tantek: I'm happy to report that the few bots and such IPs that I blocked resulted in 1/6th the bandwidth usage for my site in November as compared to October
aaronpk: I have this vague recollection of a discussion about dropping the "me" from the initial redirect, since clients shouldn't be trusting variables in query strings. But I can't find that discussion, and two of the IndieAuth pages were not updated to reflect that.
Zegnat: !tell aaronpk "3.2 Client Identifier" disallows ports for clients; how will this work with e.g. shpub, where the Micropub client locally runs a server?
Zegnat: !tell aaronpk "Discovery by Clients" says: “For the Authorization workflow […] the client needs to find the user's authorization_endpoint, token_endpoint and micropub endpoint”. I get using Micropub as an example, but the way it is listed here almost makes it sound like the micropub endpoint is a MUST for the authz flow. Is there a better way to phrase t
Zegnat: I guess you could fix it by having a publicly hosted home page for shpub and defining only the redirect_uri with a port, since that is allowed. But then the publicly hosted page needs to whitelist all possible ports on 127.0.0.1 or something…
Loqi: aaronpk: Zegnat left you a message 6 hours, 15 minutes ago: "3.2 Client Identifier" disallows ports for clients; how will this work with e.g. shpub, where the Micropub client locally runs a server?
Loqi: aaronpk: Zegnat left you a message 5 hours, 25 minutes ago: "Discovery by Clients" says: “For the Authorization workflow […] the client needs to find the user's authorization_endpoint, token_endpoint and micropub endpoint”. I get using Micropub as an example, but the way it is listed here almost makes it sound like the micropub endpoint is a MUST for the authz flow. Is there a better way to phrase t
Zegnat: Was interrupted with school stuff though; still need to pull my thoughts together on the Authentication flow. Maybe I'll have some more thoughts / questions in about an hour when I get home.
Zegnat: In layman's terms (as an authorization endpoint): if an application has 127.0.0.1 listed as a redirect_uri, I can (SHOULD/MUST) accept it with any port?
aaronpk: the point of redirect URL registration is to prevent an attacker from setting the redirect URL to something under their control to steal the auth code
Zegnat: If local shpub knows its own IP and port, it could theoretically already set client_id to shpub.com/?port=1111&ip=127.0.0.1 and have shpub.com serve a dynamic redirect_uri value.
aaronpk: that provides shpub with two options. For local use, it would have to use a public URL client_id with a query string component to specify the local port of the redirect URI. For remote use, it could use the remote IP as the client_id.
aaronpk: oh yeah, one more option. Since what we're trying to do here is prevent specific attacks involving tricky redirect URLs, if the scheme/domain/port of the client_id match the redirect_uri then there wouldn't be any surprises. So I *think* we can bypass the redirect_uri lookup altogether if those match.
Zegnat: If you don't end up allowing different ports, maybe reference the OAuth document on allowing variable ports for loopback. I think that is worth calling out.
[manton]: With this kind of variable pricing, it would be nice if the lowest price were less than $75. .blog has this same approach, where some words are $$$$, but at least they start at something like $20.
Zegnat: If someone wants to rewrite selfauth into v2 with separate dependencies and pull in an mf2 parser etc., I would not be against it. But that's not something that is currently in my planning.
Loqi: [Daniel Goldsmith] Oh wow. Just wow. The quantity of quality available on this site. Such an incredible resource, such an incredible artist.
http://www.neilyoungarchives.com
snarfed: dgold1: re "i think I've been having a conceptual anti-pattern in wanting a shorter h-card & a full-featured one," you've seen https://indieweb.org/h-card#Issues ?
gRegorLove: "Chrome detected unusual code on this page and blocked it to protect your personal information (for example, passwords, phone numbers, and credit cards).
chrisaldrich: sknebel, which browser are you using in which you saw the overlap issue? I changed it because there was an overlap issue before, but it looks fine in Chrome & FF for me.
Zegnat: Need many eyes, and all that jazz :) I am pretty full up with uni at the moment, but hope to have time to give it another solid look later this week.
tantek, [horsemansyospos and [mrkrndvs] joined the channel