#dev 2019-10-01

2019-10-01 UTC
[adam]1, [manton]1, [schmarty]1, KartikPrabhu and shah^ joined the channel; nnst^ left the channel
cweiske and [Lewis_Cowles] joined the channel
#
[Lewis_Cowles]
welcome indeed [Paul_Robert Lloyd]
#
[Lewis_Cowles]
[Paul_Robert Lloyd] ++
#
aaronpk
paulrobertlloyd: I don't see any references to indielogin.com in that code, how are you ending up there?
#
[Lewis_Cowles]
Is it possible they are using IndieAuth directly now? https://gist.github.com/paulrobertlloyd/22a71f5db3dfa75c9df45e1c17a10521#file-routes-js-L6
#
[Lewis_Cowles]
https://gist.github.com/paulrobertlloyd/22a71f5db3dfa75c9df45e1c17a10521/revisions shows some history which seems to suggest not. bottom of authenticate redirects. Perhaps to a relative link which should be indielogin
ichoquo0Aigh9ie and [aaronpk] joined the channel
#
[aaronpk]
It looks like it fetches the url the user enters, which is right, but if that's the case then they shouldn't ever end up on indielogin.com because you can't use that to get an access token or do the IndieAuth flow
#
[aaronpk]
I also can't figure out what library "require('indieauth-helper')" is
#
[aaronpk]
There's no need to run both verifyCode and getToken. That's probably where the problem is
#
[aaronpk]
If you want an access token then run only getToken because that'll return both the token and the "me" value at the same time
#
[aaronpk]
The authorization code is meant to be one time use, so that's probably why the getToken is failing, because it's already been used to verify the code
[schmarty], krychu and paulrobertlloyd joined the channel
#
[Lewis_Cowles]
require('indieauth-helper') is https://grantcodes.github.io/indieauth-helper/#/?id=indieauth-helper
#
[Lewis_Cowles]
attribution [grantcodes]
#
[Lewis_Cowles]
Perhaps Login / Auth have been conflated
#
aaronpk
usually
#
paulrobertlloyd
[aaronpk] [Lewis_Cowles] Morning. Here’s the form I’m using on my sign-in page. This posts to IndieLogin.com, should it be posting to IndieAuth.com? https://gist.github.com/paulrobertlloyd/22a71f5db3dfa75c9df45e1c17a10521#file-sign-in-njk
#
aaronpk
paulrobertlloyd: what are you trying to do exactly?
#
aaronpk
are you trying to identify the user and then issue your own session cookie to get them logged in to this express app?
#
paulrobertlloyd
Essentially, I have some configuration/settings pages on a (Micropub) server that I want behind auth. I will later need an access token so that the user can post from that server to their own site.
#
paulrobertlloyd
But I will need to get an access token at some point too.
#
aaronpk
ok this is where the confusion is then
#
aaronpk
if you need an access token to post to a user's own site, then that access token has to come from their own authorization endpoint, and indielogin.com can't help you with that
#
aaronpk
so that form should post back to your express app, where you use the URL they enter to discover their own authorization endpoint, and then go send them off to that URL to log in
#
paulrobertlloyd
The URL being in the returned code (encoded)?
#
paulrobertlloyd
A token with a me value, essentially?
#
aaronpk
no, nothing is encoded
#
aaronpk
this is the response you get from the getToken method https://indieauth.spec.indieweb.org/#access-token-response
#
cweiske
I'm getting more and more pingback spam in the last weeks from sites that scrape my site and embed my images.
#
aaronpk
you'll need to drop the verifyCode() method you have, because that's using up the authorization code and the getToken() method is failing because the code has already been used
#
paulrobertlloyd
So it is possible to authenticate and request a token using that one step (possibly), but I need to pass the user’s token endpoint to that function?
#
aaronpk
when you get an access token you also get back the user's identifier (URL)
#
aaronpk
and in order to do that you have to interact with their own authorization endpoint and token endpoint
#
aaronpk
so you don't hard-code indielogin.com or indieauth.com at all
#
paulrobertlloyd
So I auth user via IndieLogin, then after that I can use the verified URL in the getToken method to request an access token, correct?
#
aaronpk
no, no indielogin at all
#
aaronpk
this section walks through it step by step https://indieauth.spec.indieweb.org/#authorization
#
paulrobertlloyd
So where should my sign in form point to? (I’ve read the specs plenty of times, but authentication/authorisation, similarly named tokens… it’s all quite opaque to the uninitiated, sadly!)
#
aaronpk
your sign-in form should point back to a route in your express app
#
paulrobertlloyd
Okay. Well sounds like using IndieLogin has thrown me off course! I need to handle it all on my side of things, using the helper library (hopefully!)
#
paulrobertlloyd
That’s really useful to know, thanks! What is IndieLogin for then, out of interest?
#
aaronpk
yep! indielogin.com is *only* for the case where you want to identify the user
#
aaronpk
for example the wiki uses it to log people in. the wiki doesn't need an access token because it doesn't try to post to their website
#
paulrobertlloyd
Okay, thanks for your help. Will have a second crack at this later this week, and hopefully get it working.
