oodanihm. indieauth is /almost/ compatible with generic oauth 2.0 clients, except that the 'me' parameter is new - would it be safe to make 'me' optional, since it can be discovered based on who's logged in?
oodanii just went ahead and made it optional :p it's still validated if it's provided, but if it's omitted the correct 'me' for the current user is automatically assumed. should be just as secure, since you need to be logged in either way.
[eddie], iasai, KartikPrabhu, [jgmac1106] and barpthewire joined the channel
Zegnatoodani, interesting thought. I don’t think you lose any security by making the me parameter optional on the initial request. Could you open a discussion about that on https://github.com/indieweb/indieauth/issues ? And why you chose to make it optional? Might be worth documenting!
aaronpkIn theory it should be possible to treat IndieAuth as plain OAuth and leave out the "me" parameter entirely, but in practice apps do want to know who logged in
ZegnatMy first thought was that this is about the me parameter in the query upon first request? Not dropping the me from the JSON response? The latter being what the apps want to know?
ZegnatThat’s what I thought. And if oodani dropped the requirement for it on first request, that could be a good discussion to have. And could maybe be reflected in the spec at some point by marking it optional
aaronpkThe reason to include it in the request is to help shared IndieAuth servers, otherwise the IndieAuth server has to ask the user for their identity again after they just gave it to the client
aaronpkWithout the "me" in the request the flow would end up being: enter your url into app so it can discover your IndieAuth endpoint, you get directed to your IndieAuth endpoint where it has to ask for a username/url again and then authenticate there
ZegnatOnly incase of the multiple-user endpoints. And even then, in cases of it being a multi-user CMS, chances are you are already logged in anyway. So I can totally see it being optional.
ZegnatI was really interested in the use-case oodani ran into (other OAuth apps?) that made the decision to drop the me. So some context in an issue could really help the discussion :)
aaronpkThe other thing is in practice OAuth servers are subtly different from each other anyway so there isn't usually a generic OAuth client that actually works 100% on every server out there
aaronpkThe real work around an IndieAuth client is dealing with endpoint discovery and verifying the domain of the "me" returned at the end matches the start. And an OAuth client won't help you there
ZegnatI so wish discovery didn’t involve HTML parsing. While at the same time love how easy it is for people to add it to their websites without mucking with response headers. Conflicting feelings abound ;)
ZegnatArgh, Firefox, why! An empty lang-href makes the browser decide the entire page is probably not using the Latin alphabet, so lets not apply the users chosen font settings!
oodanimy particular use case for oauth2-compatible indieauth is paw.app, because it has support for oauth built-in - i was using jwt for tokens earlier, and having paw generate its own rather than fetch them from my site, but after switching to database-backed tokens i actually needed to do the oauth dance and it didn't *quite* work
ZegnatI don’t use any of those apps (the price never seemed worth it to me, especially for Paw) so I am not sure what type of OAuth flow they support. An issue with some of the details would be super appreciated!
www.boffosocko.com edited /highlight (+554) "/* Chris Aldrich */ post kinds plugin version" (view diff)
@jgmac1106 @senorG sorry I am missing #BadgeSummit this year. I will be at #IndieWeb summit instead. I may even try and cajole folks into theorizing if webmentions and permalinks could serve as a lightweight credentialing program: https://jgregorymcverry.com/can-we-have-an-indieweb-webmentions-credentialing-system-openbadges/ (http://jgregorymcverry.com/3783-2/) (twitter.com/_/status/1010487724523040769)
@discusster So Twitter, Facebook and Instagram don't send webmentions any longer? Tsk! (twitter.com/_/status/1010516683562405889)
Zegnat oodani, interesting thought. I don’t think you lose any security by making the me parameter optional on the initial request. Could you open a discussion about that on https://github.com/indieweb/indieauth/issues ? And why you chose to make it optional? Might be worth documenting!
oodani my particular use case for oauth2-compatible indieauth is paw.app, because it has support for oauth built-in - i was using jwt for tokens earlier, and having paw generate its own rather than fetch them from my site, but after switching to database-backed tokens i actually needed to do the oauth dance and it didn't *quite* work
aaronpk oh hey I forgot about this http://sendawebmention.com
aaronparecki.com created /shirts (+293) "create page just for shirts for a nicer page to link to" (view diff)
[grantcodes] Only just noticed aperture includes refs now. Awesome!