#dev 2018-12-10

2018-12-10 UTC
iasai and snarfed joined the channel
#
@obiwankimberly ↩️ @kplawver Do you mean something like https://brid.gy/ ? (twitter.com/_/status/1071932310835085312)
#
@jgmac1106 ↩️ yeah you need any help with https: http://brid.gy Known, or WordPress #IndieWeb stop by chat anytime. We can help get you the other 10% of the way (https://quickthoughts.jgregorymcverry.com/s/25UruT) (twitter.com/_/status/1071933506257862661)
iasai, [Serena], mblaney1 and ayman joined the channel
#
ayman hello
iasai joined the channel; mblaney1 left the channel
#
aaronpk omg [eddie] you're killing me! I clicked the indigenous action on an event and it said RSVP but then said it isn't implemented yet!
#
aaronpk https://i.imgur.com/aYp8a9J.png
iasai and [eddie] joined the channel
#
[eddie] Lol oops! Sorry!! I expected to have that implemented awhile ago!!
#
[eddie] Hahaha
#
Loqi awesome
#
[eddie] The good news is I’ve got a lot to do on Indigenous it needs a lot of love, so that’s my early 2019 focus
cweiske, iasai, gRegorLove_, [jgmac1106], [pfefferle], jgmac1106, petermolnar and KartikPrabhu joined the channel
#
sknebel security pre-announcement for phpMyAdmin, incase someone runs that themselves: https://www.phpmyadmin.net/news/2018/12/9/upcoming-security-release-pre-announcement/
#
Loqi phpMyAdmin contributors
swentel, iasai, eduardm, jeremych_, [pfefferle], deathrow1, barpthewire, snarfed, [kevinmarks] and [eddie] joined the channel
#
[eddie] (from meta) swentel, what's your IndieAuth question? I can see if I can answer it
#
swentel yeah, should pull it here indeed
#
swentel main reason I ask is that I know what to answer on the security review that's going on now on the drupal indieweb module ;)
#
sknebel what's the benefit of refresh tokens for our use cases?
#
[eddie] That's a good reason 🙂 I think a big thing about IndieWeb specs (like IndieAuth) only implement things when we find a need. I'm sure it's useful security-wise, but it's interesting that we haven't run into any major issues without them yet
#
swentel well, in a way it's a security thing I guess, that's something I know which will come up
snarfed1 joined the channel
#
[eddie] There's definitely no technical reason holding it back
#
swentel that's true
#
[eddie] but most IndieAuth servers and Micropub clients don't support it (as it's an added burden than a static token)
#
swentel I'm sure none of them do right now
#
Zegnat I’d have to do a lot of reading, I feel like, to be able to even say what it will adds
#
[eddie] On my side I enjoy no refresh tokens and just knowing I can cancel existing tokens at any time on my server
#
[eddie] I think the biggest gain for expire/refresh tokens would probably be for hosted IndieAuth token endpoints
#
[eddie] where the user doesn't have direct control
#
swentel however, since I switch to signed jwt tokens, I'm not worried anymore, so it's not that I /want/ it badly or so
#
swentel s/not/not that
#
sknebel they help if your token is intercepted in transit - the token can only be misused for a limited time
#
swentel indeed
#
swentel that's probably the biggest reason refresh tokens exists I guess, haven't read the background on that
#
sknebel I guess they also help against partial compromise of the app - even if the refresh token is compromised, you need to be able to impersonate the app to turn it into a new access token
#
sknebel (at least for apps with registered callback_urls)
#
aaronpk No it doesn't solve that because IndieAuth apps are all public clients and the refresh token doesn't need anything secret to be able to turn it into a new access token
#
aaronpk the refresh token is just posted to the token endpoint to refresh it, not done in any sort of redirect
#
swentel yeah, in a way refresh tokens are kind of dumb too
#
sknebel ah, right "require client authentication for confidential clients or for any client that was issued client credentials" - which we don't have
#
aaronpk The main benefit is it lets the token endpoint issue purely stateless tokens while also being able to revoke them later
#
sknebel if you always replace the refresh token, at least you can notice "something" has happened if the refresh token gets misused too I guess
#
aaronpk I'd say it's more useful if we started adding PKCE support to IndieAuth apps first
#
aaronpk since there are more ways someone can steal an authorization code right now than steal an access token in a way that they wouldn't also get the refresh token
#
aaronpk The nice thing about PKCE is all the clients can start doing it now even before the servers support it. (It won't help anything until the server supports it but it's a nice progressive enhancement)
#
sknebel also works transparently with servers that don#t support it
#
Zegnat pkce++
#
Loqi pkce has 1 karma over the last year
#
sknebel jinx
#
swentel funny that if you google it, you find https://aaronparecki.com/oauth-2-simplified/#mobile-apps ;-)
iasai joined the channel
#
Zegnat Though I still haven’t found the time to work on auth stuff :( Hopefully next week, now that work is going back to normal
#
aaronpk this is kind of my job :-)
#
swentel PKCE looks interesting indeed
deathrow1 joined the channel
#
sknebel I guess the autoauth stuff in a weird way achieves something similar to refresh tokens, except the control over it is shared
#
sknebel in that a client can replace a short-lived token without involving the user, thanks to holding a different token
#
[eddie] Yeah it does look interesting. Probably won't be a super quick add-on, but I think I'll try to add support in Indigenous for iOS when it comes time https://github.com/EdwardHinkle/indigenous-ios/issues/242
#
Loqi [EdwardHinkle] #242 Add PKCE support to IndieAuth
#
swentel opens an issue too
#
aaronpk i'm not super familiar with the APIs, but appauth.io handles the PKCE stuff automatically and _might_ be possible to use with indieauth?
