#dev 2018-10-02

2018-10-02 UTC
#
aaronpk just found https://tools.ietf.org/html/draft-bradley-oauth-stateless-client-id-05#section-2 which is a different attempt at avoiding client registration, but this one solves it by using a full JWT as the client_id parameter and putting all the client info in the JWT
#
KartikPrabhu what is JWT?
#
Loqi JWT (JSON Web Token) is a method of encoding and signing JSON data in a URL-safe string https://indieweb.org/JWT
#
aaronpk i'm curious if any of the indieauth implementors have an opinion on whether this would be easier than IndieAuth's method of using the app's URL as the client_id and fetching app info from the URL
#
aaronpk my thoughts are that it's not easier, because with IndieAuth's method you can start out by just displaying the client_id parameter without any parsing, and then you can incrementally improve the implementation by fetching the URL to show the app's info
#
aaronpk whereas this requires that you decode the JWT from the beginning
#
KartikPrabhu are there any advantages to using JWT?
#
KartikPrabhu is "you get all the info at once" the only use?
snarfed joined the channel
#
aaronpk doesn't require an HTTP request to get the app info like name and logo and redirect URL
#
aaronpk it does require an HTTP request if you want to verify the JWT signature, but that spec says that's optional anyway
#
aaronpk you could also cache the public key so you'd only have to make the HTTP request the first time you see a new app
#
aaronpk but i think saving the HTTP request is the only advantage
#
aaronpk oh, i guess saving the HTTP request plus not needing a microformats parser
#
KartikPrabhu but you do need the "decoder" bit
#
aaronpk yep, it's trading microformats parsing for JWT parsing
#
KartikPrabhu it might be possible to have both suported somehow?
#
KartikPrabhu if someone wants to implement it
#
aaronpk if you're not going to verify the JWT signature then JWT parsing is just `json_decode(base64_decode(explode('.',$jwt)[1])))`
#
aaronpk hm, i'm trying to think if there are any security implications around the difference too, since we do gain something by having client_id be a URL
#
@jjdelc The more I think about it, I think the idea that #Micropub and #Webmention endpoints could ve.. https://jj.isgeek.net/2018/10/02-123939-am/ (twitter.com/_/status/1046922627120553984)
[shurcool] and [eddie] joined the channel
#
[eddie] JWT does seem pretty easy in my mind!
#
[eddie] I also already use JWT in my IndieAuth code so that would be incredibly easy to implement on my server side.
#
[eddie] I guess I do wonder about security. I guess the redirect url has to still match the client id so there’s no redirect issues
#
[eddie] From the client side, JWT does seem trickier
#
[eddie] I would have to actually add that JWT code into the mobile apps rather than hosting some html or a JSON file on a server like the current options provide
#
Loqi gRegorLove has 21 karma in this channel over the last year (109 in all channels)
#
gRegorLove Did I just get karma from a spammer?
#
[eddie] I think so, because it didn’t show up on Slack
#
[eddie] Hahaha
#
Loqi hahaha
#
Ruxton it didnt show up in IRC either
#
gRegorLove sweet
#
gRegorLove yeah, spammers... definitely spammers. not my own bot. ;)
#
aaronpk wooowwww
#
aaronpk [eddie]: so your concern is about encoding the client ID JWT in the mobile app?
#
AngeloGladding what is twilio
#
Loqi https://indieweb.org/twilio
#
AngeloGladding what is Twilio
#
Loqi https://indieweb.org/twilio
cweiske joined the channel
#
Ruxton damn, wish i could /mode #indieweb-dev +b *!*@c-68-34-131-209.hsd1.al.comcast.net :P
#
Zegnat is once again trying to read the Solid WebID spec ...
#
Zegnat JSON << https://twobithistory.org/2017/09/21/the-rise-and-rise-of-json.html
#
Loqi ok, I added "https://twobithistory.org/2017/09/21/the-rise-and-rise-of-json.html" to the "See Also" section of /JSON https://indieweb.org/wiki/index.php?diff=52386&oldid=46887
#
jeremycherfas Any podcasters who want to check their own logs, here is an amazing resource I just discovered https://podnews.net/article/podcast-app-useragents
#
Zegnat What is user agent?
#
Loqi User-agent is a common HTTP header that generally indicates the name, version, and a URL for the application making the request, and is also a robots_txt command (User-agent:) that tells specific robots by name to obey the following commands https://indieweb.org/user-agent
#
Zegnat user agent << https://podnews.net/article/podcast-app-useragents
#
Loqi ok, I added "https://podnews.net/article/podcast-app-useragents" to the "See Also" section of /user-agent https://indieweb.org/wiki/index.php?diff=52387&oldid=46367
#
jeremycherfas It strikes me that it might be possible to make use of that to build a tool that would parse a log and extract all that information to present in a clean way. Could be interesting.
[jgmac1106] joined the channel
#
[jgmac1106] so glad there is no IndieWeb white paper....avoiding temptation to write a snarky white paper article stub
#
Zegnat jeremycherfas, should be easy enough actually. If you have the server access logs, almost trivial
#
jeremycherfas On my list now for a future project
#
jeremycherfas I actually think the data display would be the most difficult part.
