#dev 2018-12-10

2018-12-10 UTC
iasai and snarfed joined the channel
@jgmac1106
↩️ yeah you need any help with https: http://brid.gy Known, or WordPress #IndieWeb stop by chat anytime. We can help get you the other 10% of the way (https://quickthoughts.jgregorymcverry.com/s/25UruT)
(twitter.com/_/status/1071933506257862661)
iasai, [Serena], mblaney1 and ayman joined the channel
ayman
hello
iasai joined the channel; mblaney1 left the channel
aaronpk
omg [eddie] you're killing me! I clicked the indigenous action on an event and it said RSVP but then said it isn't implemented yet!
iasai and [eddie] joined the channel
[eddie]
Lol oops! Sorry!! I expected to have that implemented a while ago!!
[eddie]
Hahaha
Loqi
awesome
[eddie]
The good news is I’ve got a lot to do on Indigenous, it needs a lot of love, so that’s my early 2019 focus
cweiske, iasai, gRegorLove_, [jgmac1106], [pfefferle], jgmac1106, petermolnar and KartikPrabhu joined the channel
sknebel
security pre-announcement for phpMyAdmin, in case someone runs that themselves: https://www.phpmyadmin.net/news/2018/12/9/upcoming-security-release-pre-announcement/
Loqi
phpMyAdmin contributors
swentel, iasai, eduardm, jeremych_, [pfefferle], deathrow1, barpthewire, snarfed, [kevinmarks] and [eddie] joined the channel
[eddie]
(from meta) swentel, what's your IndieAuth question? I can see if I can answer it
swentel
yeah, should pull it here indeed
swentel
main reason I ask is that I know what to answer on the security review that's going on now on the drupal indieweb module ;)
sknebel
what's the benefit of refresh tokens for our use cases?
[eddie]
That's a good reason 🙂 I think a big thing about IndieWeb specs (like IndieAuth) is that they only implement things when we find a need. I'm sure it's useful security-wise, but it's interesting that we haven't run into any major issues without them yet
swentel
well, in a way it's a security thing I guess, that's something I know which will come up
snarfed1 joined the channel
[eddie]
There's definitely no technical reason holding it back
swentel
that's true
[eddie]
but most IndieAuth servers and Micropub clients don't support it (as it's an added burden compared to a static token)
swentel
I'm sure none of them do right now
Zegnat
I’d have to do a lot of reading, I feel like, to be able to even say what it would add
[eddie]
On my side I enjoy no refresh tokens and just knowing I can cancel existing tokens at any time on my server
[eddie]
I think the biggest gain for expire/refresh tokens would probably be for hosted IndieAuth token endpoints
[eddie]
where the user doesn't have direct control
swentel
however, since I switched to signed JWT tokens, I'm not worried anymore, so it's not that I /want/ it badly or so
swentel
s/not/not that
sknebel
they help if your token is intercepted in transit - the token can only be misused for a limited time
swentel
indeed
swentel
that's probably the biggest reason refresh tokens exist I guess, haven't read the background on that
sknebel
I guess they also help against partial compromise of the app - even if the refresh token is compromised, you need to be able to impersonate the app to turn it into a new access token
sknebel
(at least for apps with registered callback_urls)
aaronpk
No it doesn't solve that because IndieAuth apps are all public clients and the refresh token doesn't need anything secret to be able to turn it into a new access token
aaronpk
the refresh token is just posted to the token endpoint to refresh it, not done in any sort of redirect
swentel
yeah, in a way refresh tokens are kind of dumb too
sknebel
ah, right "require client authentication for confidential clients or for any client that was issued client credentials" - which we don't have
aaronpk
The main benefit is it lets the token endpoint issue purely stateless tokens while also being able to revoke them later
sknebel
if you always replace the refresh token, at least you can notice "something" has happened if the refresh token gets misused too I guess
aaronpk
I'd say it's more useful if we started adding PKCE support to IndieAuth apps first
aaronpk
since there are more ways someone can steal an authorization code right now than steal an access token in a way that they wouldn't also get the refresh token
aaronpk
The nice thing about PKCE is all the clients can start doing it now even before the servers support it. (It won't help anything until the server supports it but it's a nice progressive enhancement)
sknebel
also works transparently with servers that don't support it
Zegnat
pkce++
Loqi
pkce has 1 karma over the last year
iasai joined the channel
Zegnat
Though I still haven’t found the time to work on auth stuff :( Hopefully next week, now that work is going back to normal
aaronpk
this is kind of my job :-)
swentel
PKCE looks interesting indeed
deathrow1 joined the channel
sknebel
I guess the autoauth stuff in a weird way achieves something similar to refresh tokens, except the control over it is shared
sknebel
in that a client can replace a short-lived token without involving the user, thanks to holding a different token
[eddie]
Yeah it does look interesting. Probably won't be a super quick add-on, but I think I'll try to add support in Indigenous for iOS when it comes time https://github.com/EdwardHinkle/indigenous-ios/issues/242
Loqi
[EdwardHinkle] #242 Add PKCE support to IndieAuth
swentel
opens an issue too
aaronpk
i'm not super familiar with the APIs, but appauth.io handles the PKCE stuff automatically and _might_ be possible to use with indieauth?
