#dev 2019-10-19

2019-10-19 UTC
[fluffy] and [dmitshur] joined the channel
#
[dmitshur] those who have implemented your own IndieAuth (or OAuth2) authorize endpoint, I'm curious how you've implemented the "Accept" button on the consent screen. does it make a POST request to your own backend? if so, to the same endpoint or another?
#
GWG Post. And same
#
[dmitshur] how do you tell apart the POST request from your consent screen vs the POST request from the client verifying the authorization code?
#
GWG They are different requests.
#
GWG So, the post request to the authorization endpoint returns an authorization code.
#
GWG Then the token endpoint makes the request to verify the authorization code and issues a token.
#
GWG So, the authorization endpoint returns a code, then the token endpoint makes a post request to verify that code
#
GWG Both transactions are dictated by query params
#
[dmitshur] I'm interested in knowing how you tell the two requests apart. One viable way seems to be to check if there's a "code" parameter, which must be present in the Authorization Code Verification request, but you can arrange for it to not be in your "Accept" button press.
#
[dmitshur] so if there are code, client_id, redirect_uri params, then it's a Authorization Code Verification request. else it's a consent screen button press.
#
GWG request_type and grant_type
#
GWG Dictates the requests.
#
GWG Perhaps try this book. It helped me. It is about OAuth
#
GWG https://aaronparecki.com/oauth-2-simplified/
#
[dmitshur] do you mean response_type?
#
GWG Yes.
#
GWG Sorry, it has been a while.
#
[dmitshur] np. thanks, that's helpful
#
GWG response_type=code indicates it expects to receive a code.
[jgmac1106] joined the channel
#
[dmitshur] interestingly, it seems different for IndieAuth specifically. the authn request has response_type=id but it's optional. there is no response_type parameter described in the Authorization Code Verification request.
#
[dmitshur] response_type=code is only relevant in the authorization flow.
#
GWG You are correct. Without it, it is verifying.
#
[dmitshur] unfortunately, https://aaronparecki.com/oauth-2-simplified/ doesn't seem to go into detail for how the consent screen is implemented hehe. it just says "The user sees the authorization prompt <picture> If the user clicks "Allow," the service redirects the user back to your site". what happens when the user clicks the "Allow" button? 😛 I mean I know this is an internal implementation detail that can be done in a any number of ways, but I'm
#
[dmitshur] looking to find out how most people do it and not try to come up with a unique way.
#
GWG I just have a form with a post screen
#
[dmitshur] I'm tempted to use a different path. that way I don't have to guess a sureway to tell the two requests apart. but then I gotta invent a separate path...
[fluffy] joined the channel
#
[fluffy] yeah it’s an implementation detail and “the service redirects the user back to your site” is shorthand for “the service redirects the user to a URL with the necessary callback information so that your application can obtain the authorization token and continue on to get the client token”
#
[fluffy] which two requests do you need to tell apart?
#
[fluffy] oh never mind I saw your previous post
#
[dmitshur] yep, that makes sense and I understand.
#
[dmitshur] the request that the browser makes when user (me) presses the "Accept" button vs https://indieauth.spec.indieweb.org/#authorization-code-verification
#
[fluffy] the user’s POST can be to a different endpoint/URL/whatever, or it can have a request argument that indicates that it’s the user granting access, or whatever
#
[fluffy] also if the user is granting access, presumably they’d be signed in with a session cookie or whatever
#
[fluffy] whereas the verification step wouldn’t be
#
[dmitshur] > the user’s POST can be to a different endpoint/URL/whatever, or it can have a request argument that indicates that it’s the user granting access, or whatever
#
[dmitshur] this is exactly what I'm trying to decide on. the "whatever" part 😛
#
[dmitshur] currently facing the problem of https://en.wikipedia.org/wiki/Overchoice
#
[dmitshur] it's like trying to come up with a name for a variable... one of those time when it's really hard.
