2019-07-07 UTC
# 00:12 Loqi jacky: [tantek] left you a message 9 hours, 49 minutes ago: a bit delayed, re: how to display reply content from others on your site, we've been collecting various how-tos, exampes, techniques here: https://indieweb.org/comments # 00:13 jacky ooh interesting bit re: singular vs plural valuemachine, gRegorLove, [wtmonroe], Ruthiarcos, [tantek] and [fluffy] joined the channel
# 05:42 [fluffy] [aaronpk] I’m getting pretty close to rolling out a version of Publ with IndieAuth support. Any chance I could get beesbuzz.biz added as a client ID so I can start using it on my own site? 🙂 dhanesh95, vilhalmer, eddy[m]1, JeffMaherVegas[m, rklaehn[m]1, oed3[m], Akshay[m4, macerbi[m]1, Ja3ood[m], placer14[m], Swedneck_, npfoss[m], balupton[m], Lolicon[m], card[m], AXEL-Lee5595[m], enricomarino[m], infominer[m], strugee, prtfw[m], WidgetBotiocli1[, jamietanna[m], celso[m4, jee[m], rittme[m], jenncloud5838[m], andrewxhill[m], zoglesby, ritewhose[m], mattl, Giyomu[m], Kongaloosh, valuemachine, cuibonobo, jimpick, discord[m], astrojuanlu[m], freethinkingaway, aaronpk[m], sfroment[m], sacha[m], iiogama[m], new0ne[m], Nebulous[m], manfred[m], Romaric[m]1, sander[m], tom85[m], romaric[m], drbh[m], Valium[m], RealSnazzy[m], Tianyi[m]1, vasa[m], gorhgorh[m]1, Tianyi[m], Keegen[m], gnunicorn[m], Senshi[m], mZ[m], mikeal[m], stevej[m], cesarosum[m], Gorka[m], gorhgorh[m]2, rklaehn[m], chris[m]3, maparent[m], gozala[m], Mairkur[m], drshamoon[m], aeddi[m], pierreboc[m], celso[m]1, M[AXEL]Darr[m], Rick[m]1, celso[m], CantiTurtleCoin[, AXEL-Lee[m], msena3[m], fozzie[m], AXEL-Brian[m], CryptoEmpress[m], jenncloud[m], Akshay[m]1, Expherience[m], eddy[m], Clment[m], grantcodes[m], carsonfarmer[m], phynite[m], plindner[m], myfreeweb, ketudb[m], jgmac1106[m], Rixon, omz13[m], hvergara[m] and [KevinMarks] joined the channel
gRegorLove and dhanesh95 joined the channel
[jgmac1106] joined the channel
# 12:39 [jgmac1106] dns over https didn't break anything for IndieAuth for me, not that it should but just wanted to check # 12:44 GWG Mozilla is the enemy of the people and all that gRegorLove, ben_thatmustbeme, [wtmonroe], [jgmac1106] and jgmac1106 joined the channel
# 15:05 jgmac1106 a new feature in firefox (dev 67.0.4) has me go to an open tab if I try to typt the same root domain in a new tab. Anyone know how to turn it off? [tantek], ben_thatmustbeme, petermolnar, [davidmead], [grantcodes], valuemac_ and leg joined the channel
# 18:48 GWG I am still trying to conceptualize what modifications I need to get to AutoAuth # 18:50 GWG sebsel, what are your stumbling blocks? # 18:50 sebsel we had some discussions in Åmål about the differences between the normal IndieAuth token flow and this new token flow # 18:51 sebsel to me, it feels like this is a totally different endpoint. # 18:51 sebsel but I've been yakshaving myself into writing a token endpoint for the 'normal' flow first, to get to know the details better. # 18:52 GWG I have the problem that tokens are tied to users on my platform # 18:53 GWG So, someone getting a token from my endpoint must be a user right now. # 18:53 GWG Having trouble reconciling that with unknowns # 18:53 sebsel yea, I have that too, which is why I now write a new one. # 18:54 GWG The simplest solution is to create users for external parties # 18:54 sebsel This could also be an argument for 'this is a different endpoint'. # 18:56 GWG I decided that I probably need to harden the security before allowing those users # 18:56 sebsel I should be careful with my thinking here indeed. My mind wants to think of it as a different endpoint and seeks excuses to do so. # 18:57 GWG My problem is that the token endpoint should be handling security, not the Micropub endpoint # 18:58 GWG But I have a fundamental architecture issue # 18:58 sebsel If you go to the basis of it, the token endpoint is just a place that takes a random string (the token) and maps it to a URL (the user the token represents) and some scopes. And it does the reverse: once it verified some steps, it gives