aaronpk
if nothing else you can steal code from it
swentel
oh wow yeah
swentel
that's good to know
[jgmac1106], eli_oat, iasai, snarfed and [tantek] joined the channel
GWG
Did I miss a PKCE, refresh and expiring token discussion? Darn
Loqi
misses a too
aaronpk
you never really miss a discussion on IRC, feel free to start it back up again
GWG
I still want to offer the option of expiring tokens if not used for a while
GWG
Which is different than a traditional expiring token
GWG
The question is how do most clients deal with an invalid token
aaronpk
without a refresh token, the only thing they can do is consider it either a temporary error or log the user out
GWG
I am thinking about OYG and such, where they use the token without user input
GWG
How does the user know it failed?
aaronpk
bridgy does a pretty good job of this
GWG
That's the only question I considered for expiring disused tokens
GWG
aaronpk, who is your weather provider?
aaronpk
i think it's the one that's shutting down soon
GWG
That's what I was getting at
GWG
I am having trouble hedging against that
GWG
And avoiding API costs of an excessive nature
GWG
I may have to build a hybrid system
aaronpk
that's basically what i did with atlas.p3k.io
aaronpk
so i only have to swap the provider out there without changing a bunch of code
[pfefferle] joined the channel
GWG
aaronpk, I did the same by abstraction
GWG
I am thinking of using the National Weather Service, but I need to be able to fall back outside the US
GWG
Does the EU have a weather service?
Zegnat
Didn’t someone mention using a Canadian gov weather service?
Zegnat
cjwillcock?
deathrow1|absnt joined the channel
GWG
Zegnat, correct
GWG
I have no problem adding it
GWG
I added DarkSky in 20 minutes
GWG
But I keep running against daily API limits and service deaths so I need to get creative
iasai joined the channel
Zegnat
GWG, looks like the Swedish weather service has public data https://opendata.smhi.se/apidocs/metobs/index.html unsure what is included in it
GWG
Zegnat, I will wait till I visit Sweden
snarfed joined the channel
sknebel
the Norwegians also have an API (that's also useful in some other countries), but as a soft discouragement of misuse they only publish the API docs in Norwegian and ask that people do not publish translations :D
Zegnat
That sounds like an interesting policy
GWG
I think I can cover most of my travel with just the US service
GWG
That's my plan at least
GWG
I also added JSON output to my home weather station
Zegnat
I was looking at the Dutch weather service, but can’t find any data. Surprising, I thought they were government owned.
Zegnat
Also interesting, they do ask people to submit measurements. So they have no problem importing, just with sharing. (https://wow.knmi.nl/)
GWG
I just wonder what the NWS does if you ask its API for something outside the US
GWG
I should check
sknebel
Zegnat: can't have a state-run service offering services for free that companies could sell!1. at least that's the issue in Germany...
Zegnat
I think if it was Sweden I would explicitly be allowed to demand whatever data they are collecting
Zegnat
Huh. The WOW crowdsourcing thing may be international: http://wow.metoffice.gov.uk/
sknebel
I might be able to do that too here, with the usual 30 days allowed processing delay etc :D
sknebel
(there was some really ugly legal crap when the German weather service started offering their own apps...)
