#dev 2019-10-19
2019-10-19 UTC
[fluffy] and [dmitshur] joined the channel
# [dmitshur] those who have implemented your own IndieAuth (or OAuth2) authorize endpoint, I'm curious how you've implemented the "Accept" button on the consent screen. does it make a POST request to your own backend? if so, to the same endpoint or another?
# [dmitshur] how do you tell apart the POST request from your consent screen vs the POST request from the client verifying the authorization code?
# [dmitshur] I'm interested in knowing how you tell the two requests apart. One viable way seems to be to check if there's a "code" parameter, which must be present in the Authorization Code Verification request, but you can arrange for it to not be in your "Accept" button press.
# [dmitshur] so if there are code, client_id, redirect_uri params, then it's an Authorization Code Verification request. else it's a consent screen button press.
# [dmitshur] do you mean response_type?
# [dmitshur] np. thanks, that's helpful
[jgmac1106] joined the channel
# [dmitshur] interestingly, it seems different for IndieAuth specifically. the authn request has response_type=id but it's optional. there is no response_type parameter described in the Authorization Code Verification request.
# [dmitshur] response_type=code is only relevant in the authorization flow.
# [dmitshur] unfortunately, https://aaronparecki.com/oauth-2-simplified/ doesn't seem to go into detail for how the consent screen is implemented hehe. it just says "The user sees the authorization prompt <picture> If the user clicks "Allow," the service redirects the user back to your site". what happens when the user clicks the "Allow" button? 😛 I mean I know this is an internal implementation detail that can be done in any number of ways, but I'm
# [dmitshur] looking to find out how most people do it and not try to come up with a unique way.
# [dmitshur] I'm tempted to use a different path. that way I don't have to guess a sure way to tell the two requests apart. but then I gotta invent a separate path...
[fluffy] joined the channel
# [dmitshur] yep, that makes sense and I understand.
# [dmitshur] the request that the browser makes when user (me) presses the "Accept" button vs https://indieauth.spec.indieweb.org/#authorization-code-verification
# [dmitshur] > the user’s POST can be to a different endpoint/URL/whatever, or it can have a request argument that indicates that it’s the user granting access, or whatever
# [dmitshur] this is exactly what I'm trying to decide on. the "whatever" part 😛
# [dmitshur] currently facing the problem of https://en.wikipedia.org/wiki/Overchoice
# [dmitshur] it's like trying to come up with a name for a variable... one of those times when it's really hard.
# [fluffy] so for what it’s worth, mastodon appears to just set some POST arguments to /oauth/authorize to tell it that it’s the consent grant
# [dmitshur] do you know which arguments (and values)?
# [dmitshur] does it happen to set authorize=1?
gRegorLove joined the channel
# [dmitshur] github does something like:
# [dmitshur] utf8=%E2%9C%93
# [dmitshur] authorize=1
# [dmitshur] ```
# [dmitshur] authenticity_token=<...>
# [dmitshur] client_id=<...>
# [dmitshur] state=<...>
# [dmitshur] redirect_uri=<...>
# [dmitshur] scope=
# [dmitshur] authorize=1
# [dmitshur] ```
[manton] joined the channel
# [dmitshur] hmm, confirming something. so when logging in to https://indieweb.org/, I see it uses indielogin.com. when I try to sign in with my dev website that has a WIP authorize endpoint, the client_id will be indielogin.com and there's no way I show that the original sign in request is for indieweb.org, can I.
# [dmitshur] show on the consent screen*
# [dmitshur] it makes sense, in that I _am_ allowing indielogin.com to identify me as me, and then I can only hope/trust that indielogin.com will forward that to indieweb.org. but my website can't know or make any guarantees about indieweb.org
# [dmitshur] is this an example of where using indielogin.com (instead of implementing the authz endpoint directly on your site) can create a worse user experience?
# [dmitshur] e.g., if indieweb.org implemented indieauth itself instead of re-using indielogin.com, then my consent form can show that I'm trying to sign in to indieweb.org.
