#dev 2019-10-30

2019-10-30 UTC
[jgmac1106] and FreshcollegeGirl joined the channel
#
[chrisbergr]
Yay, my Overland-Receiver now brings my current location to my frontpage 🙂 https://cho.bz
#
[chrisbergr]
I'm using https://github.com/predicthq/address-formatter-php to format the address according to the country. I struggle with the house number, because it is added to the road name instead of its own property.
#
Loqi
[predicthq] address-formatter-php: Address formatter for PHP
FreshcollegeGirl joined the channel
#
[chrisbergr]
There are so many variables that makes it difficult to find the number in php
#
[fluffy]
Woo I have my token endpoint working
#
[fluffy]
(After taking a nice long walk to clear my head)
FreshcollegeGirl joined the channel
#
GWG
[chrisbergr]: Interesting library
FreshcollegeGirl joined the channel
#
[fluffy]
Okay so another matter of opinion: if someone sends both a session cookie and an Authorization header, which should take priority?
#
GWG
[fluffy]: Authorization header. But only opinion
FreshcollegeGirl joined the channel
#
[fluffy]
okay, so my immediate opinion was using the session cookie first, so that’s one vote each way so far. But I also don’t hold that opinion very strongly.
#
aaronpk
i'm trying to think of a case when that might actually happen
#
aaronpk
my vote is also authorization header because it requires more intent to add that
#
[fluffy]
like… maybe someone has a feed reader that supports cookie jars AND bearer tokesn?
#
[fluffy]
and I guess in that case the bearer token is gonna be more authoritative too
#
@sanzainippou
↩️ サイズはちっちゃくて良い感じ。 インターフェイスは HDMI / USB A 2.0 / USB A 3.0 / microSUB
(twitter.com/_/status/1189356562013458434)
FreshcollegeGirl and SevenTwenty joined the channel
#
[fluffy]
… wow
FreshcollegeGirl and gRegorLove joined the channel
#
[fluffy]
okay so I think I’ve implemented everything needed for AutoAuth 🙂
#
[fluffy]
at the very least, `WWW-Authenticate` and `Authorization` are working.
#
[fluffy]
which means I’ve also done most of the hard part of Micropub.
#
[fluffy]
so now I’m tempted to, like, do that.
#
[fluffy]
(it is not yet deployed to beesbuzz.biz, don’t bother trying to test it in public. But feel free to clone Publ from git and checking it out on localhost!)
#
aaronpk
Wow cool! [fluffy]++
#
Loqi
[fluffy] has 13 karma in this channel over the last year (39 in all channels)
#
[fluffy]
One could say that in trying to break the chicken-and-egg cycle, I have now laid an egg 😉
#
[fluffy]
I’m deploying to beesbuzz.biz RIGHT NOW
#
[fluffy]
it is deployed!
#
[fluffy]
Are there any readers which support Bearer authentication? That would at least be an initial step.
#
[fluffy]
For testing, I mean.
#
jacky
[fluffy]: not to my knowledge
#
[fluffy]
well hopefully someone starts working on one 🙂
#
gRegorLove
[fluffy]++
#
Loqi
[fluffy] has 14 karma in this channel over the last year (40 in all channels)
[jeremycherfas] joined the channel
#
[fluffy]
deploying publ.beesbuzz.biz with this reminded me of a huge problem with how Authl works that I forgot to open an issue for so I’m gonna be doing that first 😛
[tantek], FreshcollegeGirl, cweiske, [Lewis_Cowles], gRegorLove, KartikPrabhu and [chrisbergr] joined the channel
#
[chrisbergr]
brutalist webdesign ftw 🙂 (beesbuzz.biz)
[frank], wolfram, [qubyte], asymptotically, [jgmac1106] and [JHSheridan] joined the channel
#
sknebel
fluffy++ awesome!
#
Loqi
fluffy has 15 karma in this channel over the last year (41 in all channels)
[xavierroy] joined the channel
#
[jgmac1106]
I want to add a rel=Next to the next note in the thred here: https://jgregorymcverry.com/notes/2019-10-30-2 would people put that inside or outside e-content? I have the u-in-reply-to with rel=prev
#
Loqi
[@jgmac1106] #OpenEd19 As a theoretical lens for our self study I drew upon Dewey's notions of democratic education. As educators we must shape the spaces of learning to meet ideals of democratic education (Dewey 1934). For Dewey democracy is a way of being, of e...