#
Zegnat https://gionkunz.github.io/chartist-js/ is pretty easy to work with, if you are looking for front-end graph rendering. I use it for my weight graph
#
[jgmac1106] @petermolnar are you sending sms messages as way to POSSE?
#
jeremycherfas Noted! Thanks.
[kevinmarks] joined the channel
#
petermolnar [jgmac1106]: https://petermolnar.net/home-sms-gateway-with-mqtt-gammu-thinkpad/ - since this, I reworked it quite a few times, and to be fair, I'm not actively using it right now
#
Loqi [Peter Molnar] Self-hosted home SMS gateway
#
petermolnar summary: I have a former laptop of mine, a ThinkPad T400 as home server, which has a minipci 3g modem; that can be used with either python or gammu to send sms
#
[jgmac1106] wow thanks
#
[jgmac1106] I thought about this but I am going back to Known: https://wordpress.org/plugins/wp-sms/
#
Loqi [Verona Labs] Description By WP SMS you can add the ability of SMS sending to your WordPress product. So you can send SMS to your newsletter subscribers or your users and get their attentions to your site and products. Using WP SMS you can enjoy many features, Yo...
#
[kevinmarks] this is super nerdy terminal lore: http://xn--rpa.cc/essays/term
#
sknebel !tell aaronpk: re that oauth draft, details on how *exactly* one is supposed to verify the signature seems missing. I guess without it there is a small loss (no registered callback url, but at least same domain could still be enforced/warned about)
#
Loqi Ok, I'll tell them that when I see them next
[schmarty] and [eddie] joined the channel
#
[eddie] !tell aaronpk I don't think it's a problem to do it from the client side. Just noticed it shifts the "burden" mostly from the IndieAuth server to the IndieAuth client. Not sure if there is one side that is better to deal with the complexity than the other.
#
Loqi Ok, I'll tell them that when I see them next
KartikPrabhu and eli_oat joined the channel
#
skippy good mornign.
ben_thatmustbeme, [eddie], [dougbeal], Loqi, [schmarty], [tantek], jgmac1106 and [jgmac1106] joined the channel
#
gweedo767sa Found it. https://support.apple.com/en-us/HT208033
[tantek], [dougbeal], jackjamieson, [eddie] and [jgmac1106] joined the channel
#
[jgmac1106] will throw this here as well, my generic webmention page getting too big full of blank avatars what do folks think of something like: https://webmentionavatar.glitch.me/
#
aaronpk is that like an auto-generated placeholder avatar?
#
Loqi aaronpk: sknebel left you a message 6 hours, 2 minutes ago: re that oauth draft, details on how *exactly* one is supposed to verify the signature seems missing. I guess without it there is a small loss (no registered callback url, but at least same domain could still be enforced/warned about)
#
Loqi aaronpk: [eddie] left you a message 5 hours, 26 minutes ago: I don't think it's a problem to do it from the client side. Just noticed it shifts the "burden" mostly from the IndieAuth server to the IndieAuth client. Not sure if there is one side that is better to deal with the complexity than the other.
#
aaronpk i wouldn't want to put a face to someone's name that isn't theirs
#
aaronpk that's why my blank avatar looks barely like a person
#
[jgmac1106] i know that is a placeholder
#
[jgmac1106] it would be the real person from the hcard, its just I have you like 17 times on my page
#
aaronpk i don't think i understand the question then
#
gRegorLove There's also /libravatar
#
[jgmac1106] instead of people showing up multiple times I want them to show up once with a counter: http://jgregorymcverry.com/about-me-2/
#
Loqi [john] Hi Greg, Not sure how you want the image to display, but I had a quick pass at this: http://johnjohnston.info/blog/flickr-faves/
#
aaronpk ohhhh i didn't notice the hover
#
[jgmac1106] I just used a place holder as an example
#
[jgmac1106] ...okay that would be problem, ill make the opacity .1 before hover or something
#
gRegorLove That's interesting tantek's rsvp post shows even though it's not in-reply-to your about page
#
[jgmac1106] all my generic mentions to jgregorymcverry.com go there
#
gRegorLove I'm even more confused, where did "I post everywhere" come from? not tantek's post
#
[jgmac1106] and stupid WordPress keeps stripping my p tags, exit door stage left
#
gRegorLove That's the inverse of the issue I usually run into thanks to wpautop(), haha
[kevinmarks], swentel and renem joined the channel
#
sknebel !tell [Rose] there's a " missing right at the top of your homepage: <link rel="alternate" type="application/atom+xml" href="https://www.rosemaryorchard.com/blog.atom /> <--- href has no closing "
#
Loqi Ok, I'll tell them that when I see them next
[schmarty] and KartikPrabhu joined the channel
#
@kickscondor Just a little proposal to use 301 permanent redirects on http://Webmention.io. http://github.com/aaronpk/webmention.io/issues/113 (twitter.com/_/status/1047208240604504064)
[schmarty] and [Rose] joined the channel