#
[Lewis_Cowles]
It seems to be a network-application-level service to enable you to login using google, twitter, etc without cluttering your apps with many client codes
#
aaronpk
[Lewis_Cowles]: yes, tho specifically while identifying the user by their own URL rather than by twitter/github/etc
#
[Lewis_Cowles]
would their own URL be a public or private resource?
#
[Lewis_Cowles]
or it doesn’t matter?
#
aaronpk
not sure what you mean
#
[Lewis_Cowles]
Then let's ignore it as I was trying to understand “identifying the user by their own URL”
#
aaronpk
the user types in their own URL (e.g. aaronpk.com) and then indielogin.com authenticates them by getting them to log in via twitter/github/indieauth/email/etc based on what profiles they link to from their website
#
[Lewis_Cowles]
given lewiscowles.co.uk indielogin.com would use my github to say “this is Lewis<User:734637348>“?
#
aaronpk
the result of indielogin.com is "yes the person at the computer is aaronpk.com"
#
[Lewis_Cowles]
Ha… Smart
#
[Lewis_Cowles]
So if someone pointed it at an employee page in an employee directory would it use the domain or the full URL?
#
aaronpk
the user's identifying URL can include a path
[tonz] joined the channel
#
[tonz]
e.g. my identifying url has /blog in its path. https://indieweb.org/User:Www.zylstra.org_blog
#
[Lewis_Cowles]
I’m sure the language used makes sense to all that are not me. The sequence diagram linked makes sense of the timings of things
#
[Lewis_Cowles]
the description that a URL can be an identifying URL makes sense
#
[Lewis_Cowles]
The bit I’m stuck on is how my login via GitHub would relate to the indieweb or any other page / app. I’ve looked for the content and all I have found is an sso link which sends me to indielogin with a code (perhaps the code is a token)
#
Loqi
RelMeAuth is a proposed open standard for using rel-me links to profiles on OAuth supporting services to authenticate via either those profiles or your own site. RelMeAuth is the technology behind web-sign-in. Editor Tantek Çelik (http://tante...
#
[Lewis_Cowles]
😂 so that is my confusion Tonz wiki page has no rel=“me” links.
#
[Lewis_Cowles]
🤦
#
[aaronpk]
his wiki page isn't part of the authentication flow, it's just a page he created after he logged in
[grantcodes] joined the channel
#
[grantcodes]
!tell paulrobertlloyd here is an express example of using the indieauth helper library (in a basic form) https://glitch.com/~indieauth-lib-wip
#
Loqi
Ok, I'll tell them that when I see them next
#
[Lewis_Cowles]
hmmm I got invalid session state from indielogin after adding rel=“me” to all my links. IndieLogin worked perfectly and even auto-picked a source of truth for authorizing with a third party (GitHub)
#
[Lewis_Cowles]
[grantcodes] ++
#
Loqi
[grantcodes] has 27 karma in this channel over the last year (45 in all channels)
#
[aaronpk]
"Invalid session state" usually means something is blocking cookies
krychu joined the channel
#
[Lewis_Cowles]
oh man… “privacy badger”
#
[Lewis_Cowles]
[aaronpk] ++
#
Loqi
[aaronpk] has 44 karma in this channel over the last year (183 in all channels)
#
[Lewis_Cowles]
I’m now using the indieweb wiki authed
#
[Lewis_Cowles]
😂
#
[Lewis_Cowles]
TBH I keep meaning to come back to indielogin, but this step has made me pause until I could understand it better
#
[Lewis_Cowles]
now I feel like I get it.
gxt, [schmarty], jgmac1106, [jgmac1106], krychu and [tonz] joined the channel
#
@johanbove
Activated Github POSSE #Indieweb publishing through https:/brid.gy/github on my site. #awesome
(twitter.com/_/status/1179009403518951425)
#
@johanbove
Activated Github POSSE #Indieweb publishing through https:/brid.gy on my site. #awesome
(twitter.com/_/status/1179009800417484802)
t-mo, [Lewis_Cowles], [jgmac1106], [snarfed] and krychu joined the channel
#
@ton_zylstra
Test of where this ends up on Twitter. Some weird interaction with http://Brid.gy going on. (https://www.zylstra.org/blog/2019/10/9566/)
(twitter.com/_/status/1179029700343209985)
[aaronpk], [schmarty] and jgmac1106 joined the channel
[pfefferle], Sm03leBr00tDisco, [tonz], [grantcodes], astraiaDiscord[m, leg, [Rose], gxt, [KevinMarks], krychu, jjuran, [fluffy] and gRegorLove joined the channel
#
[KevinMarks]
This is an interesting take - is it a problem to use cloud silos? https://diginomica.com/did-government-kill-oligopoly-or-just-send-it-back-us-cloud
[tantek], [Zach_Leatherman, [schmarty], [jgmac1106], KartikPrabhu, ambackDiscord[m] and sfoster_ joined the channel