#[aaronpk] Reading it over again, I'm not sure grant_type=authorization_code is the right term for the first step either
#[aaronpk] Wasn't there a flow diagram somewhere? Couldn't find it on the wiki or GitHub
iasai joined the channel
#@beka_valentine the setup I have in mind is a Pi Zero W or other similarly cheap computer with Labrys pre-installed and already set up, that you just plug into your home network and configure via a nice UI, and now you have
1) an IndieAuth identity server
2) a web server
3) web autonomy (twitter.com/_/status/1107081720015147008)
[jgmac1106], iasai, snarfed and [aaronpk] joined the channel
iasai, [tonz], [aaronpk] and [kevinmarks] joined the channel
#Zegnat The flow described in that blogpost seems very close to what we are trying to do. Will read the RFC after my tea
[Rose] joined the channel
#Zegnat One difference seems to be that it lets a client talk directly to the resource's Auth server (token endpoint?) and we specifically only wanted clients to talk to the user's endpoint. That way your trusted endpoint knows about all the tokens and can revoke for rogue clients
iasai joined the channel
#sknebel [aaronpk]: diagrams are linked from github issue
#sknebel also thx for the links, will take a look at them later
#sknebel [aaronpk]: also, feel free to open tons of github issues for concerns or suggestions you have - while I think I understand how the various OAuth bits work, I don't have an intuition for how new stuff fits into that framework properly
#Zegnat Hmm, assertions look to be dependent on prior established trust. From skim-reading the RFC. E.g. it requires assertions to be cryptographically signed to stop tampering, but the only way to verify such a signature is through prior exchanges. Or you need to tack on some sort of key discovery system.
#Zegnat At that point you may as well also ignore the expiry times that are a MUST for assertions and suddenly you are mostly (completely?) back to what AutoAuth already describes. Because the assertion may as well be a random token now, it doesn’t need to contain any accessible information.
#Zegnat I don’t think there is a lot left from assertions when you ignore the part that makes assertions self contained. Now when you receive an assertion you need to check who it is for (example.com), who the issuer is (example.com/auth), then you need to contact who it is for to see if they still use that issuer (fetch example.com and check if auth_endpoint is /auth) and then you need to contact the issuer to see if the assertion is valid at
jeremych_, [Rose] and [jgmac1106] joined the channel
#jeremycherfas I had one of those small hours of the morning conceptual coding breakthroughs, and I am itching to try it, but I have to get tomorrow's podcast finished first.
iasai joined the channel
#Zegnat Do people have favourite (open-source) tools for doing HTTP request / API debugging?