#[fluffy]Okay so another matter of opinion: if someone sends both a session cookie and an Authorization header, which should take priority?
#GWG[fluffy]: Authorization header. But only opinion
FreshcollegeGirl joined the channel
#[fluffy]okay, so my immediate opinion was using the session cookie first, so that’s one vote each way so far. But I also don’t hold that opinion very strongly.
#aaronpki'm trying to think of a case when that might actually happen
#[fluffy](it is not yet deployed to beesbuzz.biz, don’t bother trying to test it in public. But feel free to clone Publ from git and checking it out on localhost!)
#Loqi[fluffy] has 14 karma in this channel over the last year (40 in all channels)
[jeremycherfas] joined the channel
#[fluffy]deploying publ.beesbuzz.biz with this reminded me of a huge problem with how Authl works that I forgot to open an issue for so I’m gonna be doing that first 😛
[tantek], FreshcollegeGirl, cweiske, [Lewis_Cowles], gRegorLove, KartikPrabhu and [chrisbergr] joined the channel
#Loqi[@jgmac1106] #OpenEd19 As a theoretical lens for our self study I drew upon Dewey's notions of democratic education. As educators we must shape the spaces of learning to meet ideals of democratic education (Dewey 1934). For Dewey democracy is a way of being, of e...
[grantcodes], gRegorLove, tsrt^ and QwertyWhoreDisco joined the channel
#[jgmac1106]I am gonna go with outside e-content for the next link dunno why, see the reply context on outside, and no real consumer of threads so it doesn't matter
Guest68814291 joined the channel
#[Lewis_Cowles]I'd go with outside e-content under the logic that the DVD, VHS, whatever only contains op-codes, not full computer-programs with UI
#[manton][aaronpk] Do you know if the Micropub check-in/location stuff is officially documented anywhere outside of OwnYourSwarm? For Micro.blog I tried to distill it down to only what I need and documented it this way for now. Feedback welcome. https://help.micro.blog/2019/api-location/
dougbeal|mb1 joined the channel
#sknebelThe location property there looks like it is missing a type?
#aaronpkeasiest way to check is to write minimal HTML to give you the parsed result you're looking for and run it thru a microformats parser to give you the JSON
#[manton]Got it, thanks. I'll update it to include a type for both those properties (h-card and h-adr, I think).
#aaronpkEh, ignore checkin unless you're trying to actually deal with checkins
#[manton]Yeah, that was part of what I was wondering... My approach for now in M.b is to allow either or both location and check-in. If there is a Foursquare venue URL but not coordinates, M.b will also attempt to use the Foursquare API to fill in the venue details, but I get rate-limited pretty quickly.
#[manton]Hopefully the help page I have now will point people in the right direction if they are writing a client. I just want to make sure it actually matches a kind of IndieWeb best practice.
#aaronpkI'd say the simpler version is to use only the checkin property for checkins, and separately describe how to include location info for posts that are not checkins with the "location" property
#aaronpkYou want to avoid people thinking the only way to include the name of a location is in the checkin property for example
#[manton]Interesting, okay. I was following OwnYourSwarm which does not put the location name in "location", I think.
#aaronpkRight, it doesn't send any location property IIRC
#[fluffy]Like the token doesn’t match the format of the one that Publ’s endpoint vends
#[jgmac1106]fluffy, thanks yeah I missed a slash in front of my /video directory, though couldn't POSSE the video like an unfurl YouTube video with Bridgy, wrote a second note only linking to video
#sknebelAhh, might have a shortcut around discovery... So not suitable for testing
#[jgmac1106]makes total sense video way too large for a tweet, now to go back and add all my rel=next and syndicated to Twitter link, and publish one post as a collection of all the notes
#[fluffy]FWIW Publ only sends the token_endpoint in a link header on the resource response, as suggested by the spec.
#[fluffy]I’m on my phone at the moment but I’ll try watching the logs from a real computing device when I manage to convince myself to get out of bed
#sknebelI think the header parsing was broken, so it can't work properly
#sknebelI'll keep you posted once I have something better to try
#[fluffy]Oh the 404 on my blog fetch was because I left off the trailing / and it misreported the redirection
#[fluffy]Cool, I’d love to get some verification that this works :)
#[snarfed][jgmac1106] video too large for bridgy as in file size too large? bridgy should handle videos up to 512 MB. let me know if it didn't!