#
[fluffy] so for what it’s worth, mastodon appears to just set some POST arguments to /oauth/authorize to tell it that it’s the consent grant
#
[dmitshur] do you know which arguments (and values)?
#
[fluffy] there’s an authenticity_token with some long random-looking data, then copies of client_id, redirect_uri, state, response_type, and scope
#
[dmitshur] does it happen to set authorize=1?
#
[fluffy] and the deny button also adds a _method=delete
#
[fluffy] I don’t see anything like that, no
#
[fluffy] I assume it uses the validity of authenticity_token (which is probably what it forwards along to the callback) along with the fact the user has a valid session
#
[fluffy] hm, no, it doesn’t forward that along, but it probably associates it with the client_id or something? I dunno. I dont’ feel like digging into debug logs enough to figure this out.
gRegorLove joined the channel
#
[dmitshur] POST /login/oauth/authorize
#
[dmitshur] github does something like:
#
[dmitshur] utf8=%E2%9C%93
#
[dmitshur] authorize=1
#
[dmitshur] ```
#
[dmitshur] authenticity_token=<...>
#
[dmitshur] client_id=<...>
#
[dmitshur] state=<...>
#
[dmitshur] redirect_uri=<...>
#
[dmitshur] scope=
#
[dmitshur] authorize=1
#
[dmitshur] ```
[manton] joined the channel
#
[dmitshur] hmm, confirming something. so when logging in to https://indieweb.org/, I see it uses indielogin.com. when I try to sign in with my dev website that has a WIP authorize endpoint, the client_id will be indielogin.com and there's no way I show that the original sign in request is for indieweb.org, can I.
#
[dmitshur] show on the consent screen*
#
[dmitshur] it makes sense, in that I _am_ allowing indielogin.com to identify me as me, and then I can only hope/trust that indielogin.com will forward that to indieweb.org. but my website can't know or make any guarantees about indieweb.org
#
[dmitshur] is this an example of where using indielogin.com (instead of implementing the authz endpoint directly on your site) can be create a worse user experience?
#
[dmitshur] e.g., if indieweb.org implemented indieauth itself instead of re-using indielogin.com, then my consent form can show that I'm trying to sign in to indieweb.org.
#
[dmitshur] I tried the 3 example apps that support IndieAuth listed at https://indieweb.org/IndieAuth#How_to and they're all using indielogin.com 😞
#
[dmitshur] the only non-indielogin.com client_id I was able to find so far was indieauth.com, via the "Try it now" sample at the bottom of https://indieauth.com/setup
KartikPrabhu and [Lewis_Cowles] joined the channel
#
[Lewis_Cowles] How are others dealing with synonyms?
#
[Lewis_Cowles] I have a heavyweight solution using a database, but I don't want any part of my main site to be database-driven. I'm thinking of using symbolic links, but then it doesn't really help discoverability
#
[Lewis_Cowles] The problem I am trying to solve is redirection based on deliberately chosen other words.
BenLubar joined the channel
#
[Lewis_Cowles] Like if I used to talk about graceful degredation, but I meant progressive enhancement, and a frontend person I worked with, pointed out, I'm an idiot because they are not the same
#
[Lewis_Cowles] Then I would be able to rename the references, check it made sense and maintain a symbolic link, rather than setup a 30X redirect in a web-server I may wish to migrate away from later
[aaronpk] joined the channel
#
[aaronpk] [dmitshur] you're right about the consent screen showing indielogin.com instead of the site you're actually trying to sign in to. That's a limitation right now, (which incidentally is the same limitation the banking industry is facing with OAuth which I'm working on another spec for)
BenLubar_, [Rose] and mblaney joined the channel
#
mblaney [dmitshur] let me know if you're after more implementations to have a look at but I've done similar to what GWG has described.
#
[aaronpk] Actually [dmitshur] it sounds like you've got it backwards. IndieLogin.com doesn't provide an IndieAuth server so it's not something you can use instead of implementing an authorization server on your site.
