#dev 2016-09-29

2016-09-29 UTC
gRegorLove
aaronpk: Are there some good guidelines on generating the code and realm values?
aaronpk
for realm, I intentionally left it somewhat vague in the spec because I want to see what people end up doing with it. my plan for that was going to be to return either the URL of the person who can see the post, or a random string that maps to the URL
KevinMarks joined the channel
KevinMarks
Hm, if mention-tech implemented private webmentions, I'm not sure what it would do with them
KevinMarks_ joined the channel
gRegorLove
Having a hard time understanding the difference between JWS and JWT.
aaronpk
JWS is the algorithm.payload.signature structure. JWT defines a bunch of terms to use in the payload.
gRegorLove
Ok, so seems it's fine to use the firebase/JWT lib and just JWT::encode('example.com')? Makes longer codes than I expected from the examples, but seems to work fine.
gRegorLove
Just want to make sure it's secure
aaronpk
yep it's fine. that library should have been called JWS in the first place.
aaronpk
they later started adding some of the JWT vocab to it
aaronpk
so now it validates the expiration date itself if you give it a key called "exp" in the payload
gRegorLove
Yeah, that's what confused me; looking over the code, it seemed exactly like what the JWS spec described
aaronpk
you were not the only one confused by the difference between JWT and JWS :)
KevinMarks and ChrisAldrich joined the channel
gRegorLove
I've got exchanging a code for access token working now.
aaronpk
you are way ahead of me. i'm still working on making a post private
gRegorLove
Tweaked my token endpoint a bit so it can be used for this as well as micropub.
aaronpk
how did that go? I was hoping that wouldn't be hard
GWG
If it makes you feel better, aaronpk, you will always be ahead of me.
gRegorLove
Well, not sure I set up my token the "best" way, but it was an if/else: if POSTed 'code', perform all the auth checks, else validate Bearer token. I just added another condition at the beginning: if 'code' and 'grant_type=authorization_code'
gRegorLove
So if you post a code with nothing else, it will continue to do the micropub flow
aaronpk
hm i just realized that according to OAuth 2.0, "client_id" is a required parameter of a token grant if there is no other client authentication happening (which in this case there isn't)
aaronpk
with the indieauth/micropub token exchange the grant_type will also be "authorization_code"
aaronpk
that wasn't unique to private webmention
gRegorLove
I have a client_id in the micropub part of the token grant, though only because it was on /token_endpoint, not because I fully understand it :)
gRegorLove
See, point proven. Apparently I didn't understand that when I set up this token endpoint, heh
gRegorLove
grant_type isn't on /token_endpoint though, to be fair.
aaronpk
orly?! shoot
ChrisAldrich joined the channel
gRegorLove
Ok, now I'm wondering how to differentiate the two
aaronparecki.com
edited /Private-Webmention (+181) "/* Obtaining an Access Token */"
gRegorLove
ONLY code and grant_type => webmention, otherwise micropub?
aaronpk
that would do it, but i'm hesitant to make a new grant type
gRegorLove
Sorry, that was ambiguous. Not grant_type value of "webmention"
gRegorLove
Just if only those two params posted.
aaronpk
oh gotcha
aaronpk
the other thought i had (noted on the private webmention page) was whether the request should include the target URL or source or both
aaronpk
and then you could know it's a webmention token because of that parameter
gRegorLove
So 'grant_type' is a requirement of any token grant, right?
chrisaldrich1 joined the channel
gRegorLove
Ah, right. I read that. That would make sense.
aaronpk
i'm trying to figure out if there is any security benefit to including those
aaronpk
it feels similar to including the "redirect_uri" parameter in OAuth https://tools.ietf.org/html/rfc6749#section-4.1.3
aaronpk
i'm sure there was a mailing list discussion about including that
gRegorLove
source definitely makes sense. Then I can include it in the JWT token and don't have to map tokens to posts.
gRegorLove
I guess those could be in my initial 'code' though, too.
aaronpk
wow reading some of the earlier oauth 2 drafts is painful
aaronpk
i found it!!
KevinMarks joined the channel
aaronpk
i don't really see a concrete answer in there
aaronpk
closest i found is this: https://mailarchive.ietf.org/arch/msg/oauth/STYsOy77_gknub-pOgO_mTg6cCA "By checking that the callback URI used to deliver the code is the same as the one used to initiate the flow, the authorization server can verify that the user who initiated the flow is the same one to authorize access and finish the flow."
gRegorLove
But aren't we, the source, the ones initiating this flow?
gRegorLove
Since we generated the code
AngeloGl1 joined the channel
aaronpk
I think so?
KevinMarks_, cweiske and KevinMarks joined the channel
cweiske.de
edited /Micropub/Servers (+31) "/* Implementation status */ update withknown's micropub status"
loicm, ChrisAldrich, tantek, pfefferle and KartikPrabhu joined the channel
pfefferle
'morning
#
www.svenknebel.de
edited /Private-Webmention (+57) "/* Obtaining an Access Token */ clarify that always bearer tokens (https://chat.indieweb.org/2016-09-29/1475157914590000 )"
tantek joined the channel
aaronpk
morning
miklb joined the channel
aaronparecki.com
edited /Private-Webmention (+598) "move token exchange questions to issues section"
KevinMarks and KevinMarks_ joined the channel
aaronpk
huh does firefox not use the system root chain when verifying ssl certs?
aaronpk
weird. had to import the root cert into firefox directly. chrome seems to use the system chain.
cweiske joined the channel
gregorlove.com
edited /StartSSL (+352) "WoSign / StartCom backdating allegations, see also"
gregorlove.com
edited /StartSSL (+503) "/* Criticism */"
tantek joined the channel
gregorlove.com
edited /Let's_Encrypt (+172) "/* IndieWeb Examples */ subheadings, +me"
KartikPrabhu and AngeloGl1 joined the channel
tantek.com
edited /2016/Brighton (+162) "/* Blog posts */ sgreger's post"
barryf_, KartikPrabhu and chrisaldrich1 joined the channel
vanderven.se martijn
edited /Let's_Encrypt (+153) "Adding myself."
tantek, valan and KartikPrabhu joined the channel
tantek
what are wordpress plugins?
tantek
GWG, could you add a suitable dfn to ^^^ so Loqi responds with a nice summary?
AngeloGl1 joined the channel
tantek
in other news, I have started sharing that URL with some gen 2 folks (per /generations) and asked for any/all feedback. If that's not the right URL (for someone using WordPress (self-hosted) and wanting more IndieWeb functionality (especially POSSE+backfeed), let me know!)
KevinMarks, AngeloGl1, singpolyma and AngeloGladding joined the channel