#[fluffy]I mean aside from the manual testing I did using gimme-a-token
#[fluffy]Which doesn’t actually test the AutoAuth part of it
#sknebelThe requesters authorization endpoint manages the fetching of tokens from the resources token endpoint
#sknebelIt gets asked by e.g. a reader to obtain a token
#sknebelIt verifies that this reader actually is allowed to do that
#[fluffy]Yes but when the token endpoint gets a request is it supposed to just pass through all of the POST arguments it receives back to the authorization endpoint when verifying the code?
#sknebelMaking sure you don't accidentally allow part of some changes protocol you never intended to support
#sknebelIssue 18 above is about which way to do that
#sknebelBecause autoauth kind of does it the opposite way from indieauth
#[fluffy]Then is there a list of all the parameters that need to be whitelisted to support the known token grant flows at this time?
KartikPrabhu joined the channel
#[fluffy]This confusion is what’s at the core of my most recent opened issue.
#sknebelWell, right now we only have indieauth and autoauth
#sknebelI feel like this might be another argument for doing the change from 18 though
#[fluffy]do you know how many token endpoints implement things in a way that’s compatible with autoauth?
#sknebelI don't think any would automatically just work with autoauth
#[fluffy]like I was writing mine specifically for the autoauth use case but it didn’t work with my indieauth endpoint (that doesn’t support autoauth), and it also feels to me like this isn’t something that necessarily needs the authentication endpoint to change, if the autoauth flow could be brokered by something else
#sknebelSo you'd prefer another broker endpoint over using the authorization endpoint?
#sebselthis is, I believe, one of the points I made in Åmål: there are two endpoints that need to do very different things in IndieAuth vs AutoAuth, and I can't seem to figure out which parameters to switch on.
#[fluffy]and this could be helped by using redirect_uri instead of callback_url, and still requiring client_id
#sknebelIt's not a redirect uri, so reusing that name sounds bad
#[fluffy]like I know the name for redirect_uri is “wrong” because there’s no browser, but… I mean the thing doing the autoauth flow is also being redirected
#[fluffy]I mean I get your point, but I’m also trying to think of how it’d be easiest to make AutoAuth Just Work minimal involvement from token endpoint authors
#[fluffy]as far as I understand, the token endpoint doesn’t/shouldn’t really care the purpose for which it’s vending a token
#[fluffy]so the choices are either: specify that the token endpoint must pass through all the request args back to the authentication endpoint, or give a master list of whitelisted request args and only have a really good reason for ever adding more
#[fluffy]that just wasn’t clear to me from the AutoAuth spec, and the IndieAuth token grant spec was a “challenging” read, given my perspective of only recently having come into this
#sknebelThe token endpoint plays somewhat of a different role in indieauth and autoauth
#[fluffy]and I just want to know what to implement and how, I don’t have the long history of working in these specifications like most of the players in this space
#[fluffy]I suspect that most people who want to join in on this stuff feel similarly
#Loqi[sebsel] #17 Should the token endpoint be shared with normal IndieAuth?
#sknebelWhitelist sounds fine if you don't want to explcitly split into indieauth and autoauth at that point
#sebselIntroducing another rel-value would make explicit that it is indeed another kind of token endpoint.
#[fluffy]I want this endpoint to serve dual roles in both autoauth and indieauth
#[fluffy]I was hoping to use it for e.g. supporting MicroPub as well
#[fluffy]and I realize that one of them is a user grant and one of them is a resource grant but both grant types boil down to “here’s an identity and a code, does the identity own the code? if so give us a token”
#[fluffy]I don’t really have any qualms with just passing through all of the POST parameters as GET to the auth endpoint from my own perspective, but I would worry about a token endpoint being used as part of a reflection attack on something else.
#[fluffy]Which was my primary concern when I went with a whitelist approach.
#sknebelThe difference is that in indieauth, the token endpoint and authorization endpoint belong to the same person
#sknebelIf "your" auth endpoint tells you "please make a token for XYZ with scope Y", you can trust that it has verified that with the user
#sknebelIn autoauth, any persons with endpoint can come and ask the token endpoint "token for xyz please!"
#[fluffy]the micropub case I was hoping to support was letting people make micropub requests to a blog that isn’t necessarily their own. Think guest posts or whatever.