#
[aaronpk] But yes if the wiki implemented IndieAuth itself then your consent screen would show the wiki's client_id
mblaney and [christophe194] joined the channel
#
[christophe194] /
KartikPrabhu, discord[m]2, [KevinMarks] and [tantek] joined the channel
#
[tantek] 👋 [christophe194]
gxt, [Lewis_Cowles], [barryf], [frank], [tonz], [jgmac1106] and [dmitshur] joined the channel
#
[dmitshur] Curious to see the spec you’re working on if/when there are public artifacts
#
[dmitshur] [aaronpk] Ah, right, I did get that mixed up. I meant to say “using indielogin.com instead of implementing an IndieAuth consumer themselves” there. As I understand, it’s related to why you were hesitant to give me access to it. Thanks again for confirming. :)
#
aaronpk there is a draft right now, but it builds on oauth client registration so isn't really applicable to indieauth
#
[dmitshur] That’s ok, I’m still curious to see
#
aaronpk https://tools.ietf.org/id/draft-parecki-oauth-client-intermediary-metadata-00.txt
#
[dmitshur] thanks!
#
[dmitshur] I haven’t looked at the impl details but the problem statement reads nicely, and confirms what we discussed above
#
[dmitshur] I’m looking forward to adding my site to a new subsection under https://indieweb.org/IndieAuth#IndieWeb_Examples of people who implemented an IndieAuth consumer on their sites... will I be the first one, or am I missing an existing section elsewhere?
#
aaronpk there are definitely a few others
#
[dmitshur] (After I finish it of course)
#
aaronpk oh consumer
#
[dmitshur] Yep, specially consumer
#
[dmitshur] I’m working on both, but consumer seems to be more rarely implemented on one’s personal site directly.
#
[dmitshur] But I want to do it to 1) learn and 2) provide a better client_id and hence user experience to those signing in
#
[dmitshur] and 3) I promised my use of indielogin.com was temporary
#
aaronpk this would be the section to look at https://indieweb.org/IndieAuth#IndieAuth_Clients
#
aaronpk ah darn I was hoping https://unicyclic.com implemented from scratch but it uses indieauth.com too
#
[dmitshur] But that section isn’t entirely what I’m looking for. Eg it lists indieweb.org yet that site doesn’t impl indieauth consumer directly, it uses indielogin.com service
#
aaronpk I don't think we have a list of specfiically indieauth consumers
#
aaronpk just end user applications that you can use an indieauth identity to sign in to
#
[dmitshur] That’s why I want to start a new list... I wish it already existed, so if I finish my stuff, it’s my chance to help the next person who chooses to do this too
#
aaronpk so there is another place that has a similar list, which is micropub clients
#
aaronpk because a micropub client can't use indielogin.com
#
[dmitshur] noted, thanks. I’ll take a look
#
aaronpk https://indieweb.org/Micropub/Clients
#
[dmitshur] ty
#
[dmitshur] Oh, quick question while you’re here. I noticed indielogin.com doesn’t serve an h-app card. The indieauth spec says it “should”:
#
[dmitshur] It’s within spec not to, but I was wondering why doesn’t it? Is it just an unfinished TODO? Or just not very important?
#
[dmitshur] > The HTML on the client_id URL SHOULD be marked up with [h-app] Microformat to indicate the name and icon of the application.
#
[dmitshur] IndieAuth.com has one.
#
aaronpk hmm a combination of reasons I think... there has been some discussion about using alternative client info methods, such as a manifest file, so I think I was waiting on a resolution on that
#
[dmitshur] I see, thanks. Don’t consider this a request to implement it sooner, I just asked to understand better.
#
[dmitshur] It has a small benefit in that it serves as a distinct test case for the consent screen presentation. :p
#
aaronpk haha yeah
[frank], [tonz], [jacek], [fluffy], [snarfed], [schmarty] and dougbeal|mb1 joined the channel
#
[schmarty] listening in on the Shortcuts session at IWC Brighton. i like the approach that Rose uses for micropub building blocks in Shortcuts.