GWG
I also have aircraft flying over my house in a JSON format. I have yet to figure out a cool thing to do on my site with that
sknebel
background image similar to aaron's?
[chrisaldrich], tantek, leg and [tantek] joined the channel
tantek
Wow: "We will sunset all Google+ APIs in the next 90 days." - https://www.blog.google/technology/safety-security/expediting-changes-google-plus/ (posted today)
iasai joined the channel
tantek
and "We have also decided to accelerate sunsetting consumer Google+, bringing it forward from August 2019 to April 2019."
swentel and [jgmac1106] joined the channel
[jgmac1106]
...something must be really really bad in vulnerability... having a platform where people bitch about you taking away a platform is bad for business
[jgmac1106]
go back to the old model of customer service for Google... a user-supported listserv with information three years out of date
tantek
what is Google+
Loqi
Google is primarily used for searching the open web (where indieweb sites typically rank highly), but also produces end user software, and hosts a number of content silos and other services https://indieweb.org/Google
tantek
what is Google Plus
Loqi
Google+ (AKA Google Plus, GPlus, or G+) is both a social content hosting silo operated by Google, similar in many respects to Facebook, and a centralized Google identity service for other Google services like YouTube https://indieweb.org/Google_Plus
tantek
guess that identity piece is gone now
snarfed joined the channel
snarfed
eh no it's still there, just not g+ branded
Loqi
snarfed: swentel left you a message 2 days, 7 hours ago: finally figured out why webmentions sometimes didn't work from fed.bridgy - the html response is gzipped and on my server it isn't decoded ... funky - not sure if this is mention-php client or a server/php thing, but I can at least debug further now :)
snarfed
...hasn't been for a while now
tantek
snarfed, what is it then?
tantek
if it doesn't have a different name, I'm just going to drop it
tantek
without a name, no way to refer to it
snarfed
single sign on. "login with google." i'm fine with dropping it, your call
tantek
searched for "login with google" - nothing on first page of Google results that's hosted on (*.)google.com
snarfed
oh i don't know the official product name
tantek
thank you!
[johnjohnston] joined the channel
tantek
What is Google Identity Platform
Loqi
It looks like we don't have a page for "Google Identity Platform" yet. Would you like to create it? (Or just say "Google Identity Platform is ____", a sentence describing the term)
tantek
Google Identity Platform is https://developers.google.com/identity/ (formerly part of Google+) a proprietary identity provider for building [[Google Sign-In]] support into your applications that only provides Google-controlled identities, and does not accept externally provided identities.
iasai and snarfed joined the channel
swentel
interesting
swentel
should see if I can reply with bridgy fed :-)
swentel
ah bummer
swentel
snarfed ^
swentel
trying to reply on something new
swentel
just for testing :)
snarfed
ah, so that's a blog, not an ostatus or AP site
swentel
well, https://joinplu.me/ says it is using AP
swentel
of course maybe that part isn't fully working yet
snarfed
"Couldn't fetch https://fediverse.blog/~/FederationTesting... as ActivityStreams 2" is the key part of the bridgy fed log
swentel
hmm readme on github says 'basic federation'
swentel
will have to wait a bit heh
[eddie] and iasai joined the channel
swentel
it's interesting that it came to mastodon though
swentel
(unless I'm seeing it wrong)
snarfed
true! although when i search for and view @0x1C3B00DA@baptiste.gelez.xyz in mastodon, i see a toot that has the title and a link to that article, not the article itself
snarfed
so i suspect the article itself is not an AP-accessible post
swentel
hmm, but the canonical url (if you hover '4h') goes to the article
swentel
oh well, I replied on https://toot.cafe/@zack/101206779193111042 - it's his test account, will see if I can get more details from him :)
Loqi
[Zack] Hey, #IndieWeb peeps! I proposed microformat support for #Plume and one of the contributors is working on it. https://github.com/Plume-org/Plume/issues/229 I just started learning about the indieweb myself so feel free to hop in and offer guidance.
[jgmac1106] joined the channel
tantek
n.b. for those into /URL_design see the "PS:" at the end - good example why not to use slugs as a required part of your permalinks
aaronpk
that's hilarious
iasai joined the channel