#dev 2018-06-23

2018-06-23 UTC
#
www.boffosocko.com
edited /highlight (+554) "/* Chris Aldrich */ post kinds plugin version"
iasai, [eddie], snarfed, tantek__, renem, tantek, gRegorLove, leg and oodani joined the channel
#
oodani
hm. indieauth is /almost/ compatible with generic oauth 2.0 clients, except that the 'me' parameter is new - would it be safe to make 'me' optional, since it can be discovered based on who's logged in?
#
oodani
i just went ahead and made it optional :p it's still validated if it's provided, but if it's omitted the correct 'me' for the current user is automatically assumed. should be just as secure, since you need to be logged in either way.
[eddie], iasai, KartikPrabhu, [jgmac1106] and barpthewire joined the channel
#
@jgmac1106
@senorG sorry I am missing #BadgeSummit this year. I will be at #IndieWeb summit instead. I may even try and cajole folks into theorizing if webmentions and permalinks could serve as a lightweight credentialing program: https://jgregorymcverry.com/can-we-have-an-indieweb-webmentions-credentialing-system-openbadges/ (http://jgregorymcverry.com/3783-2/)
(twitter.com/_/status/1010487724523040769)
[wiobyrne] and barpthewire joined the channel
#
@discusster
So Twitter, Facebook and Instagram don't send webmentions any longer? Tsk!
(twitter.com/_/status/1010516683562405889)
#
Zegnat
oodani, interesting thought. I don’t think you lose any security by making the me parameter optional on the initial request. Could you open a discussion about that on https://github.com/indieweb/indieauth/issues ? And why you chose to make it optional? Might be worth documenting!
leg joined the channel
#
aaronpk
In theory it should be possible to treat IndieAuth as plain OAuth and leave out the "me" parameter entirely, but in practice apps do want to know who logged in
#
aaronpk
Almost no apps use OAuth the way OAuth was intended (without user identity)
#
GWG
Interesting
#
Zegnat
My first thought was that this is about the me parameter in the query upon first request? Not dropping the me from the JSON response? The latter being what the apps want to know?
#
aaronpk
Ah yeah it could be optional in the first request
#
aaronpk
Some OAuth servers have an equivalent of the "me" in the request
#
aaronpk
It's really more of a hint or suggestion in the request anyway
#
Zegnat
That’s what I thought. And if oodani dropped the requirement for it on first request, that could be a good discussion to have. And could maybe be reflected in the spec at some point by marking it optional
#
aaronpk
The reason to include it in the request is to help shared IndieAuth servers, otherwise the IndieAuth server has to ask the user for their identity again after they just gave it to the client
#
aaronpk
Without the "me" in the request the flow would end up being: enter your url into app so it can discover your IndieAuth endpoint, you get directed to your IndieAuth endpoint where it has to ask for a username/url again and then authenticate there
#
aaronpk
I guess you could solve that by telling users their authorization endpoint is something like "myindieauth.com/auth?me=aaronpk.com"
#
Zegnat
Only in case of the multiple-user endpoints. And even then, in cases of it being a multi-user CMS, chances are you are already logged in anyway. So I can totally see it being optional.
#
Zegnat
That is: optional for the endpoint to check. IndieAuth clients should be very much encouraged to send it along.
#
aaronpk
In any case, explaining that it's really more of a suggestion in the request might help clear things up around the security aspect of it
#
Zegnat
I was really interested in the use-case oodani ran into (other OAuth apps?) that made the decision to drop the me. So some context in an issue could really help the discussion :)
#
Zegnat
Was my thinking at least
#
aaronpk
The other thing is in practice OAuth servers are subtly different from each other anyway so there isn't usually a generic OAuth client that actually works 100% on every server out there
#
aaronpk
And thankfully OAuth 2 is so much simpler than 1 that a library isn't usually necessary
#
aaronpk
The real work around an IndieAuth client is dealing with endpoint discovery and verifying the domain of the "me" returned at the end matches the start. And an OAuth client won't help you there
#
Zegnat
I so wish discovery didn’t involve HTML parsing. While at the same time love how easy it is for people to add it to their websites without mucking with response headers. Conflicting feelings abound ;)
#
aaronpk
Me too haha
#
Zegnat
Argh, Firefox, why! An empty lang-href makes the browser decide the entire page is probably not using the Latin alphabet, so let's not apply the user's chosen font settings!
