#dev 2018-10-02

2018-10-02 UTC
#
aaronpk
just found https://tools.ietf.org/html/draft-bradley-oauth-stateless-client-id-05#section-2 which is a different attempt at avoiding client registration, but this one solves it by using a full JWT as the client_id parameter and putting all the client info in the JWT
#
KartikPrabhu
what is JWT?
#
Loqi
JWT (JSON Web Token) is a method of encoding and signing JSON data in a URL-safe string https://indieweb.org/JWT
#
aaronpk
i'm curious if any of the indieauth implementors have an opinion on whether this would be easier than IndieAuth's method of using the app's URL as the client_id and fetching app info from the URL
#
aaronpk
my thoughts are that it's not easier, because with IndieAuth's method you can start out by just displaying the client_id parameter without any parsing, and then you can incrementally improve the implementation by fetching the URL to show the app's info
#
aaronpk
whereas this requires that you decode the JWT from the beginning
#
KartikPrabhu
are there any advantages to using JWT?
#
KartikPrabhu
is "you get all the info at once" the only use?
snarfed joined the channel
#
aaronpk
doesn't require an HTTP request to get the app info like name and logo and redirect URL
#
aaronpk
it does require an HTTP request if you want to verify the JWT signature, but that spec says that's optional anyway
#
aaronpk
you could also cache the public key so you'd only have to make the HTTP request the first time you see a new app
#
aaronpk
but i think saving the HTTP request is the only advantage
#
aaronpk
oh, i guess saving the HTTP request plus not needing a microformats parser
#
KartikPrabhu
but you do need the "decoder" bit
#
aaronpk
yep, it's trading microformats parsing for JWT parsing
#
KartikPrabhu
it might be possible to have both supported somehow?
#
KartikPrabhu
if someone wants to implement it
#
aaronpk
if you're not going to verify the JWT signature then JWT parsing is just `json_decode(base64_decode(explode('.',$jwt)[1]))`
#
aaronpk
hm, i'm trying to think if there are any security implications around the difference too, since we do gain something by having client_id be a URL
#
@jjdelc
The more I think about it, I think the idea that #Micropub and #Webmention endpoints could ve.. https://jj.isgeek.net/2018/10/02-123939-am/
(twitter.com/_/status/1046922627120553984)
[shurcool] and [eddie] joined the channel
#
[eddie]
JWT does seem pretty easy in my mind!
#
[eddie]
I also already use JWT in my IndieAuth code so that would be incredibly easy to implement on my server side.
#
[eddie]
I guess I do wonder about security. I guess the redirect url has to still match the client id so there’s no redirect issues
#
[eddie]
From the client side, JWT does seem trickier
#
[eddie]
I would have to actually add that JWT code into the mobile apps rather than hosting some html or a JSON file on a server like the current options provide
#
Loqi
gRegorLove has 21 karma in this channel over the last year (109 in all channels)
#
gRegorLove
Did I just get karma from a spammer?
#
[eddie]
I think so, because it didn’t show up on Slack
#
[eddie]
Hahaha
#
Loqi
hahaha
#
Ruxton
it didn't show up in IRC either
#
gRegorLove
yeah, spammers... definitely spammers. not my own bot. ;)
#
aaronpk
wooowwww
#
aaronpk
[eddie]: so your concern is about encoding the client ID JWT in the mobile app?
#
AngeloGladding
what is twilio
#
AngeloGladding
what is Twilio
cweiske joined the channel
#
Ruxton
damn, wish i could /mode #indieweb-dev +b *!*@c-68-34-131-209.hsd1.al.comcast.net :P
#
Zegnat
is once again trying to read the Solid WebID spec ...
#
Loqi
ok, I added "https://twobithistory.org/2017/09/21/the-rise-and-rise-of-json.html" to the "See Also" section of /JSON https://indieweb.org/wiki/index.php?diff=52386&oldid=46887
#
jeremycherfas
Any podcasters who want to check their own logs, here is an amazing resource I just discovered https://podnews.net/article/podcast-app-useragents
#
Zegnat
What is user agent?
#
Loqi
User-agent is a common HTTP header that generally indicates the name, version, and a URL for the application making the request, and is also a robots_txt command (User-agent:) that tells specific robots by name to obey the following commands https://indieweb.org/user-agent
#
Loqi
ok, I added "https://podnews.net/article/podcast-app-useragents" to the "See Also" section of /user-agent https://indieweb.org/wiki/index.php?diff=52387&oldid=46367
#
jeremycherfas
It strikes me that it might be possible to make use of that to build a tool that would parse a log and extract all that information to present in a clean way. Could be interesting.
[jgmac1106] joined the channel
#
[jgmac1106]
so glad there is no IndieWeb white paper....avoiding temptation to write a snarky white paper article stub
#
Zegnat
jeremycherfas, should be easy enough actually. If you have the server access logs, almost trivial
#
jeremycherfas
On my list now for a future project
#
jeremycherfas
I actually think the data display would be the most difficult part.