# [dmitshur] I tried the 3 example apps that support IndieAuth listed at https://indieweb.org/IndieAuth#How_to and they're all using indielogin.com 😞
# [dmitshur] the only non-indielogin.com client_id I was able to find so far was indieauth.com, via the "Try it now" sample at the bottom of https://indieauth.com/setup
KartikPrabhu and [Lewis_Cowles] joined the channel
# [Lewis_Cowles] How are others dealing with synonyms?
# [Lewis_Cowles] I have a heavyweight solution using a database, but I don't want any part of my main site to be database-driven. I'm thinking of using symbolic links, but then it doesn't really help discoverability
# [Lewis_Cowles] The problem I am trying to solve is redirection based on deliberately chosen other words.
BenLubar joined the channel
# [Lewis_Cowles] Like if I used to talk about graceful degradation, but I meant progressive enhancement, and a frontend person I worked with, pointed out, I'm an idiot because they are not the same
# [Lewis_Cowles] Then I would be able to rename the references, check it made sense and maintain a symbolic link, rather than set up a 30X redirect in a web-server I may wish to migrate away from later
[aaronpk] joined the channel
BenLubar_, [Rose] and mblaney joined the channel
mblaney and [christophe194] joined the channel
# [christophe194] /
KartikPrabhu, discord[m]2, [KevinMarks] and [tantek] joined the channel
gxt, [Lewis_Cowles], [barryf], [frank], [tonz], [jgmac1106] and [dmitshur] joined the channel
# [dmitshur] Curious to see the spec you’re working on if/when there are public artifacts
# [dmitshur] [aaronpk] Ah, right, I did get that mixed up. I meant to say “using indielogin.com instead of implementing an IndieAuth consumer themselves” there. As I understand, it’s related to why you were hesitant to give me access to it. Thanks again for confirming. :)
# [dmitshur] That’s ok, I’m still curious to see
# [dmitshur] thanks!
# [dmitshur] I haven’t looked at the impl details but the problem statement reads nicely, and confirms what we discussed above
# [dmitshur] I’m looking forward to adding my site to a new subsection under https://indieweb.org/IndieAuth#IndieWeb_Examples of people who implemented an IndieAuth consumer on their sites... will I be the first one, or am I missing an existing section elsewhere?
# [dmitshur] (After I finish it of course)
# [dmitshur] Yep, specially consumer
# [dmitshur] I’m working on both, but consumer seems to be more rarely implemented on one’s personal site directly.
# [dmitshur] But I want to do it to 1) learn and 2) provide a better client_id and hence user experience to those signing in
# [dmitshur] and 3) I promised my use of indielogin.com was temporary
# aaronpk this would be the section to look at https://indieweb.org/IndieAuth#IndieAuth_Clients
# aaronpk ah darn I was hoping https://unicyclic.com implemented from scratch but it uses indieauth.com too
# [dmitshur] But that section isn’t entirely what I’m looking for. Eg it lists indieweb.org yet that site doesn’t impl indieauth consumer directly, it uses indielogin.com service
# [dmitshur] That’s why I want to start a new list... I wish it already existed, so if I finish my stuff, it’s my chance to help the next person who chooses to do this too
# [dmitshur] noted, thanks. I’ll take a look
# [dmitshur] ty
# [dmitshur] Oh, quick question while you’re here. I noticed indielogin.com doesn’t serve an h-app card. The indieauth spec says it “should”:
# [dmitshur] It’s within spec not to, but I was wondering why doesn’t it? Is it just an unfinished TODO? Or just not very important?
# [dmitshur] > The HTML on the client_id URL SHOULD be marked up with [h-app] Microformat to indicate the name and icon of the application.
# [dmitshur] IndieAuth.com has one.
# [dmitshur] I see, thanks. Don’t consider this a request to implement it sooner, I just asked to understand better.
# [dmitshur] It has a small benefit in that it serves as a distinct test case for the consent screen presentation. :p
[frank], [tonz], [jacek], [fluffy], [snarfed], [schmarty] and dougbeal|mb1 joined the channel
# [schmarty] listening in on the Shortcuts session at IWC Brighton. i like the approach that Rose uses for micropub building blocks in Shortcuts.