#
[schmarty] one shortcut per important piece of info. "IndieAuth" outputs a micropub auth token. "Micropub Endpoint" outputs the URL of her site's micropub endpoint.
#
[schmarty] simplifies their use when you actually need the value in a given Shortcut
#
[schmarty] sebsel mentioned the approach that i am trying - combining those nicely abstracted individual Shortcuts, and then making a single "Micropub Post" shortcut that takes in the properties for a post and hides away all the details of constructing and sending the post.
[jgmac1106], KartikPrabhu, jfoster and [dmitshur] joined the channel
#
[dmitshur] http://instantshare.win/ofvb35oc668t.png lol
#
[schmarty] Hahaha
#
Loqi [schmarty]: lol
#
[schmarty] dmitshur++
#
Loqi dmitshur has 4 karma in this channel over the last year (5 in all channels)
[dougbeal], [Michael_Beckwit, [Rose], [Lewis_Cowles] and jfoster joined the channel
#
sebsel [schmarty]: I believe you said so, and we looked into it in Amsterdam, but it seems like it’s quite impossible to obtain a JSON object / dictionary from an earlier step and then put it in an HTTP request :(
#
sebsel which make it harder to take that approach
#
[schmarty] argh, that's frustrating :]
#
[schmarty] err :[
#
sebsel we’ll find a way!
#
GWG https://timeago.org/ - Anyone have any alternative js libraries for this purpose? Found this by searching.
#
myfreeweb GWG: https://github.com/github/time-elements
#
Loqi [github] time-elements: Web component extensions to the standard <time> element.
#
GWG That means I have to change markup
#
myfreeweb well, you didn't say you wanted not to do that :)
#
myfreeweb i prefer doing everything via custom elements and not having a "site script" at all
#
GWG Well, I have to account for WordPress themes alas
KartikPrabhu joined the channel
#
[Rose] Hack day has started. Jeremy Cherfas has his mini project done!!!
#
[Rose] (I won't spoiler, you'll have to see the demos tomorrow to find out what it is)
fLsh42Discord[m] joined the channel
#
[schmarty] what time is it for adactio?
#
Loqi In adactio's timezone, Europe/London, it is currently 9:15pm on October 19
#
[schmarty] the pre-hack-day hack time is paying off 😄
evantravers joined the channel
#
sebsel Yes, we really not in the AirBnB and really not doing hack-day stuff.
#
sebsel That'd be cheating
#
[schmarty] 😄
[qubyte] joined the channel
#
[qubyte] For my little projects for tomorrow I want to integrate some shortcuts (inspired by [Rose]'s session on them at the end of the day). I know some building blocks are hosted on blogs, but does anyone have links handy?
#
[Rose] Give me half an hour and I'll get you the blog post I've been working on with the links.
#
aaronpk no, nobody here is working on any hack day projects, not at all
[snarfed] joined the channel
#
[qubyte] oops
#
[qubyte] Sorry, I didn't mean to rush you! I can wait until tomorrow!
#
[Rose] It may be tomorrow morning. As I am definitely not reading Okta documentation right now.
#
[Rose] hides BBEdit.
#
[qubyte] This is good. I'm more likely to get some sleep tonight. 👍
#
[Rose] 😛
#
[qubyte] I'm tempted to cheat a bit with the indieauth side of this. Since I'm me and definitely not someone else, I might allow my micropub server to check for a shared secret as an alternative to the token.
#
[Rose] It’s not a terrible idea, unless someone else gets the shared secret
#
[Rose] You could always check for dfghjkoiuhghjkjn header being equal to fgyuihbufdftyuhjbvcf or something else though if you want to do security through obscurity
#
aaronpk [qubyte]: I don't see how that helps you? you need to send some sort of token to micropub clients. I guess you could send the same random string to every micropub client you log in to
#
GWG aaronpk: Quill work?