#
Zegnat
https://gionkunz.github.io/chartist-js/ is pretty easy to work with, if you are looking for front-end graph rendering. I use it for my weight graph
#
[jgmac1106]
@petermolnar are you sending sms messages as way to POSSE?
#
jeremycherfas
Noted! Thanks.
[kevinmarks] joined the channel
#
petermolnar
[jgmac1106]: https://petermolnar.net/home-sms-gateway-with-mqtt-gammu-thinkpad/ - since this, I reworked it quite a few times, and to be fair, I'm not actively using it right now
#
Loqi
[Peter Molnar] Self-hosted home SMS gateway
#
petermolnar
summary: I have a former laptop of mine, a ThinkPad T400 as home server, which has a minipci 3g modem; that can be used with either python or gammu to send sms
#
[jgmac1106]
wow thanks
#
[jgmac1106]
I thought about this but I am going back to Known: https://wordpress.org/plugins/wp-sms/
#
Loqi
[Verona Labs] Description By WP SMS you can add the ability of SMS sending to your WordPress product. So you can send SMS to your newsletter subscribers or your users and get their attentions to your site and products. Using WP SMS you can enjoy many features, Yo...
#
[kevinmarks]
this is super nerdy terminal lore: http://xn--rpa.cc/essays/term
#
sknebel
!tell aaronpk: re that oauth draft, details on how *exactly* one is supposed to verify the signature seem missing. I guess without it there is a small loss (no registered callback url, but at least same domain could still be enforced/warned about)
#
Loqi
Ok, I'll tell them that when I see them next
[schmarty] and [eddie] joined the channel
#
[eddie]
!tell aaronpk I don't think it's a problem to do it from the client side. Just noticed it shifts the "burden" mostly from the IndieAuth server to the IndieAuth client. Not sure if there is one side that is better to deal with the complexity than the other.
#
Loqi
Ok, I'll tell them that when I see them next
KartikPrabhu and eli_oat joined the channel
#
skippy
good morning.
ben_thatmustbeme, [eddie], [dougbeal], Loqi, [schmarty], [tantek], jgmac1106 and [jgmac1106] joined the channel
[tantek], [dougbeal], jackjamieson, [eddie] and [jgmac1106] joined the channel
#
[jgmac1106]
will throw this here as well, my generic webmention page getting too big full of blank avatars what do folks think of something like: https://webmentionavatar.glitch.me/
#
aaronpk
is that like an auto-generated placeholder avatar?
#
Loqi
aaronpk: sknebel left you a message 6 hours, 2 minutes ago: re that oauth draft, details on how *exactly* one is supposed to verify the signature seem missing. I guess without it there is a small loss (no registered callback url, but at least same domain could still be enforced/warned about)
#
Loqi
aaronpk: [eddie] left you a message 5 hours, 26 minutes ago: I don't think it's a problem to do it from the client side. Just noticed it shifts the "burden" mostly from the IndieAuth server to the IndieAuth client. Not sure if there is one side that is better to deal with the complexity than the other.
#
aaronpk
i wouldn't want to put a face to someone's name that isn't theirs
#
aaronpk
that's why my blank avatar looks barely like a person
#
[jgmac1106]
i know that is a placeholder
#
[jgmac1106]
it would be the real person from the hcard, it's just I have you like 17 times on my page
#
aaronpk
i don't think i understand the question then
#
[jgmac1106]
instead of people showing up multiple times I want them to show up once with a counter: http://jgregorymcverry.com/about-me-2/
#
Loqi
[john] Hi Greg, Not sure how you want the image to display, but I had a quick pass at this: http://johnjohnston.info/blog/flickr-faves/
#
aaronpk
ohhhh i didn't notice the hover
#
[jgmac1106]
I just used a place holder as an example
#
[jgmac1106]
...okay that would be a problem, I'll make the opacity .1 before hover or something
#
gRegorLove
That's interesting tantek's rsvp post shows even though it's not in-reply-to your about page
#
[jgmac1106]
all my generic mentions to jgregorymcverry.com go there
#
gRegorLove
I'm even more confused, where did "I post everywhere" come from? not tantek's post
#
[jgmac1106]
and stupid WordPress keeps stripping my p tags, exit door stage left
#
gRegorLove
That's the inverse of the issue I usually run into thanks to wpautop(), haha
[kevinmarks], swentel and renem joined the channel
#
sknebel
!tell [Rose] there's a " missing right at the top of your homepage: <link rel="alternate" type="application/atom+xml" href="https://www.rosemaryorchard.com/blog.atom /> <--- href has no closing "
#
Loqi
Ok, I'll tell them that when I see them next
[schmarty] and KartikPrabhu joined the channel
[schmarty] and [Rose] joined the channel