#[fluffy]Like to me, the micropub case is less “authenticate back to my own blog” and more “authenticate to a resource in a write capacity, and that resource may or may not be my own blog”
#sknebelWhich the token endpoint might want to think about a bit more - e.g. I'd it really wants to give post-scope tokens to randoms
#[fluffy]like it just seems like a matter of convenience/coincidence that so far the user and token endpoints have been owned by the same person
#[jgmac1106]snarfed, Bridgy didn't show me the error, but I forgot to check logs, it is an mp4 video, probably too big
#[fluffy]I’m fine with giving post-scope tokens to randoms, they still need an authorized identity to post 🙂
#aaronpkthe benefit of a bearer token containing authorization is you can grant different ones to different applications. e.g. this micropub client can post these specific things and can't read any data
#[fluffy]sure, and that’s not in conflict either, like the bearer token contains scope/realm/whatever
#aaronpkbut you just said "bearer tokens that encode authorization would be even trickier to support and I don’t see what the gain would be"
#[fluffy]I meant resource-level authorization, sorry I’m being imprecise
#[fluffy]Publ’s bearer tokens specifically include ‘me’ and ‘scope’ at present
#[fluffy]with the realm implied to be the Publ site
#[fluffy]if I ever have a use case for adding realm it’s trivial to do
#aaronpkthis is also stuff that's pretty universal among systems that use oauth, we're trying to add as little as possible to oauth to support URL identities here
#aaronpkyou'll find plenty of people asking these same questions about any authentication/authorization system
#Loqi[@jgmac1106] Here is my #OpenEd19 video of my presentation [video]
#[fluffy]anyway to get back to the point I was trying to clarify: is there any reasonable semantic difference between an authorization token that happens to belong to the identity broker vs. one that’s for third-party services? Because the latter case feels like it also covers the former case; micropub to your own blog isn’t fundamentally different to micropub to someone else’s blog.
#[fluffy]Both of them are up to the blog deciding whether the user is authorized to do so.
#aaronpkcan you rephrase the question using terms that are defined in the various specs?
#[fluffy]anyway. in Publ it was easier for the token to be a proxy for “this user is logged in with this scope” and then still just checking if the user is authorized to do the thing they’re trying to do
#[fluffy]rather than the token being a blanket authorization for “yeah the user with this token can read anything on the site”
#sknebelso to explicitly go back to the question again: A whitelist is probably fine. otherwise you could check if it explicitly matches the possible parameter combinations for the various specs (where e.g. redirect_uri and callback_url in one request would be forbidden)
[calumryan] joined the channel
#[fluffy]Okay, and to go back to my original concern, it means that if another protocol comes about, it needs to be explicitly supported by the token endpoint.
#[fluffy]Which I’m not sure if it’s a good thing or a bad thing. But it’s a thing.
#[fluffy]A thing that would be useful for these specs is just like… a list of which parameters should or must be passed through, for each one. It would make implementing that part of it a lot easier for people who don’t want to wade through a billion related specs.
#aaronpkthat's exactly what the documentation on the wiki in each page (token endpoint, authorization endpoint) does
#aaronpkit's just that nobody has written that for autoauth yet, because we're not even sure it's the right model yet
#[jgmac1106]Duhhh.thanks for being my personal tutor once again... Snarfed++
#LoqiSnarfed has 51 karma in this channel over the last year (94 in all channels)
#Loqi[fluffy-critter] #304 Token endpoint doesn't support AutoAuth
#[fluffy]> The authorization endpoint will validate that the code corresponds with the given parameters (including the value or absence(!) of realm). If it does, a HTTP 200 response is returned, otherwise an OAuth 2.0 error response.
#gRegorLoveI would expect AutoAuth's authorization code verification response to be the same as IndieAuth unless otherwise stated. Latter specifies a JSON response.
#gRegorLoveI'm pretty sure that's what mblaney does with his part of our AutoAuth demo.
#gRegorLoveThough yes, my AutoAuth code only checks the HTTP 200 response
#[fluffy]Yeah it simplifies the token endpoint considerably if there’s a guarantee that the response is valid JSON.
#[fluffy]I am totally fine with the specification being: if the response provides values, they override the values being verified. Otherwise use the values that were sent in for verification.
#aaronpk"user.example.net" -> "https://user.example.net/" and "example.net" -> "https://example.net/username"
#[snarfed]indieweb (if not indieauth etc) generally expect at least a full domain per user, not just paths, right? lots of tools depend on that, whether explicitly or implicitly
#gRegorLove"Clients MUST use the resulting `me` value... with the following condition: The resulting profile URL MUST have a matching domain of the initially-entered profile URL.