#
aaronpk oh I see you're talking about shortcuts specifically
#
aaronpk so yeah you can hard-code a token
#
aaronpk that's fine, that's barely cheating
#
[qubyte] I already have indieauth in place (I currently use omnibear to post notes and bookmarks).
#
[Rose] https://www.icloud.com/shortcuts/02cae0afe95f43078708a80e88fb68a8
#
[Rose] IndieAuth in a Shortcut
#
aaronpk ah then rose's shortcut above is the best option
#
[Rose] 99.9% of the credit for this goes to Sebsel
#
[qubyte] Since I'm effectively writing the client by putting shortcuts together, the need to trust the software is less significant (and I can trust myself not to expose a secret).
#
aaronpk yeah if you have the ability to hard-code a token in your backend you can do that. it's not the best security, but it's not terrible.
#
mblaney aaronpk I only use indieauth.com as a fallback if no authorization endpoint was found?
#
[qubyte] But! If it's already there and easy to integrate then I'll just use the IndieAuth since I've already got the endpoint for it. What has me a little wary is the generation of the token, which becomes similarly dangerous to a shared secret anyway.
#
[Rose] I should note, I have nothing in place inside of any of these Shortcuts to handle “token invalid”
#
Loqi +1
#
[Rose] So I’m building a Shortcut right now to let you delete any of the config files.
#
aaronpk mblaney: sorry what is the context of this?
#
mblaney https://chat.indieweb.org/dev/2019-10-19/1571494637313400
#
Loqi [aaronpk] ah darn I was hoping https://unicyclic.com implemented from scratch but it uses indieauth.com too
#
aaronpk oh! haha that was so long ago sorry
#
aaronpk been a long day
#
mblaney yeah I bet!
#
aaronpk gotcha! that's great, I only tested with one of my scratch identities and I think I even typo'd it.
#
aaronpk that is for [dmitshur]! so there you go, there's another indieauth identity consumer!
#
[Rose] Why am I failing to find docs on sending a photo post to micropub (I already have the URLs of the images)
#
aaronpk there is an example here: https://micropub.net/draft/#json-syntax
#
[Rose] Ahhh, I remember now why I wasn’t doing it the right way
#
aaronpk uhoh why
#
[Rose] Shortcuts doesn’t support setting an array to an existing list
#
[Rose] You have to recreate the list.
#
aaronpk don't you already know how many photos you're posting at the same time?
#
[Rose] It doesn't work like that.
#
GWG aaronpk, why did you drop flight tracking stuff?
#
[Rose] You have to specify the number when creating the shortcut.
#
GWG likes flight tracking stuff
#
[Rose] So I can make a design decision that you will always post X photos, but if you more more or fewer than X it may break spectacularly
#
[Rose] More it would just drop your images, less your micropub endpoint gets empty images.
#
[Rose] I’m trying something else, this may also break spectacularly
#
aaronpk ohhh funny
#
aaronpk GWG: that flight tracking thing relied on an API that changed to a paid model
#
aaronpk and I wasn't super happy with how it worked anyway
#
GWG aaronpk, didn't you see the v3 beta?
#
aaronpk no
#
aaronpk in any case i'd need to rewrite it
#
GWG https://flightaware.com/commercial/flightxml/v3/pricing.rvt
#
GWG And you get an extra 500 queries if you have a Piaware
#
GWG Which I do
#
GWG If you find good flight APIs, tell me
#
aaronpk right now i'm scraping from their HTML 🙈 but i'm not gonna put that into an app other people can use
#
GWG I may play with their beta to see if I can use it
#
[Rose] Working IndieAuth Shortcut: https://www.icloud.com/shortcuts/24f7b4eb708b4aa094a8d0fc2b5fdcaf
#
[Rose] That was a lot of wasted time debugging
#
[Rose] (Tip: if you never save the token it won’t work!)
gRegorLove joined the channel
#
[Rose] And the workaround I tried does not work
#
[Rose] More thinking required
#
aaronpk is that the Shortcuts version of "is it plugged in?"