#
aaronpk if nothing else you can steal code from it
#
swentel oh wow yeah
#
swentel that's good to know
[jgmac1106], eli_oat, iasai, snarfed and [tantek] joined the channel
#
GWG Did I miss a PKC3, refresh and expiring token discussion? Darn
#
Loqi misses a too
#
aaronpk you never really miss a discussion on IRC, feel free to start it back up again
#
GWG I still want to offer the option of expiring tokens if not used for a while
#
GWG Which is different then a traditional expiring token
#
GWG The question is how do most clients deal with an invalid token
#
aaronpk without a refresh token, the only thing they can do is consider it either a temporary error or log the user out
#
GWG I am thinking about OYG and such, where they use the token without user input
#
GWG How does the user know it failed?
#
aaronpk bridgy does a pretty good job of this
#
GWG That's the only question I considered for expiring disused tokens
#
GWG aaronpk, who is your weather provider?
#
aaronpk i think it's the one that's shutting down soon
#
GWG That's what I was getting at
#
GWG I am having trouble hedging against that
#
GWG And avoiding API costs of an excessive nature
#
GWG I may have to build a hybrid system
#
aaronpk that's basically what i did with atlas.p3k.io
#
aaronpk so i only have to swap the provider out there without changing a bunch of code
[pfefferle] joined the channel
#
GWG aaronpk, I did the same by abstraction
#
GWG I am thinking of using the National Weather Service, but I need to be able to fall back outside the US
#
GWG Does the EU have a weather service?
#
Zegnat Didn’t someone mention using a Canadian gov weather service?
#
Zegnat cjwillcock?
deathrow1|absnt joined the channel
#
GWG Zegnat, correct
#
GWG I have no problem adding it
#
GWG I added DarkSky in 20 minutes
#
GWG But I keep running against daily API limits and service deaths so I need to get a creative
iasai joined the channel
#
Zegnat GWG, looks like the Swedish weather service has public data https://opendata.smhi.se/apidocs/metobs/index.html unsure what is included in it
#
GWG Zegnat, I will wait till I visit Sweden
#
Zegnat Hehe
snarfed joined the channel
#
sknebel the norwegians also have an API (that's also useful in some other countries), but as a soft discouragement of misuse they only publish the API docs in norwegian and ask that people do not publish translations :D
#
Zegnat That sounds like an interesting policy
#
GWG I think I can cover most of my travel with just the us service
#
GWG That's my plan at least
#
GWG I also added json output to my home weather station
#
Zegnat I was looking at the Dutch weather service, but can’t find any data. Surprising, I thought they were government owned.
#
Zegnat Also interesting, they do ask people to submit measurements. So they have no problem importing, just with sharing. (https://wow.knmi.nl/)
#
GWG I just wonder what the NWS does if you ask it's API for something outside the US
#
GWG I should check
#
sknebel Zegnat: can't have a state-run service offering services for free that companies could sell!1. at least that's the issue in Germany...
#
Loqi yea
#
Zegnat I think if it was Sweden I would explicitly be allowed to demand whatever data they are collecting
#
Zegnat Huh. The WOW crowdsourcing thing may be international: http://wow.metoffice.gov.uk/
#
sknebel I might be able to do that too here, with the usual 30 days allowed processing delay etc :D
#
sknebel (there was some really ugly legal crap when the german weather service started offering their own apps...)
#
GWG I also have aircrafts flying over my house in a json format. I have yet to figure out a cool thing to do on my site with that
#
sknebel background image similar to aarons?