#LoqiURL design is the practice of deliberately designing URLs, in particular, permalinks, typically for a better UX for everyone who creates, reads, and shares content https://indieweb.org/url
#[fluffy]but anyway I feel like there’s a big security concern in the spec where it makes it seem like example.com/~alice is a valid response for a verification request to the endpoint published at example.com/~bob
#aaronpkif the user enters a URL with a path, then it seems like a consumer should not allow the path to become less specific
#aaronpkneeds a better definition but i like the idea
#aaronpkgRegorLove: i don't think that is explicit in the spec, because the spec uses a definition of "domain" that does not distinguish between subdomains and ccTLDs
#[fluffy]maybe something something “adds a path component”
#aaronpkgotta dig into the URL spec to find the right words. the problem is the URL spec is a giant mess
#[fluffy]the fact that URLs historically reflected the underlying filesystem and so many path resolution things are based on that doesn’t help things at all
#aaronpkalso talk about specs that are difficult to read wow
#[fluffy]How about: must accept the response’s “me,” given the following conditions: 1. the scheme either matches or is converted from http to https; 2. the path begins with the same path, provided that there is a / separating the original path and any additions
#[fluffy](and 3. the complete host name/domain matches)
#[fluffy]the wording on 2 could definitely be made less clunky though
#[Sonny]alright, dead simple for command line users then 🙂 thanks you both I'll recommend multiple solutions and they'll pick
#[fluffy]anyway meanwhile I gotta fix me some Authl code
#[fluffy]I feel like this is important enough for me to write a CVE against Authl. I don’t think anyone else is using it but it still seems like a better safe than sorry thing
#[fluffy]But I don’t want to post it as a public disclosure until I have a fix, because otherwise anyone could use this to log in to my own website as me and see all my private posts.
#[manton][aaronpk] Back on location, just to be sure I understand... I'll add an example that is location-only with no check-in. But if someone is sending a check-in, is it appropriate to require that the coordinates be sent in location, or should they be included in check-in?
#[manton][aaronpk] I think you are saying either/or and not both. Just want to be sure.
#[manton]I like the simplicity of "if there are coordinates, always put them in location" but I can see your point too.
#aaronpk[manton]: My intent in OYS was to include all the location info in only the checkin property
#aaronpki wil have to look at my commit history to figure out why I added the location property
#aaronpkthe "location" property is meant to say "this is where the post was created" like the "published" property says "this is when the post was published"
#[manton]Micro.blog blurs the lines a little between post types. We'll see how people use it and then can adjust if we need to.
#aaronpkImagine a post with only the checkin property
#aaronpkit needs to look like a post, not like an empty post with a location tag
#aaronpkin fact I might go so far as to say a checkin post should feature the location as the primary content, adding the text content the user typed as supplementary information
#[manton]The way I'm handling this right now is that I add the venue name to the post content so that it shows up consistently in all themes. It's not _exactly_ correct but it means everything just works, and then the user can edit the theme to do something special when there is location information.
#[manton]Long-term I will probably need to update all the themes to better support this, but I wanted something that worked out of the box for everyone.
#[manton]Unfortunately it means the MF2 isn't really preserved right now unless the user edits the template to provide their own HTML, though.
[tonz] joined the channel
#[Lewis_Cowles]!tell tantek I now have a visual indicator for offline pages which when clicked reloads the page for the user. If it exists, then they get their page. If not, then they get the offline page still. Have you tested 404 functionality?
#Loqi[tantek]: [Lewis_Cowles] left you a message 9 minutes ago: I now have a visual indicator for offline pages which when clicked reloads the page for the user. If it exists, then they get their page. If not, then they get the offline page still. Have you tested 404 functionality?
#[tantek]aaronpk++ for the recommendations of how to display a checkin post - can you add that to /checkin#How_to perhaps as a subsection?
#Loqiaaronpk has 53 karma in this channel over the last year (199 in all channels)
#[tantek][Lewis_Cowles] ++ that sounds pretty cool. I like the idea of explicit UI to indicate to users that they're viewing a cached version and the option to refresh from network.