#
[Rose] What was Zegnat’s page where I can see what I posted to a micropub endpoint?
#
Loqi It looks like we don't have a page for "Zegnat’s page where I can see what I posted to a micropub endpoint" yet. Would you like to create it? (Or just say "Zegnat’s page where I can see what I posted to a micropub endpoint is ____", a sentence describing the term)
#
Zegnat sink.zegnat.net
#
Zegnat What is Sink?
#
Loqi Sink is an experimental site by Martijn van der Ven that allows anyone with an IndieAuth enabled URL to post to it using any Micropub client https://indieweb.org/Sink
#
Zegnat That the one you mean, [Rose]?
#
[Rose] Yes
#
[Rose] Do I need to IndieAuth?
#
Zegnat Yes
#
aaronpk as it
#
Zegnat Because it was also an experiment in multi-author blogs
#
Zegnat Though you may be able to just do that once and record the Bearer token out of bounds?
#
@aaronpk ↩️ Sorry, that was my fault! The error should have said that there was no link found, and that's because Twitter URLs can't be used when http://webmention.io is handling the request. I just fixed http://webmention.io tho! (twitter.com/_/status/1185674675377987584)
#
aaronpk ^^ that was a fix I just pushed to webmention.io that I finally figured out thanks to sebsel trying to use tantek's webmention form which failed for completely unrelated reasons
dougbeal|mb1 joined the channel
#
sebsel which still means my RSVP is not delivered to Tantek, but that's more on Tantek's side
[dougbeal] joined the channel
#
[Rose] ends up uploading her pictures for the umpteenth time
#
@aaronpk ↩️ It'd be great if you could drop a Twitter link into someone's webmention form, but that'll take me a while to figure out. In the mean time if that person is using https://brid.gy it'll work without anyone doing any manual work. (twitter.com/_/status/1185675826685067264)
#
@aaronpk ↩️ It'd be great if you could drop a Twitter link into someone's webmention form, but that'll take me a while to figure out. In the mean time if that person is using https://brid.gy it'll work without anyone doing any manual work. (twitter.com/_/status/1185675826685067264)
[tantek] joined the channel
#
[dougbeal] [Rose]: is there a shortcut enabled PGP app? 👹
#
[Rose] Not that I know of
#
[dougbeal] I think I would trust iCloud Keychain with my private key 🤔
#
[Rose] Then you probably need to use scriptable to interface with the iCloud Keychain
#
[Rose] Which is also how I'm going to solve this photo post issue. Make a dictionary, pass it to scriptable which posts it.
#
[Rose] Maybe, now the trick I tried is working in another Shortcut…
[asuh], jfoster and [grantcodes] joined the channel
#
[grantcodes] Been working on a thing the last few days! I'm building out kinda fancy micropub ui components with the goal of integrating them into all my tools: https://grantcodes.github.io/postrchild-editor/?path=/story/components--kitchen-sink
#
[grantcodes] There's a lot of fun stuff in there like searching for locations (that generate full hCards), nearby locations for checkins, url previews, fancy categories, nice media management with alt text support and probably some more stuff I'm blanking on
#
aaronpk whoa
#
aaronpk wait i'm already logged into this somehow
#
[grantcodes] Lol nah
#
aaronpk or did you use me as an example hahaha
#
Loqi nice
#
[grantcodes] I copy and pasted the syndication options from the spec 😛
#
[grantcodes] I just need to add a media upload function. Then I can attempt to make a full client on glitch that people should be able to remix pretty easily
#
aaronpk wow
#
aaronpk [Rose]: OwnYourGram now lets you completely disable polling!
#
aaronpk [Rose]: and now also https://ownyourgram.com/photos?url= works!
#
Loqi #OwnYourGram
jfoster joined the channel