out those tokens. # 18:58 sebsel There is not really a notion of 'user' there, other than that URL. # 18:59 GWG Correct, but that only works of you are on a platform that doesn't use users for permissions # 19:00 sknebel well, you potentially could have a kind of "holding state" for URLs that currently do not map to users # 19:00 GWG Also, look at the spec where it mentions user profiles # 19:01 sknebel if we assume that *if* an user-URL is granted special access to something a user for it will be created # 19:01 GWG For me, it is easier for that holding state to be a type of user # 19:01 sknebel "Also, look at the spec where it mentions user profiles" - what do you mean? # 19:02 sknebel true, but that doesn't have to 1:1 match your definition of a user deathrow1 joined the channel
# 19:03 sknebel the "holding state" would in my mind be something like "this request has a confirmed identity attached, but they're not a user, so they're treated the same as an unauthenticated request" # 19:04 GWG In the definition I am thinking of, a user would be a row in the user table. That allows it to be associated with arbitrary data like a user id, url, etc # 19:04 sknebel right, and I'm not sure you want to add a user just because someone made an authenticated request # 19:04 GWG If I don't do that, I have to change how I store tokens, as they are associated with the user id # 19:05 GWG Well, I had the idea of adding users to represent people in my contact list for a long time # 19:05 sknebel (unless you only give out tokens to users that actually exist as users in your system, but that also has pitfalls) # 19:05 GWG So I could import their h-card, subscribe/update it, allow for private responses, etc # 19:06 GWG Well, who should get authenticated posts if not people I trust? # 19:07 GWG aaronpk at IWS was commenting on letting anyone authenticate so you know who is reading your feed # 19:08 GWG Which is an interesting idea... I am oversimplifying that conversation # 19:08 sknebel it also enables people to follow you, including private posts, even if your system doesn't know them yet # 19:08 GWG So, back to the system automatically creating unprivileged users # 19:09 sknebel otherwise their (e.g.) reader would have to regularly attempt to auth, even if it has been failing for a long time, to make sure to catch the moment they're added # 19:09 GWG Is there a risk in adding a user who has no permissions that I could escalate over time? # 19:09 sknebel could be an annoyance - many users added you don't actually care about # 19:10 sebsel I have no knowledge of the wp_users table, but to me it feels like you want a different table for this info. # 19:10 sknebel bugs that allow escalation from any existing user now can become relevant # 19:11 sebsel From the token, you can get an identifier for the user, and all you have to do is anwer the question: can this user see this post? [tantek] joined the channel
# 19:11 sebsel showing feeds is a different problem then. But it almost feels like a taxonomy (if we're talking WP terms) # 19:13 sebsel A user_id, a row in the wp_users table, a profile URL... they are all not users, but just identifiers for a user (as in a human) # 19:13 sknebel but if WP has the infrastructure to handle this for WP users, it makes sense to use it # 19:16 GWG Which is why I will probably invest time in locking it down # 19:16 sebsel and with 'the infrastructure' you mean WP's login form? # 19:17 sknebel I'm assuming concepts for post permissions etc tied to users also already exist # 19:18 sebsel yea there is this 'subscriber' role, I believe. But again I'm no expert. # 19:19 GWG roles are just a collection of permissions # 19:20 sebsel a different angle on this: as a user, it is a nice feature to have a page with all my tokens, so I can revoke them. # 19:21 sebsel but here, the admin / writer of the blog, would be the one who wants to seee those tokens as well (?) # 19:21 sebsel hm, but there can be value in seeing my tokens on your site, as a reader, as well. [wtmonroe] joined