#
Zegnat
goes to see if there are add-ons to configure default fonts instead
#
oodani
my particular use case for oauth2-compatible indieauth is paw.app, because it has support for oauth built-in - i was using jwt for tokens earlier, and having paw generate its own rather than fetch them from my site, but after switching to database-backed tokens i actually needed to do the oauth dance and it didn't *quite* work
#
oodani
i imagine other Advanced Http Client Apps, like postman, would also support oauth2 but not indieauth out of the box? so. those kinds of apps
#
Zegnat
I don’t use any of those apps (the price never seemed worth it to me, especially for Paw) so I am not sure what type of OAuth flow they support. An issue with some of the details would be super appreciated!
#
oodani
paw doesn't actually implement oauth 2.0 *correctly*, even ignoring the indieauth extension, so that's. obnoxious
#
oodani
(it doesn't include the client id when it's retrieving a token using a code :/ )
#
oodani
but yeah i'll figure out exactly what it can and can't do and make an issue c: i'll check postman too, i think i have it installed
#
Zegnat
Thanks!
#
Zegnat
If we can make IndieAuth simpler for developers, through documentation and marking some things as optional, I could see that being helpful :)
#
aaronpk
oh hey I forgot about this http://sendawebmention.com
#
GWG
Fun
#
GWG
I was thinking about rel-me and wondering what I could do with it other than rel-me auth.
#
GWG
Makes me think I should build an h-card and rel=me importer to WordPress user accounts
iasai joined the channel
#
Zegnat
In https://wiki.zegnat.net/media/the-real-deal-about-rel-me.html I actually mention distributed verification before web sign-in. I felt like RelMeAuth really builds on distributed verification being a thing, not the other way around.
[eddie], gRegorLove_ and [jgmac1106] joined the channel
#
aaronpk
whoops apparently aperture was "caching" images even if the server returned http 403
#
aaronpk
which google did for this one post
#
aaronpk
and each "image url" which was 403'ing was a different URL and had different content
#
aaronpk
and because of a bug in this function, it wasn't cleaning up the file on the failure, so it wrote 10gb of html files to disk
#
Zegnat
yikes. That’ll fill up space over time
KartikPrabhu joined the channel
#
www.boffosocko.com
edited /commonplace_book (+381) "mrkrndvs and wiobyrne examples with links"
gRegor-mobile, KartikPrabhu, [nate658] and [eddie] joined the channel
#
[eddie]
Lol glad I didn’t enable caching of images yet 😁 thanks for dealing with the bugs, aaronpk!
#
aaronparecki.com
edited /swag (-318) "new t-shirt run!"
jjuran and mblaney joined the channel
#
aaronparecki.com
created /shirts (+293) "create page just for shirts for a nicer page to link to"
mblaney-web joined the channel
[grantcodes] joined the channel
#
[grantcodes]
Only just noticed aperture includes refs now. Awesome!
#
aaronpk
haha that's been there a long time!
#
[grantcodes]
Well obviously I've not been paying attention
#
[grantcodes]
It only includes them if they were embedded on the original page though?
#
[grantcodes]
I noticed them for my granary twitter feeds but not my indieweb one
#
aaronpk
yea, and aperture doesn't actually fetch permalinks yet so they only appear if the feed has the expanded data
#
[grantcodes]
Ok that makes sense
#
[grantcodes]
Gives me a reason to fix my microformats on my own site 😛
#
[grantcodes]
It will look for embedded h-cites inside `like-of` or equivalent right?
#
aaronpk
yeah, like-of, in-reply-to, repost-of