#aaronpk for realm, I intentionally left it somewhat vague in the spec because I want to see what people end up doing with it. my plan for that was going to be to return either the URL of the person who can see the post, or a random string that maps to the URL
KevinMarks joined the channel
#KevinMarks Hm, if mention-tech implemented private webmentions, I'm not sure what it would do with them
KevinMarks_ joined the channel
#gRegorLove Having a hard time understanding the difference between JWS and JWT.
#aaronpk JWS is the algorithm.payload.signature structure. JWT defines a bunch of terms to use in the payload.
#gRegorLove Ok, so seems it's fine to use the firebase/JWT lib and just JWT::encode('example.com')? Makes longer codes than I expected from the examples, but seems to work fine.
#aaronpk you are way ahead of me. i'm still working on making a post private
#gRegorLove Tweaked my token endpoint a bit so it can be used for this as well as micropub.
#aaronpk how did that go? I was hoping that wouldn't be hard
#GWG If it makes you feel better, aaronpk, you will always be ahead of me.
#gRegorLove Well, not sure I set up my token the "best" way, but it was an if/else: if POSTed 'code', perform all the auth checks, else validate Bearer token. I just added another condition at the beginning: if 'code' and 'grant_type=authorization_code'
#gRegorLove So if you post a code with nothing else, it will continue to do the micropub flow
#aaronpk hm i just realized that according to OAuth 2.0, "client_id" is a required parameter of a token grant if there is no other client authentication happening (which in this case there isn't)
#aaronpk with the indieauth/micropub token exchange the grant_type will also be "authorization_code"
#gRegorLove I have a client_id in the micropub part of the token grant, though only because it was on /token_endpoint, not because I fully understand it :)
#gRegorLove See, point proven. Apparently I didn't understand that when I set up this token endpoint, heh
#aaronpk i don't really see a concrete answer in there
#aaronpk closest i found is this: https://mailarchive.ietf.org/arch/msg/oauth/STYsOy77_gknub-pOgO_mTg6cCA "By checking that the callback URI used to deliver the code is the same as the one used to initiate the flow, the authorization server can verify that the user who initiated the flow is the same one to authorize access and finish the flow."
#gRegorLove But aren't we, the source, the ones initiating this flow?
#tantek GWG, could you add a suitable dfn to ^^^ so Loqi responds with a nice summary?
AngeloGl1 joined the channel
#tantek in other news, I have started sharing that URL with some gen 2 folks (per /generations) and asked for any/all feedback. If that's not the right URL (for someone using WordPress (self-hosted) and wanting more IndieWeb functionality (especially POSSE+backfeed), let me know!)
KevinMarks, AngeloGl1, singpolyma and AngeloGladding joined the channel