the channel
# 19:29 sknebel sebsel: for the reader, that's something the auth endpoint can provide # 19:31 sknebel although I guess it might not know all attached detail, so a way of viewing them on the other side could still be useful # 19:32 sknebel it's an interesting question what kind of interface a site operator would need/want # 19:33 GWG I think talking IndieAuth UI would be a great conversation # 19:34 GWG I mirrored a lot of what I was seeing others doing, with a little original UI stevej[m] left the channel
# 19:41 GWG I have a token revokation admin page already # 19:41 GWG What I need is one for admins that can show all users # 19:42 sknebel question is: when would you revoke a users token as the admin? # 19:44 GWG But admins should know what tokens are issued on the system # 19:45 sknebel if you remove a users permissions, the token shouldn't matter (although a system might choose to automatically revoke tokens based on it?) jgmac1106 joined the channel
# 19:46 sknebel I guess for things like Micropub it makes sense, e.g. "service X is suddenly spamming broken posts, let's kill their token and not wait for the user to do it" # 19:47 sknebel I'm less sure it's important for read-only users, but still could be a thing # 19:49 sebsel yea, so: only create the user in the table once they have permissions attached # 19:49 GWG sknebel, right now, the system will issue tokens for scopes that reflect permissions the user doesn't have # 19:49 GWG It will fail when you try to use it silent_Activist[ joined the channel
# 19:50 GWG So, I have a lot of little things to handle around that # 19:50 sebsel the token is telling you: this is X who is viewing this. And you say: well X, I don’t know you and I don’t have any, so here is just the normal homepage # 19:50 GWG I want to uncheck the scope on the authorize page if you don't have it # 19:51 GWG Or rather, disable it automatically. # 19:51 GWG Either way, scope improvements are needed. # 19:52 GWG But, assuming I get past that stumbling block, I also need to build that private and public setup you mentioned. # 19:52 GWG So, lot of security hardening to make this work for me. # 19:52 GWG Which, what did you call it? Shaving? # 20:00 sebsel well if it's actual work it's not yak shaving. Yak shaving is doing the things you think are required, but are actually just keeping you from the real stuff. # 20:01 sknebel sebsel: which, as far as I know, is actually not the original definition of yak shaving [pfefferle] joined the channel
# 20:03 sebsel hm then I'm using it wrong. Either way, I'm procrastinating by building a token endpoint instead of doing real AutoAuth. # 20:04 Loqi [sknebel] #18 Pass data via Token Request vs Authorization Code Verification response? dougbeal|imac, lyon[m] and gRegorLove joined the channel
# 21:34 Loqi Ok, I'll tell them that when I see them next valuemachine, [KevinMarks] and KartikPrabhu joined the channel
Loqi jacky: [tantek] left you a message 9 hours, 49 minutes ago: a bit delayed, re: how to display reply content from others on your site, we've been collecting various how-tos, exampes, techniques here: https://indieweb.org/comments
@nhoizey ↩️ That’s what @AaronGustafson’s Webmention plugin for Jekyll does, with an additional refresh rate depending on the article age, so that every build is fast, while not losing any mention. (twitter.com/_/status/1147798614900715521)
[jgmac1106] dns over https didn't break anything for IndieAuth for me, not that it should but just wanted to check
@jaroslawjarosik ↩️ I'd probably put microsub servers and clients somewhere there too but that's a complex matter as these have no propertiary protocols and most often have no second one to pair, you just grab ones you like and they will play together nicely (twitter.com/_/status/1147925738043191296)
sknebel aaronpk: can you take a look at https://github.com/sknebel/AutoAuth/issues/18 ? there might be an answer along the lines of "OAuth prefers X" I don't know
gRegorLove !tell mblaney did my like of your post come through?