#dev 2016-09-29

2016-09-29 UTC
# 00:24 
gRegorLove aaronpk: Are there some good guidelines on generating the code and realm values?
# 00:26 
aaronpk hmm
# 00:26 
aaronpk I wrote some stuff about the code here: https://www.oauth.com/oauth2-servers/authorization/the-authorization-response/
# 00:28 
aaronpk for realm, I intentionally left it somewhat vague in the spec because I want to see what people end up doing with it. my plan for that was going to be to return either the URL of the person who can see the post, or a random string that maps to the URL
KevinMarks joined the channel
# 01:13 
KevinMarks Hm,  if mention-tech implemented private webmentions, I'm not sure what it would do with them
KevinMarks_ joined the channel
# 02:19 
gRegorLove Having a hard time understanding the difference between JWS and JWT.
# 02:24 
aaronpk JWS is the algorithm.payload.signature structure. JWT defines a bunch of terms to use in the payload.
# 02:42 
gRegorLove Ok, so seems it's fine to use the firebase/JWT lib and just JWT::encode('example.com')? Makes longer codes than I expected from the examples, but seems to work fine.
# 02:42 
gRegorLove Just want to make sure it's secure
# 02:46 
aaronpk yep it's fine. that library should have been called JWS in the first place.
# 02:46 
aaronpk they later started adding some of the JWT vocab to it
# 02:46 
aaronpk so now it validates the expiration date itself if you give it a key called "exp" in the payload
# 02:47 
gRegorLove Ahh
# 02:47 
gRegorLove Yeah that's what confused me, looking over the code it seemed exactly what JWS spec described
# 02:48 
aaronpk you were not the only one confused by the difference between JWT and JWS :)
KevinMarks and ChrisAldrich joined the channel
# 03:35 
gRegorLove I've got exchanging a code for access token working now.
# 03:35 
aaronpk woo!
# 03:36 
aaronpk you are way ahead of me. i'm still working on making a post private
# 03:37 
gRegorLove Tweaked my token endpoint a bit so it can be used for this as well as micropub.
# 03:37 
aaronpk how did that go? I was hoping that wouldn't be hard
# 03:37 
GWG If it makes you feel better, aaronpk, you will always be ahead of me.
# 03:41 
gRegorLove Well, not sure I set up my token the "best" way, but it was an if/else: if POSTed 'code', perform all the auth checks, else validate Bearer token. I just added another condition at the beginning: if 'code' and 'grant_type=authorization_code'
# 03:41 
gRegorLove So if you post a code with nothing else, it will continue to do the micropub flow
# 03:43 
aaronpk hm i just realized that according to OAuth 2.0, "client_id" is a required parameter of a token grant if there is no other client authentication happening (which in this case there isn't)
# 03:44 
aaronpk with the indieauth/micropub token exchange the grant_type will also be "authorization_code"
# 03:44 
aaronpk that wasn't unique to private webmention
# 03:44 
gRegorLove I have a client_id in the micropub part of the token grant, though only because it was on /token_endpoint, not because I fully understand it :)
# 03:45 
gRegorLove See, point proven. Apparently I didn't understand that when I set up this token endpoint, heh
# 03:45 
gRegorLove grant_type isn't on /token_endpoint though, to be fair.
# 03:45 
aaronpk orly?! shoot
ChrisAldrich joined the channel
# 03:46 
gRegorLove Ok, now I'm wondering how to differentiate the two
# 03:46 
aaronparecki.com edited /Private-Webmention (+181) "/* Obtaining an Access Token */" (view diff)
# 03:48 
gRegorLove ONLY code and grant_type => webmention, otherwise micropub?
# 03:49 
aaronpk that would do it, but i'm hesitant to make a new grant type
# 03:50 
gRegorLove Sorry, that was ambigous. Not grant_type value of "webmention"
# 03:50 
gRegorLove Just if only those two params posted.
# 03:50 
aaronpk oh gotcha
# 03:50 
aaronpk the other thought i had (noted on the private webmention page) was whether the request should include the target URL or source or both
# 03:51 
aaronpk and then you could know it's a webmention token because of that parameter
# 03:51 
gRegorLove So 'grant_type' is a requirement of any token grant, right?
# 03:51 
aaronpk yes
chrisaldrich1 joined the channel
# 03:51 
gRegorLove Ah, right. I read that. That would make sense.