# [schmarty] one shortcut per important piece of info. "IndieAuth" outputs a micropub auth token. "Micropub Endpoint" outputs the URL of her site's micropub endpoint.
# [schmarty] simplifies their use when you actually need the value in a given Shortcut
# [schmarty] sebsel mentioned the approach that i am trying - combining those nicely abstracted individual Shortcuts, and then making a single "Micropub Post" shortcut that takes in the properties for a post and hides away all the details of constructing and sending the post.
[jgmac1106], KartikPrabhu, jfoster and [dmitshur] joined the channel
# [schmarty] Hahaha
# [schmarty] dmitshur++
[dougbeal], [Michael_Beckwit, [Rose], [Lewis_Cowles] and jfoster joined the channel
# [schmarty] argh, that's frustrating :]
# [schmarty] err :[
# GWG https://timeago.org/ - Anyone have any alternative js libraries for this purpose? Found this by searching.
# myfreeweb GWG: https://github.com/github/time-elements
# myfreeweb well, you didn't say you wanted not to do that :)
# myfreeweb i prefer doing everything via custom elements and not having a "site script" at all
KartikPrabhu joined the channel
fLsh42Discord[m] joined the channel
# [schmarty] what time is it for adactio?
# [schmarty] the pre-hack-day hack time is paying off 😄
evantravers joined the channel
# [schmarty] 😄
[qubyte] joined the channel
[snarfed] joined the channel
# Loqi [aaronpk] ah darn I was hoping https://unicyclic.com implemented from scratch but it uses indieauth.com too
# aaronpk there is an example here: https://micropub.net/draft/#json-syntax
# [Rose] Working IndieAuth Shortcut: https://www.icloud.com/shortcuts/24f7b4eb708b4aa094a8d0fc2b5fdcaf
gRegorLove joined the channel
# Loqi It looks like we don't have a page for "Zegnat’s page where I can see what I posted to a micropub endpoint" yet. Would you like to create it? (Or just say "Zegnat’s page where I can see what I posted to a micropub endpoint is ____", a sentence describing the term)
# Loqi Sink is an experimental site by Martijn van der Ven that allows anyone with an IndieAuth enabled URL to post to it using any Micropub client https://indieweb.org/Sink
# @aaronpk ↩️ Sorry, that was my fault! The error should have said that there was no link found, and that's because Twitter URLs can't be used when http://webmention.io is handling the request. I just fixed http://webmention.io tho! (twitter.com/_/status/1185674675377987584)
dougbeal|mb1 joined the channel
[dougbeal] joined the channel
# @aaronpk ↩️ It'd be great if you could drop a Twitter link into someone's webmention form, but that'll take me a while to figure out. In the meantime if that person is using https://brid.gy it'll work without anyone doing any manual work. (twitter.com/_/status/1185675826685067264)
[tantek] joined the channel
# [dougbeal] [Rose]: is there a shortcut enabled PGP app? 👹
# [dougbeal] I think I would trust iCloud Keychain with my private key 🤔
[asuh], jfoster and [grantcodes] joined the channel
# [grantcodes] Been working on a thing the last few days! I'm building out kinda fancy micropub ui components with the goal of integrating them into all my tools: https://grantcodes.github.io/postrchild-editor/?path=/story/components--kitchen-sink
# [grantcodes] There's a lot of fun stuff in there like searching for locations (that generate full hCards), nearby locations for checkins, url previews, fancy categories, nice media management with alt text support and probably some more stuff I'm blanking on
# [grantcodes] Lol nah
# [grantcodes] I copy and pasted the syndication options from the spec 😛
# [grantcodes] I just need to add a media upload function. Then I can attempt to make a full client on glitch that people should be able to remix pretty easily
# aaronpk [Rose]: and now also https://ownyourgram.com/photos?url= works!
jfoster joined the channel