#Loqi[Lewis_Cowles] has 5 karma in this channel over the last year (10 in all channels)
#[tantek]btw speaking of Medium (per meta conversation), I noticed (and adactio pointed out explicitly) that he's putting "Originally posted at..." links at *both* the top and bottom of syndicated copies of blog posts
#[tantek]this is so that if you end up reading the Medium copy of an article, you immediately see the link to the original and click through read it there instead
#[tantek]or if you end up reading it down to the end on Medium, and want to cite it, you see the link to the original and at least have a chance of clicking through and citing that original post instead of the Medium copy
#[tantek]is anyone else putting "Originally published at ... " links at BOTH the top and bottom of syndicated copies of blog posts?
#aaronpksome sites will let you see the top bit of a post, or wait a few seconds before popping up an interstitial, so having the link at the top gives viewers a nice "out" to see the full post on your own site
#aaronpkso you just got the "me" response that says "I am https://example.com/eve" and then you go look at that URL for something and ask it "did you really just sign in here" and it could confirm
#aaronpkyou can't fix the URL when the code is returned because nothing at that point can be trusted
#[fluffy]that final verification step sounds potentially onerous to implement
#aaronpki agree, i'm not saying this is a good idea
#sknebelIf you get a code and a me URL, and you need to go to an endpoint discovered from that URL, what's the trust problem?
krychu joined the channel
#[fluffy]I ran into a lot of trouble with that in the OpenID 1.x days, when I used an OpenID signin to a forum and it saw my URL as http://beesbuzz.biz/fluffy and at one point that was getting normalized to https://beesbuzz.biz/fluffy/ and I couldn’t log in anymore.
#[fluffy]so I mean I do like the allowances for some amount of normalization
#aaronpk[fluffy]: you want to be able to support a user typing in just the host name example.com and ending up with the user-specific URL https://example.com/user
#aaronpkthis is why we want to let the server handle the normalization, rather than the client
#[fluffy]true, and I support that in Authl, but that’s at the endpoint discovery phase
#aaronpkletting the client handle it leads to that issue in OpenID
#aaronpk[fluffy]: it doesn't work in the discovery phase because that only works for single user sites
#[fluffy]Authl’s identity handlers all deal with their own normalization, so like if I sign in by Twitter it normalizes to https://twitter.com/fluffy#993171 (for reasons)
#aaronpkuser1 enters "example.com" and ends up as "https://example.com/user1", user2 enters "example.com" and ends up as "https://example.com/user2"
#[KevinMarks]So in strict mode the client restarts the auth with the new extended url? Which should be quick they're logged in and cookied if they aren't spoofing
#aaronpkthis is pretty well described in the indieauth spec currently, are you suggesting something there needs to change? or are you asking a clarifying question?
#[fluffy]anyway Authl’s initial identity normalization is just like… fetch the identity page, and use its final URL as the initial identity. Well, I think. Let me verify that 🙂
#[KevinMarks]You said "add a step at the end" - is that what you meant?
#[fluffy]okay yeah in Authl, the initial identity URL is just the final post-redirection URL for the page, if it wasn’t grabbed by a thing that gives a URL match.
#aaronpkhopefully the examples provide an explanation for why it's useful
#[fluffy]makes sense. I could probably implement that in Authl.
#[fluffy]what about a multi-step redirect, like a -> b -> c, where b->c is permanent but a->b is temporary?
#[fluffy]should it just stop updating once it hits the first temporary?
#aaronpkno i think it follows all redirects until it no longer hits a redirect
#aaronpkyou need to follow all redirects in order to get to the final document to actually find the HTML tags
#[fluffy]Yes, of course, but I mean, for the updating the user ID
#[fluffy]to use the examples there: user enters username.example, which gets a temporary redirect to example.com, which gets a permanent redirect to example.com/username
#[fluffy]but the previous sentence “If an HTTP permament redirect (HTTP 301 or 308) is encountered, the client MUST use the resulting URL as the canonical profile URL” implies that it would be example.com/username
#GWGaaronpk, do any of your IndieAuth run services actually update the url on a permanent redirect?
#aaronpkGWG: the current version of the php indieauth client shoudl be implementing these rules. it's used by (most) of my active projects. (i think there are a couple i havent updated yet like maybe teacup)
#[fluffy]I think a sentence like “If there are multiple redirections, use the last URL before the first temporary redirect”
#aaronpkok yeah it looks like that section needs some clarification on precedence
#[fluffy]so another question, while we’re on the subject: what should the scheme matching rules in response vs. profile URL be? I discovered after rolling out the Publ change that my auth endpoint was giving my identity as http://beesbuzz.biz/ rather than https://beesbuzz.biz/ all this time