[chrisaldrich], tantek, leg and [tantek] joined the channel
#
tantek Wow: "We will sunset all Google+ APIs in the next 90 days." - https://www.blog.google/technology/safety-security/expediting-changes-google-plus/ (posted today)
iasai joined the channel
#
tantek and "We have also decided to accelerate sunsetting consumer Google+, bringing it forward from August 2019 to April 2019."
swentel and [jgmac1106] joined the channel
#
[jgmac1106] ,.......somethign must be really really bad in vunerability.....of having a platform where people bitch about you taking away a platform is bad for business
#
[jgmac1106] go back to the old model of customer service for Google....a user supported listserv with information three years out of date
#
tantek what is Google+
#
Loqi Google is primarily used for searching the open web (where indieweb sites typically rank highly), but also produces end user software, and hosts a number of content silos and other services https://indieweb.org/Google
#
tantek what is Google Plus
#
Loqi Google+ (AKA Google Plus, GPlus, or G+) is both a social content hosting silo operated by Google, similar in many respects to Facebook, and a centralized Google identity service for other Google services like YouTube https://indieweb.org/Google_Plus
#
tantek guess that identity piece is gone now
snarfed joined the channel
#
snarfed eh no it's still there, just not g+ branded
#
Loqi snarfed: swentel left you a message 2 days, 7 hours ago: finally figured out why webmentions sometimes didn't work from fed.bridgy - the html response is gzipped and on my server it isn't decoded ... funky - not sure if this is mention-php client or a server/php thing, but I can at least debug further now :)
#
snarfed ...hasn't been for a while now
#
tantek snarfed, what is it then?
#
tantek if it doesn't have a different name, I'm just going to drop it
#
tantek without a name, no way to refer to it
#
snarfed single sign on. "login with google." i'm fine with dropping it, your call
#
tantek searched for "login with google" - nothing on first page of Google results that's hosted on (*.)google.com
#
snarfed oh i don't know the official product name
#
snarfed looks like "google sign-in." https://developers.google.com/identity/
#
tantek thank you!
[johnjohnston] joined the channel
#
tantek What is Google Identity Platform
#
Loqi It looks like we don't have a page for "Google Identity Platform" yet. Would you like to create it? (Or just say "Google Identity Platform is ____", a sentence describing the term)
#
tantek Google Identity Platform is https://developers.google.com/identity/ (formerly part of Google+) a proprietary identity provider for building [[Google Sign-In]] support into your applications that only provides Google-controlled identities, and does not accept externally provided identities.
#
Loqi ok
iasai and snarfed joined the channel
#
swentel hmmm
#
swentel https://fediverse.blog/~/FederationTesting@baptiste.gelez.xyz/plume-and-the-indie-web
#
swentel interesting
#
swentel should see if I can reply with bridgy fed :-)
#
swentel ah bummer
#
snarfed ?
#
swentel https://fed.brid.gy/log?start_time=1544480167&key=https%3A%2F%2Frealize.be%2Freply%2Fcontent%2F1685+https%3A%2F%2Ffediverse.blog%2F%7E%2FFederationTesting%40baptiste.gelez.xyz%2Fplume-and-the-indie-web
#
swentel snarfed ^
#
swentel trying to reply on something new
#
swentel just for testing :)
#
snarfed ah, so that's a blog, not an ostatus or AP site
#
swentel well, https://joinplu.me/ says it is using AP
#
swentel of course maybe that part isn't fully working yet
#
snarfed yeah
#
snarfed "Couldn't fetch https://fediverse.blog/~/FederationTesting... as ActivityStreams 2" is the key part of the bridgy fed log
#
swentel hmm readme on github says 'basic federation'
#
swentel will have to wait a bit heh
[eddie] and iasai joined the channel
#
swentel it's interesting that it came to mastodon though
#
swentel see https://toot.cafe/@zack
#
swentel (unless I'm seeing it wrong)
#
snarfed true! although when i search for and view @0x1C3B00DA@baptiste.gelez.xyz in mastodon, i see a toot that has the title and a link to that article, not the article itself
#
snarfed https://snarfed.org/0x1C3B00DA.png
#
snarfed so i suspect the article itself is not an AP-accessible post
#
swentel hmm, but the canonical url (if you hover '4h' goes to the article)
#
swentel oh well, I replied on https://toot.cafe/@zack/101206779193111042 - it's his test account, will see if I can get more details from him :)
#
Loqi [Zack] Hey, #IndieWeb peeps! I proposed microformat support for #Plume and one of the contributors is working on it. https://github.com/Plume-org/Plume/issues/229 I just started learning about the indieweb myself so feel free to hop in and offer guidance.
[jgmac1106] joined the channel
#
tantek https://andregarzia.com/2018/12/while-we-blink-we-loose-the-web.html
#
tantek n.b. for those into /URL_design see the "PS:" at the end - good example why not to use slugs as a required part of your permalinks
#
aaronpk that's hilarious
iasai joined the channel