#dev 2019-03-17

2019-03-17 UTC
iasai and [aaronpk] joined the channel
# 00:33 
[aaronpk] Reading it over again, I'm not sure grant_type=authorization_code is the right term for the first step either
# 00:33 
[aaronpk] Wasn't there a flow diagram somewhere? Couldn't find it on the wiki or GitHub
iasai joined the channel
# 00:50 
@beka_valentine ↩️ the set up I have in mind is a Pi Zero W or other similarly cheap computer with Labrys pre-installed and already set up, that you just plug into your home network and configure via a nice UI, and now you have

1) an IndieAuth identity server
2) a web server
3) web autonomy (twitter.com/_/status/1107081720015147008)
[jgmac1106], iasai, snarfed and [aaronpk] joined the channel
# 06:44 
[aaronpk] [sknebel] give the intro here a read, it sounds very similar to the goals of this IndieAuth extension https://leastprivilege.com/2013/12/23/advanced-oauth2-assertion-flow-why/
# 06:53 
[aaronpk] This also sounds similar to what we're trying to do https://tools.ietf.org/html/rfc7521
iasai, [tonz], [aaronpk] and [kevinmarks] joined the channel
# 09:09 
Zegnat The flow described in that blogpost seems very close to what we are trying to do. Will read the RFC after my tea
[Rose] joined the channel
# 09:12 
Zegnat One difference seems to be that it lets a client talk directly to the resource's Auth server (token endpoint?) and we specifically only wanted clients to talk to the user's endpoint. That way your trusted endpoint knows about all the tokens ans can revoke for rogue clients
iasai joined the channel
# 09:25 
sknebel [aaronpk]: diagrams are linked from github issue
# 09:25 
sknebel also thx for the links, will take a look at them later
# 09:29 
sknebel [aaronpk]: also, feel free to open tons of github issues for concerns or suggestions you have - while I think I understand how the various OAuth bits work, I don't have a intuition for how new stuff fits into that framework properly
# 09:31 
Zegnat Hmm, assertions look to be dependent on prior established trust. From skimreading the RFC. E.g. I requires assertions to be cryptographically signed to stop tampering, but the only way to verify such a signature is through prior exchanges. Or you need to tack on some sort of key discovery system.
# 09:37 
sknebel diagram: https://www.svenknebel.de/temp/autoauth_diagram.svg
# 09:37 
[aaronpk] Yea ignore that part, or rather replace "signing key" with our mechanism of http verification
iasai joined the channel
# 10:06 
Zegnat  all (post assertion to auth_endpoint).
# 10:06 
Zegnat At that point you may as well also ignore the expiry times that are a MUST for assertions and suddenly you are mostly (completely?) back to what AutoAuth already describes. Because the assertion may as well be a random token now, it doesn’t need to contain any accessible information.
# 10:06 
Zegnat I don’t think there is a lot left from assertions when you ignore the part that makes assertions self contained. Now when you receive an assertion you need to check who is is for (example.com) who the issuer is (example.com/auth) then you need to contact who it is for to see if they still use that issuer (fetch example.com and check if auth_endpoint is /auth) and then you need to contact the issuer to see if the assertion is valid at
jeremych_, [Rose] and [jgmac1106] joined the channel
# 10:38 
jeremycherfas I had one of those small hours of the morning conceptual coding breakthroughs, and I am itching to try it, but I have to get tomorrow's podcast finished first.
iasai joined the channel
# 11:29 
Zegnat Do people have favourite (open-source) tools for doing HTTP request / API debugging?
[aaronpk] joined the channel
# 11:45 
[aaronpk] curl?
# 11:45 
[aaronpk] I've been trying to use postman lately but I feel like it got confusing
# 11:46 
Zegnat I love curl for seeing all the data, but I find it a bit frustrating when I am trying to rapidly test different request bodies and so on
[Rose] joined the channel
# 11:48 
[Rose] Huh, you folks must be reading my mind, I'm wrestling with curl right now.
# 11:58 
[aaronpk] I usually end up making a text file to save curl commands and quickly edit them and repeat them
# 12:06 
Zegnat Oh, wow, Feedbin API apparently doesn’t let me go through all feeds within 1 tag. Argh
# 12:10 
GWG Another exciting Indieweb dev day
# 12:45 
GWG Thinking about UIs for different post types
# 12:47 
GWG I need to improve my UI because I found some errors in saving data I am not yet displaying, so didn't notice the problem
[frank], iasai and [tonz] joined the channel
# 14:15 
Zegnat !cancel #6524
# 14:15 
Loqi Okay, I cancelled it!
[jgmac1106], [pfefferle] and iasai joined the channel
# 18:15 
[jgmac1106] !tell schmarty a recording on how to fork the webring would be pretty cool, want to set one up for https://remixer.visualthinkery.com/a/bloggersInk lot of my friends adding this
# 18:15 
Loqi Ok, I'll tell them that when I see them next
[Rose], gRegorLove, [tantek], iasai, [frank], [jgmac1106] and KartikPrabhu joined the channel
# 21:16 
@jgmac1106 Look how #edu307  webmention badges display on a student post: https://literaryadventuresofjenn.wordpress.com/2019/02/21/book-group-thoughts/#comment-11 Time to reclaim assessment and start badging from your own domain. #OpenBadges #IndieWeb (https://quickthoughts.jgregorymcverry.com/s/1d9gxA) (twitter.com/_/status/1107390160252137472)
iasai and snarfed joined the channel
# 22:26 
GWG snarfed, pfefferle and I connected to talk Semantic Linkbacks
iasai, KartikPrabhu and snarfed joined the channel