[fluffy]okay, so my immediate opinion was using the session cookie first, so that’s one vote each way so far. But I also don’t hold that opinion very strongly.
[fluffy](it is not yet deployed to beesbuzz.biz, don’t bother trying to test it in public. But feel free to clone Publ from git and checking it out on localhost!)
[fluffy]deploying publ.beesbuzz.biz with this reminded me of a huge problem with how Authl works that I forgot to open an issue for so I’m gonna be doing that first 😛
[tantek], FreshcollegeGirl, cweiske, [Lewis_Cowles], gRegorLove, KartikPrabhu and [chrisbergr] joined the channel
Loqi[@jgmac1106] #OpenEd19 As a theoretical lens for our self study I drew upon Dewey's notions of democratic education. As educators we must shape the spaces of learning to meet ideals of democratic education (Dewey 1934). For Dewey democracy is a way of being, of e...
[grantcodes], gRegorLove, tsrt^ and QwertyWhoreDisco joined the channel
[jgmac1106]I am gonna go with outside e-content for the next link dunno why, see the reply context on outside, and no real consumer of threads so it doesn't matter
[manton][aaronpk] Do you know if the Micropub check-in/location stuff is officially documented anywhere outside of OwnYourSwarm? For Micro.blog I tried to distill it down to only what I need and documented it this way for now. Feedback welcome. https://help.micro.blog/2019/api-location/
aaronpkeasiest way to check is to write minimal HTML to give you the parsed result you're looking for and run it thru a microformats parser to give you the JSON
[manton]Yeah, that was part of what I was wondering... My approach for now in M.b is to allow either or both location and check-in. If there is a Foursquare venue URL but not coordinates, M.b will also attempt to use the Foursquare API to fill in the venue details, but I get rate-limited pretty quickly.
[manton]Hopefully the help page I have now will point people in the right direction if they are writing a client. I just want to make sure it actually matches a kind of IndieWeb best practice.
aaronpkI'd say the simpler version is to use only the checkin property for checkins, and separately describe how to include location info for posts that are not checkins with the "location" property
[jgmac1106]fluffy, thanks yeah I missed a slash in front of my /video directory, though couldn't POSSE the video like an unfurl YouTube video with Bridgy, wrote a second note only linking to video
[jgmac1106]makes total sense video way too large for a tweet, now to go back and add all my rel=next and syndicated to Twitter link, and publish one post as a collection of all the notes
[fluffy]Yes but when the token endpoint gets a request is it supposed to just pass through all of the POST arguments it receives back to the authorization endpoint when verifying the code?
[fluffy]like I was writing mine specifically for the autoauth use case but it didn’t work with my indieauth endpoint (that doesn’t support autoauth), and it also feels to me like this isn’t something that necessarily needs the authentication endpoint to change, if the autoauth flow could be brokered by something else
sebselthis is, I believe, one of the points I made in Åmål: there are two endpoints that need to do very different things in IndieAuth vs AutoAuth, and I can't seem to figure out which parameters to switch on.
[fluffy]like I know the name for redirect_uri is “wrong” because there’s no browser, but… I mean the thing doing the autoauth flow is also being redirected
[fluffy]I mean I get your point, but I’m also trying to think of how it’d be easiest to make AutoAuth Just Work minimal involvement from token endpoint authors
[fluffy]so the choices are either: specify that the token endpoint must pass through all the request args back to the authentication endpoint, or give a master list of whitelisted request args and only have a really good reason for ever adding more
[fluffy]that just wasn’t clear to me from the AutoAuth spec, and the IndieAuth token grant spec was a “challenging” read, given my perspective of only recently having come into this
[fluffy]and I just want to know what to implement and how, I don’t have the long history of working in these specifications like most of the players in this space
[fluffy]and I realize that one of them is a user grant and one of them is a resource grant but both grant types boil down to “here’s an identity and a code, does the identity own the code? if so give us a token”
[fluffy]I don’t really have any qualms with just passing through all of the POST parameters as GET to the auth endpoint from my own perspective, but I would worry about a token endpoint being used as part of a reflection attack on something else.
[fluffy]the micropub case I was hoping to support was letting people make micropub requests to a blog that isn’t necessarily their own. Think guest posts or whatever.
[fluffy]Like to me, the micropub case is less “authenticate back to my own blog” and more “authenticate to a resource in a write capacity, and that resource may or may not be my own blog”
aaronpkthe benefit of a bearer token containing authorization is you can grant different ones to different applications. e.g. this micropub client can post these specific things and can't read any data
aaronpkthis is also stuff that's pretty universal among systems that use oauth, we're trying to add as little as possible to oauth to support URL identities here
[fluffy]anyway to get back to the point I was trying to clarify: is there any reasonable semantic difference between an authorization token that happens to belong to the identity broker vs. one that’s for third-party services? Because the latter case feels like it also covers the former case; micropub to your own blog isn’t fundamentally different to micropub to someone else’s blog.
