
Loqi barnabywalters has 45 karma
#
aaronpk you win that joke
#
cweiske aaronpk, did you have an app that supports authorization_endpoint?
#
aaronpk ownyourgram.com does
#
aaronpk it does the authorization on its own, not using indieauth.com even
#
aaronpk oh and https://quill.p3k.io now too
#
cweiske unfortunately, all want more than plain auth
#
cweiske (token and micropub)
#
aaronpk yeah, sorry
#
aaronpk you can just point to https://tokens.indieauth.com/token for your token endpoint and put in a fake micropub endpoint if you want to test it
#
@t Presented @W3C AC meeting on how @IndieWebCamp develops/implements specs (e.g. Webmention) WITHOUT email, ... http://tantek.com/2014/161/t1/w3c-ac-how-developed-specs-without-email (twitter.com/_/status/476477108366348290)
#
aaronpk it won't try to do anything with the micropub endpoint until you make a request
paulcp and KartikPrabhu joined the channel
#
cweiske whoa
#
cweiske it works
#
tantek nice!
#
cweiske so I've got a indieauth-openid proxy now
#
aaronpk whoa sweet!
#
cweiske proxies all indieauth requests to the user's openid server
#
aaronpk wow. congrats
#
tantek cweiske++ for keeping the flame alive
#
Loqi cweiske has 7 karma
#
cweiske <link rel="authorization_endpoint" href="http://cweiske.de/indieauth-openid/www/" />
#
cweiske everyone could use that one already
#
tantek and for loosely joining the small pieces
#
tantek seriously, well done.
#
cweiske ok, time for bed now
#
cweiske bb
#
@jorgeegomez RT @t: Presented @W3C AC meeting on how @IndieWebCamp develops/implements specs (e.g. Webmention) WITHOUT email, ... http://tantek.com/2014/161/t1/w3c-ac-how-developed-specs-without-email (twitter.com/_/status/476478474312757248)
#
@domenicoperri RT @t: Presented @W3C AC meeting on how @IndieWebCamp develops/implements specs (e.g. Webmention) WITHOUT email, ... http://tantek.com/2014/161/t1/w3c-ac-how-developed-specs-without-email (twitter.com/_/status/476480647871991808)
fmarier joined the channel
#
kylewm huh, i think i'm confused. where https://indieauth.com/openid is a way to use indieauth as your openid provider, cweiske's proxy is a way to use openid as your micropub authorization endpoint?
#
aaronpk haha yeah, it's the opposite
#
aaronpk assuming you already have an openid endpoint, you can use his proxy to turn it into an indieauth endpoint
#
kylewm cool!
#
kylewm (i was confused because indieauth is my openid provider, so obviously got sent to indieauth when i went through his endpoint)
#
aaronpk i'm gonna have to use it on a test domain for signing in to these test apps. it's getting to the point where I need to be able to sign in as different users using different mechanisms to test everything
#
aaronpk kylewm: hahaha wow
#
aaronpk yeah indieauth.com is serving several roles in this picture, which makes it kind of confusing to talk about
#
bret i wanna make more graffles
#
bret :D
#
bret i just wish there was an esier way to share them
#
bret the vector export failed pretty badly
tantek joined the channel
#
bret http://cweiske.de/home_stylesheet.htm cool
#
aaronpk nice! I should totally do that too.
#
aaronpk but it would be based on my current location, not just my hometown
#
bret incorporate location
#
bret :D
#
GWG What is a graffle?
#
bret omnigraffle
#
bret GWG: http://indiewebcamp.com/auth-brainstorming
caseorganic joined the channel
#
GWG bret: Haven't gotten to authorization yet
#
GWG bret: Although I would have if I was going A to Z
#
GWG I'm sort of meandering around the indieweb
#
bret The endpoint is the fun part
#
bret i skipped auth and tokens
#
bret cause its easy to skip those
#
bret https://twitter.com/EdwardTufte/status/475518906409713664
#
@EdwardTufte Don Knuth on why he dropped email in 1990, after 15 years. https://twitter.com/EdwardTufte/status/475518906409713664/photo/1 (twitter.com/_/status/475518906409713664)
#
aaronpk heh I agree with this: https://twitter.com/davidkidd/status/475520098027851776
#
@davidkidd @EdwardTufte This reads more like an argument for getting "a wonderful secretary" to handle your email, rather than ditching email. (twitter.com/_/status/475520098027851776)
#
bret lol
#
aaronpk also https://twitter.com/mohamed/status/475538853995220992
#
@mohamed @sivers I like the idea of dealing in batch versus constant attention as a way to maintain focus. (twitter.com/_/status/475538853995220992)
benwerd joined the channel
#
tantek aaronpk, bret - interesting coincidence, fall of 1989 (september to december) was the quarter when Knuth taught his last class at Stanford as well (I was fortunate enough to take it).
#
bret haha no way?
#
tantek so it makes sense that he was able to drop email, since he no longer had to communicate with students re: classes.
#
tantek as of 1990-01-01
#
bret he passed along his taste for email i see ;)
#
tantek I didn't read his screed about email until MUCH later - in fact - only after I wrote EmailEfail
#
tantek tantek.com/w/EmailEfail
benwerd joined the channel
#
bret some of those links have been murdured by about.me
#
bret http://www.mickipedia.com/?p=1333 - Fatty fatty facebook
dybskiy joined the channel
#
tantek benwerd snarfed, SF location for next week's Homebrew Website Club? http://indiewebcamp.com/events/2014-06-18-homebrew-website-club
#
tantek notes there's a Minneapolis location already :)
#
tantek.com edited /Events (+103) "Chicago and Minneapolis" (view diff)
#
tantek.com edited /Main_Page (+19) "/* Homebrew Website Club */ -London, +Minneapolis" (view diff)
#
@rekeds IndieWeb http://jj.rollin.lv/?name=indieweb (twitter.com/_/status/476497890433458176)
#
aaronpk ironically it seems that more people have rel=nofollow on their twitter and github links than rel=me
#
bret hey, might be spam
benwerd_, paulcp and tantek joined the channel
#
@equivalentideas .@t to @W3C AC meeting on how @IndieWebCamp develops/implements specs with no email, @CassPF @Info_Aus http://tantek.com/2014/161/t1/w3c-ac-how-developed-specs-without-email (twitter.com/_/status/476500555485827073)
vanderwal and kylewm joined the channel
#
snarfed !tell tantek definitely! we'll start planning now
#
Loqi Ok, I'll tell him that when I see him next
#
snarfed benwerd_: thoughts on hwc 6/18? matter, quip, …?
#
KartikPrabhu re: email - if you need a "wonderful secretary" to handle email you're doing something wrong... (says me who has never gotten loads of email)
tantek joined the channel
#
Loqi tantek: snarfed left you a message 17 minutes ago: definitely! we'll start planning now
#
tantek.com edited /Main_Page (+1) "/* Homebrew Website Club */ e" (view diff)