#swentel main reason I ask is that I know what to answer on the security review that's going on now on the drupal indieweb module ;)
#sknebel what's the benefit of refresh tokens for our use cases?
#[eddie] That's a good reason 🙂 I think a big thing about IndieWeb specs (like IndieAuth) only implement things when we find a need. I'm sure it's useful security-wise, but it's interesting that we haven't run into any major issues without them yet
#swentel well, in a way it's a security thing I guess, that's something I know which will come up
snarfed1 joined the channel
#[eddie] There's definitely no technical reason holding it back
#swentel that's probably the biggest reason refresh tokens exist I guess, haven't read the background on that
#sknebel I guess they also help against partial compromise of the app - even if the refresh token is compromised, you need to be able to impersonate the app to turn it into a new access token
#sknebel (at least for apps with registered callback_urls)
#aaronpk No it doesn't solve that because IndieAuth apps are all public clients and the refresh token doesn't need anything secret to be able to turn it into a new access token
#aaronpk the refresh token is just posted to the token endpoint to refresh it, not done in any sort of redirect
#swentel yeah, in a way refresh tokens are kind of dumb too
#sknebel ah, right "require client authentication for confidential clients or for any client that was issued client credentials" - which we don't have
#aaronpk The main benefit is it lets the token endpoint issue purely stateless tokens while also being able to revoke them later
#sknebel if you always replace the refresh token, at least you can notice "something" has happened if the refresh token gets misused too I guess
#aaronpk I'd say it's more useful if we started adding PKCE support to IndieAuth apps first
#aaronpk since there are more ways someone can steal an authorization code right now than steal an access token in a way that they wouldn't also get the refresh token
#aaronpk The nice thing about PKCE is all the clients can start doing it now even before the servers support it. (It won't help anything until the server supports it but it's a nice progressive enhancement)
#sknebel also works transparently with servers that don't support it
#sknebel the norwegians also have an API (that's also useful in some other countries), but as a soft discouragement of misuse they only publish the API docs in norwegian and ask that people do not publish translations :D
#tantek and "We have also decided to accelerate sunsetting consumer Google+, bringing it forward from August 2019 to April 2019."
swentel and [jgmac1106] joined the channel
#[jgmac1106] ,.......something must be really really bad in vulnerability.....of having a platform where people bitch about you taking away a platform is bad for business
#[jgmac1106] go back to the old model of customer service for Google....a user supported listserv with information three years out of date
#Loqi Google is primarily used for searching the open web (where indieweb sites typically rank highly), but also produces end user software, and hosts a number of content silos and other services https://indieweb.org/Google
#Loqi Google+ (AKA Google Plus, GPlus, or G+) is both a social content hosting silo operated by Google, similar in many respects to Facebook, and a centralized Google identity service for other Google services like YouTube https://indieweb.org/Google_Plus
#snarfed eh no it's still there, just not g+ branded
#Loqi snarfed: swentel left you a message 2 days, 7 hours ago: finally figured out why webmentions sometimes didn't work from fed.bridgy - the html response is gzipped and on my server it isn't decoded ... funky - not sure if this is mention-php client or a server/php thing, but I can at least debug further now :)
#Loqi It looks like we don't have a page for "Google Identity Platform" yet. Would you like to create it? (Or just say "Google Identity Platform is ____", a sentence describing the term)
#tantek Google Identity Platform is https://developers.google.com/identity/ (formerly part of Google+) a proprietary identity provider for building [[Google Sign-In]] support into your applications that only provides Google-controlled identities, and does not accept externally provided identities.
#snarfed true! although when i search for and view @0x1C3B00DA@baptiste.gelez.xyz in mastodon, i see a toot that has the title and a link to that article, not the article itself
#Loqi [Zack] Hey, #IndieWeb peeps! I proposed microformat support for #Plume and one of the contributors is working on it. https://github.com/Plume-org/Plume/issues/229
I just started learning about the indieweb myself so feel free to hop in and offer guidance.