[fluffy]anyway. in Publ it was easier for the token to be a proxy for “this user is logged in with this scope” and then still just checking if the user is authorized to do the thing they’re trying to do
sknebelso to explicitly go back to the question again: A whitelist is probably fine. otherwise you could check if it explicitly matches the possible parameter combinations for the various specs (where e.g. redirect_uri and callback_url in one request would be forbidden)
[fluffy]Okay, and to go back to my original concern, it means that if another protocol comes about, it needs to be explicitly supported by the token endpoint.
[fluffy]A thing that would be useful for these specs is just like… a list of which parameters should or must be passed through, for each one. It would make implementing that part of it a lot easier for people who don’t want to wade through a billion related specs.
[fluffy]> The authorization endpoint will validate that the code corresponds with the given parameters (including the value or absence(!) of realm). If it does, a HTTP 200 response is returned, otherwise an OAuth 2.0 error response.
gRegorLoveI would expect AutoAuth's authorization code verification response to be the same as IndieAuth unless otherwise stated. Latter specifies a JSON response.
[fluffy]I am totally fine with the specification being: if the response provides values, they override the values being verified. Otherwise use the values that were sent in for verification.
[snarfed]indieweb (if not indieauth etc) generally expect at least a full domain per user, not just paths, right? lots of tools depend on that, whether explicitly or implicitly
gRegorLove"Clients MUST use the resulting `me` value... with the following condition: The resulting profile URL MUST have a matching domain of the initially-entered profile URL.
LoqiURL design is the practice of deliberately designing URLs, in particular, permalinks, typically for a better UX for everyone who creates, reads, and shares content https://indieweb.org/url
[fluffy]but anyway I feel like there’s a big security concern in the spec where it makes it seem like example.com/~alice is a valid response for a verification request to the endpoint published at example.com/~bob
aaronpkgRegorLove: i don't think that is explicit in the spec, because the spec uses a definition of "domain" that does not distinguish between subdomains and ccTLDs
[fluffy]the fact that URLs historically reflected the underlying filesystem and so many path resolution things are based on that doesn’t help things at all
[fluffy]How about: must accept the response’s “me,” given the following conditions: 1. the scheme either matches or is converted from http to https; 2. the path begins with the same path, provided that there is a / separating the original path and any additions
[fluffy]I feel like this is important enough for me to write a CVE against Authl. I don’t think anyone else is using it but it still seems like a better safe than sorry thing
[fluffy]But I don’t want to post it as a public disclosure until I have a fix, because otherwise anyone could use this to log in to my own website as me and see all my private posts.
[manton][aaronpk] Back on location, just to be sure I understand... I'll add an example that is location-only with no check-in. But if someone is sending a check-in, is it appropriate to require that the coordinates be sent in location, or should they be included in check-in?
aaronpkthe "location" property is meant to say "this is where the post was created" like the "published" property says "this is when the post was published"
aaronpkin fact I might go so far as to say a checkin post should feature the location as the primary content, adding the text content the user typed as supplementary information
[manton]The way I'm handling this right now is that I add the venue name to the post content so that it shows up consistently in all themes. It's not _exactly_ correct but it means everything just works, and then the user can edit the theme to do something special when there is location information.
[manton]Long-term I will probably need to update all the themes to better support this, but I wanted something that worked out of the box for everyone.
[Lewis_Cowles]!tell tantek I now have a visual indicator for offline pages which when clicked reloads the page for the user. If it exists, then they get their page. If not, then they get the offline page still. Have you tested 404 functionality?
Loqi[tantek]: [Lewis_Cowles] left you a message 9 minutes ago: I now have a visual indicator for offline pages which when clicked reloads the page for the user. If it exists, then they get their page. If not, then they get the offline page still. Have you tested 404 functionality?
[tantek][Lewis_Cowles] ++ that sounds pretty cool. I like the idea of explicit UI to indicate to users that they're viewing a cached version and the option to refresh from network.
