#tantekgRegorLove++ thanks for the "event" markup verification. 7 of 8 impls doing h-event as root object is pretty strong evidence, more than needed to add to the Post Type Algorithm
#Loqigregorlove has 24 karma in this channel (146 overall)
#sknebelmf2util (python lib by kylewm) has a function to parse mfs, which includes events (determines them by being h-event and not h-entry) and which I use to determine days on which IWCs happen for the youtube bot
#tantekinteresting, adding h-event support to Post Type Discovery will require adding it as a normative reference, which will require updating h-event to have similar change control as h-entry. https://github.com/microformats/h-event/issues/1
#Loqi[tantek] #1 adopt same change control as h-entry
#sknebelaaronpk: only thing in the way of completely automatic is that you have to choose an auth provider on indieauth.com, other than that the flow could be relatively easily scripted (that the thought process where my comparison of manual flow to potential automatic one on /non-interacitve IndieAuth came from)
#sknebelright now I'll have to manually grab a session cookie
KartikPrabhu joined the channel
#aaronpkhm, okay i see where you're going with that
#sknebelI took the existing process and tried to figure out what the smallest adjustment would be to work automatically
#sknebelbut of course you then end up with the app trying to use cookies instead of tokens, since browsers don't ask for tokens, which makes things less nice
#[sebsel]also, alice.server should somehow get the code mentioned in 2 from alice.auth. That might be obvious, but since they can be different servers, I think it’s good to make that explicit
#[sebsel]or yeah, that’s before step 1., so is it out of the scope of the spec?
#Zegnat[sebsel], the current server-indieauth seems limited to “Hi, I am $me, do you have a token for me?” Which is nice and simple.
#ZegnatI wonder what makes more sense: 1. Bob giving Alice a token and saying “you can use this to C/R/U/D”, or 2. Alice asking Bob for a token for the specific action she wants to do.
#[sebsel]sknebel, wouldn’t that be just Bob comparing the me=https://alice.example in the token to the list of audience for the post?
#[sebsel]Zegnat, yeah, that last one is probably a bit overboard.
#[sebsel]But we can store tokens, that’s what the extra step is for. So it’s not a per-action thing, it’s also similar future actions
#ZegnatI think sknebel wants scoping within that scope, sebsel. So me=svenknebel.de now has access to all posts ment for him, but he wants the system to be able to request a token me=svenknebel.de that only has access to a subset of the posts.
#[sebsel]well, me+client already gives something you can use, in a way.
#Zegnatprivate wm is a very easy usecase that needs very little. But other auths, such as micropub, will always need slightly more information than this offers
j12t and loicm joined the channel
#ZegnatDoubled the size of my webmention endpoint, it now accepts less stuff. Here’s to hoping I did not break things.
#sknebelif it freely can get read permissions for everything the user can read, that can't be stopped
#sknebelis that a legit concern, or making stuff to complicated for no good reason?
#ZegnatAh, you mean, I might want the wm endpoint on licit.li not be able to read private webmentions sent to vanderven.se/martijn/? But wouldn’t both identify themselves as me=vanderven.se/martijn/ ?
#sknebelhm, so client id could be the url of the webmention endpoint?
#aaronpkA similar example being how my auth endpoint has its own concept of "channels" so I can limit where apps can post to but they don't know anything is different
#aaronpkyeah client id would be something identifying the server that is requesting the token, so the webmention endpoint URL would be a good thing to use
#aaronpkOAuth is a protocol for delegating authorization to third party clients. As a user, you trust those clients only a little, so you grant them limited scope to your account
#aaronpkthats the situation here where you might be using a third party webmention endpoint and you want to limit what it has access to on your site
#sknebelI want to limit what access it has on *other* peoples sites
#aaronpkbut before that's even possible, we need to talk about the authentication side, separate from what it has access to
#aaronpkthe first thing to solve is proving identity in this non interactive way
#aaronpkand treat access and scope as a separate problem
#sknebelok, yes, then most of the questions asked are jumping ahead and about the next steps
#aaronpkWhat we need first is a way for a server to prove a request came from itself.
#aaronpkThen we can use that for the webmention endpoint to authenticate itself when fetching posts
#aaronpkif the webmention endpoint is on a different domain than the user it's claiming to represent, then we need the delegated authorization part so the webmention endpoint can prove the user has authorized it to act on their behalf
#sknebelI'm not sure where the "inception" is. but I'm also currently trying to understand why my webserver configuration actually works (I hope it's not a schrödinger-bug) and still thinking about what I actually wanted to do before that
#sebselthe inception I saw is that in order for alice.server to obtain a code, it needs to prove to alice.auth that it's with alice, which is the whole problem all over again, if they are on different servers.
#sknebelah, ok. yeah, but I assumed those two have pre-established trust of some kind
#ZegnatOne line of explanation “authenticate itself”, next line of explanation “authorization part”, and again the difference after auth- makes all the difference
#sebselIn Dutch they are actually called 'authenticatie' and 'autorisatie' (with and without the extra H), probably for reason :P
eli_oat, j12t and [markmhendrickso joined the channel
#ZegnatThat is a pretty good write-up ^^^ though I am not sure I agree with Slack et al as a social network. A communication network for sure, but I don’t get a big feel of identity on those.
KartikPrabhu joined the channel
#sknebelaaronpk: I found a bug in Indieauth redirects (issue is filed), but with the new-ish feature of it redirecting automatically if there is only an authorization endpoint I think I can implement automatic wiki login
[kevinmarks], gRegorLove and KevinMarks joined the channel
#eli_oatDoes anyone else who sends webmentions via webmentions.io notice that bridgy picks up POSSE'd content faster than the webmention itself is delivered?
#aaronpkwebmention.io receives webmentions for people, and optionally delivers them to the site via a web hook. it processes everything asynchronously and is sometimes kinda slow about that
KartikPrabhu joined the channel
#eli_oatYeah, I'm manually hijacking the source/target form to send them
#eli_oat:D shout out to aaronpk++ for helping me sort out what was going on there (e.g. I was trying to send them through a receiver rather than a transmitter…to go with a radio metaphor)