# 03:51 
aaronpk i'm trying to figure out if there is any security benefit to including those
# 03:52 
aaronpk it feels similar to including the "redirect_uri" parameter in OAuth https://tools.ietf.org/html/rfc6749#section-4.1.3
# 03:52 
aaronpk i'm sure there was a mailing list discussion about including that
# 03:53 
gRegorLove source definitely makes sense. Then I can include it in the JWT token and don't have to map tokens to posts.
# 03:54 
gRegorLove I guess those could be in my initial 'code' though, too.
# 03:55 
aaronpk wow reading some of the earlier oauth 2 drafts is painful
# 04:00 
aaronpk i found it!!
# 04:00 
aaronpk https://mailarchive.ietf.org/arch/msg/oauth/0ndM5T_oR27WH9OwU97xQEzKbEc
KevinMarks joined the channel
# 04:07 
aaronpk i don't really see a concrete answer in there
# 04:07 
aaronpk closest i found is this: https://mailarchive.ietf.org/arch/msg/oauth/STYsOy77_gknub-pOgO_mTg6cCA "By checking that the callback URI used to deliver the code is the same as the one used to initiate the flow, the authorization server can verify that the user who initiated the flow is the same one to authorize access and finish the flow."
# 04:17 
gRegorLove But aren't we, the source, the ones initiating this flow?
# 04:17 
gRegorLove Since we generated the code
AngeloGl1 joined the channel
# 04:35 
aaronpk I think so?
KevinMarks_, cweiske and KevinMarks joined the channel
# 06:50 
cweiske.de edited /Micropub/Servers (+31) "/* Implementation status */ update withknown's micropub status" (view diff)
loicm, ChrisAldrich, tantek, pfefferle and KartikPrabhu joined the channel
# 14:25 
pfefferle 'morning
# 14:27 
www.svenknebel.de edited /Private-Webmention (+57) "/* Obtaining an Access Token */ clarify that always bearer tokens (https://chat.indieweb.org/2016-09-29/1475157914590000 )" (view diff)
tantek joined the channel
# 14:28 
aaronpk morning
miklb joined the channel
# 14:36 
aaronparecki.com edited /Private-Webmention (+598) "move token exchange questions to issues section" (view diff)
KevinMarks and KevinMarks_ joined the channel
# 17:50 
aaronpk huh does firefox not use the system root chain when verifiying ssl certs?
# 17:52 
aaronpk weird. had to import the root cert into firefox directly. chrome seems to use the system chain.
# 17:59 
Zegnat Mozilla has their own CA Cert store: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/
# 17:59 
bear yea, that is a very common question -- https://wiki.mozilla.org/CA:FAQ#Why_does_Mozilla_include_a_default_set_of_CA_certificates.3F
cweiske joined the channel
# 18:19 
gregorlove.com edited /StartSSL (+352) "WoSign / StartCom backdating allegations, see also" (view diff)
# 18:22 
gregorlove.com edited /StartSSL (+503) "/* Criticism */" (view diff)
# 18:22 
gregorlove.com moved /letsencrypt to /Let's_Encrypt "Canonical"
tantek joined the channel
# 18:25 
gregorlove.com edited /Let's_Encrypt (+172) "/* IndieWeb Examples */ subheadings, +me" (view diff)
KartikPrabhu and AngeloGl1 joined the channel
# 19:27 
tantek.com edited /2016/Brighton (+162) "/* Blog posts */ sgreger's post" (view diff)
barryf_, KartikPrabhu and chrisaldrich1 joined the channel
# 20:03 
vanderven.se martijn edited /Let's_Encrypt (+153) "Adding myself." (view diff)
tantek, valan and KartikPrabhu joined the channel
# 21:00 
tantek what are wordpress plugins?
# 21:00 
Loqi https://indieweb.org/WordPress/Plugins
# 21:00 
tantek GWG, could you add a suitable dfn to ^^^ so Loqi responds with a nice summary?
AngeloGl1 joined the channel
# 21:01 
tantek in other news, I have started sharing that URL with some gen 2 folks (per /generations) and asked for any/all feedback. If that's not the right URL (for someone using WordPress (self-hosted) and wanting more IndieWeb funcitonality (especially POSSE+backfeed), let me know!)
KevinMarks, AngeloGl1, singpolyma and AngeloGladding joined the channel