[tantek]btw speaking of Medium (per meta conversation), I noticed (and adactio pointed out explicitly) that he's putting "Originally posted at..." links at *both* the top and bottom of syndicated copies of blog posts
[tantek]this is so that if you end up reading the Medium copy of an article, you immediately see the link to the original and click through read it there instead
[tantek]or if you end up reading it down to the end on Medium, and want to cite it, you see the link to the original and at least have a chance of clicking through and citing that original post instead of the Medium copy
aaronpksome sites will let you see the top bit of a post, or wait a few seconds before popping up an interstitial, so having the link at the top gives viewers a nice "out" to see the full post on your own site
aaronpkso you just got the "me" response that says "I am https://example.com/eve" and then you go look at that URL for something and ask it "did you really just sign in here" and it could confirm
[fluffy]I ran into a lot of trouble with that in the OpenID 1.x days, when I used an OpenID signin to a forum and it saw my URL as http://beesbuzz.biz/fluffy and at one point that was getting normalized to https://beesbuzz.biz/fluffy/ and I couldn’t log in anymore.
aaronpk[fluffy]: you want to be able to support a user typing in just the host name example.com and ending up with the user-specific URL https://example.com/user
[fluffy]Authl’s identity handlers all deal with their own normalization, so like if I sign in by Twitter it normalizes to https://twitter.com/fluffy#993171 (for reasons)
[KevinMarks]So in strict mode the client restarts the auth with the new extended url? Which should be quick they're logged in and cookied if they aren't spoofing
aaronpkthis is pretty well described in the indieauth spec currently, are you suggesting something there needs to change? or are you asking a clarifying question?
[fluffy]anyway Authl’s initial identity normalization is just like… fetch the identity page, and use its final URL as the initial identity. Well, I think. Let me verify that 🙂
[fluffy]okay yeah in Authl, the initial identity URL is just the final post-redirection URL for the page, if it wasn’t grabbed by a thing that gives a URL match.
[fluffy]to use the examples there: user enters username.example, which gets a temporary redirect to example.com, which gets a permanent redirect to example.com/username
[fluffy]but the previous sentence “If an HTTP permament redirect (HTTP 301 or 308) is encountered, the client MUST use the resulting URL as the canonical profile URL” implies that it would be example.com/username
aaronpkGWG: the current version of the php indieauth client shoudl be implementing these rules. it's used by (most) of my active projects. (i think there are a couple i havent updated yet like maybe teacup)
[fluffy]so another question, while we’re on the subject: what should the scheme matching rules in response vs. profile URL be? I discovered after rolling out the Publ change that my auth endpoint was giving my identity as http://beesbuzz.biz/ rather than https://beesbuzz.biz/ all this time
[chrisbergr] Yay, my Overland-Receiver now brings my current location to my frontpage 🙂 https://cho.bz
@sanzainippou ↩️ サイズはちっちゃくて良い感じ。
インターフェイスは
HDMI / USB A 2.0 / USB A 3.0 / microSUB (twitter.com/_/status/1189356562013458434)
gRegorLove [fluffy]++
[jgmac1106] I want to add a rel=Next to the next note in the thred here: https://jgregorymcverry.com/notes/2019-10-30-2 would people put that inside or outside e-content? I have the u-in-reply-to with rel=prev
[Lewis_Cowles] I'd go with outside e-content under the logic that the DVD, VHS, whatever only contains op-codes, not full computer-programs with UI
[manton] [aaronpk] Do you know if the Micropub check-in/location stuff is officially documented anywhere outside of OwnYourSwarm? For Micro.blog I tried to distill it down to only what I need and documented it this way for now. Feedback welcome. https://help.micro.blog/2019/api-location/
[grantcodes] Yeah location is quite painful in mf2 in my opinion.
[fluffy] like I was writing mine specifically for the autoauth use case but it didn’t work with my indieauth endpoint (that doesn’t support autoauth), and it also feels to me like this isn’t something that necessarily needs the authentication endpoint to change, if the autoauth flow could be brokered by something else
sebsel This is a related point then: https://github.com/sknebel/AutoAuth/issues/17
aaronpk interestingly, this description of UMA sets out basically the same problem as we're trying to solve https://medium.com/@dewni.matheesha/user-managed-access-uma-2-0-bcecb1d535b3
jacky TIL about https://github.com/mapbox/leaflet-image
Loqi URL design is the practice of deliberately designing URLs, in particular, permalinks, typically for a better UX for everyone who creates, reads, and shares content https://indieweb.org/url
[tantek] aaronpk++ for the recommendations of how to display a checkin post - can you add that to /checkin#How_to perhaps as a subsection?
@bixtweets Do @wordpressdotcom blogs send webmentions in and of themselves, or only if you have a paid package and install a plugin? (twitter.com/_/status/1189661414127833088)
@schnarfed ↩️ also https://brid.gy/ adds (free) webmention support to http://wp.com blogs: https://brid.gy/about#blogs (twitter.com/_/status/1189666566293483520)
[KevinMarks] On more specific path, can you filter out example.com/alice becoming example.com/alice/../eve
@fluffy Publ: Development Blog: Publ 0.5.8, Authl 0.3.1, and IndieAuth security http://publ.beesbuzz.biz/blog/18-Publ-0-5-8-Authl-0-3-1-and-IndieAuth-security (twitter.com/_/status/1189683260202221568)