[grantcodes], gRegorLove, tsrt^ and QwertyWhoreDisco joined the channel
#
[jgmac1106]
I am gonna go with outside e-content for the next link dunno why, see the reply context on outside, and no real consumer of threads so it doesn't matter
Guest68814291 joined the channel
#
[Lewis_Cowles]
I'd go with outside e-content under the logic that the DVD, VHS, whatever only contains op-codes, not full computer-programs with UI
enricomarinoDisc, KYZITEMELOS93Dis, astrojl_matrix, DamirDiscord[m], vasaDiscord[m], sachaDiscord[m], JonwelDiscord[m], dignifiedquireDi, neilDiscord[m], DerekDiscord[m], achingbrainDisco, CantiTurtleCoin[, gorhgorhDiscord[, HerculanoDiscord, braditzDiscord[m, dunks411Discord[, rklaehn[m], AtiqDiscord[m], william_shakesDi, phynite1846[m], NatoBoram[m], cesarosum[m], godparticleDisco, CarboClanCDiscor, KisulkenDiscord[, ad87657Discord[m, drshamoonDiscord, maparent[m], CryptoEmpressDis, gorhgorh[m], zgrDiscord[m], thomasbDiscord[m, RomaricDiscord[m, EdEdorEddyDiscor, MichaelTenDiscor, zoglesby, M|NecoDiscord[m], RealityDiscord[m, GiyomuDiscord[m], deltaDiscord[m], zwelsternDiscord, kppDiscord[m]1, card[m], astraiaDiscord[m, prtfw[m], cwDiscord[m], EatsDiscord[m], marcocastignoliD, cyluDiscord[m], carsonfarmer[m], brewskiDiscord[m, Gorka[m], JohnnyMilkshakes, silent_Activist[, celsoDiscord[m]1, leoalvarezhDisco, vexlDiscord[m], robinzzzDiscord[, TionisDiscord[m], felixschlDiscord, phynite[m], WesDiscord[m], RyonezCoruscareD, wngrDiscord[m], nlkoDiscord[m], aaronpk[m], halifoxDiscord[m, M{|}Discord[m], carstenmunkDisco, ZipperSKDiscord4, mZDiscord[m], UserDiscord[m], nofwayyDiscord[m, msena3Discord[m], dindustriesDisco, lyon[m], drbhDiscord[m], rittme[m], swedneck2, itsmekntDiscord[, JerbsDiscord[m], test123Discord[m, realChainDiscord, sukarDiscord[m], weedDiscord[m], hvergara[m], fLsh42Discord[m], corylDiscord[m], tom85[m], amatuniDiscord[m, Giyomu[m], npfoss[m], foxcoolDiscord[m, circles2916[m], EugeneDiscord[m], watDiscord[m], r5723013Discord[, olizillaDiscord[, M0zAND1zDiscord[, romaricDiscord[4, iiogama[m], mapachurroDiscor, AblibuDiscord[m], peatDiscord[m], cwchristerwDisco, gmelodieDiscord[, VictorGDiscord[m, sprayDiscord[m], Senshi[m], new0neDiscord[m], RichardLittDisco, mikeal[m], raulDiscord[m], johanhermanDisco, RealSnazzy[m], Mairkur[m], freethinkingaway, Oxy[m], Sean|FortmaticDi, betamosDiscord[m, FranklinDiscord[, msena3[m], thomasDiscord[m], Hsiu-PingNichola, felixschlDiscor4, ShokuninDiscord[, jazzy-jeff^_^Dis, ptonerDiscord[m], planetary_devDis, catman[m], RDeckardDiscord[, radio_aliceDisco, mattcDiscord[m], SpaceOutlawDisco, jmank88Discord[m, DoggersUniteDisc, aeddi[m], JayWelshDiscord[, ShadowLingDiscor, oed3[m], dhenz3SpeakDisco, sander[m], DerrickFDiscord[, RickDiscord[m], malaclypsDiscord, rappelDiscord[m], PhoenixDiscord[m, yjhmelodyDiscord, capDiscord[m], TiaguilsoDiscord, AceFaceDiscord[m, DiscordBridge[m4, macerbi[m]1, sfromentDiscord[, h2Discord[m], Expherience[m], eddyDiscord[m], swedneck[GMT1]Di, PeevesDiscord[m], AuHau[m], SenshiDiscord[m], DiscordRSSDiscor, janttoDiscord[m], allgoDiscord[m], pbvieDiscord[m], farhad312Discord, johanhermanDisc4, jee[m], bushido711Discor, Rixon, baluptonDiscord[, myfreeweb1, PrabhaavDiscord[, sethforkDiscord[, jgmac1106Discord, j4y_funabashi[m], RodolfoEDiscord[, mZ[m], RockSteadyTRTLDi, AutoAIDiscord[m], placer14Discord[, PhillmacDiscord[, chrisDiscord[m], modigDiscord[m], pps96Discord[m], grvhiDiscord[m], RDeckardDiscord4, CantiTurtleCoinD, LuutheCoolDiscor, JeffMaherVegas[m, MaggieDiscord[m], WarrenDiscord[m], AuHauDiscord[m], HeishDiscord[m], foxcoolDiscord[4, tobowersDiscord[, AnthonyADiscord[, babaitDiscord[m], aphelionzDiscord, dpinnerDiscord[m, jekpopulousDisco, doorknob88Discor, jenncloudDiscord, KubeDiscord[m], Lolicon[m], leoalvarezhDisc4, CharlieRaptoreum, tadpole256Discor, wcharginDiscord[, SteffDiscord[m], maparentDiscord[, aaronpkDiscord[m, cristobalDiscor4, SirMemesALotDisc, te0dDiscord[m], SuikaDiscord[m], DioBrandonDiscor, sunk818Discord[m, Mai-HsuanKevinCh, hazDiscord[m], MairkurDiscord[m, nijynotDiscord[m, crestDiscord[m], TianyiDiscord[m], raisDiscord[m], boomshroomDiscor, chris[m]4, FusonDiscord[m], zegordoDiscord[m, obernardovieiraD, sbpDiscord[m], LordFenixNCDisco, jgmac1106[m], celsoDiscord[m], kevinbird15Disco, KevlarmonkeyDisc, RomainDiscord[m], fexra|TRTLDiscor, jessicaschilling, kanej[m], ZapierDiscord[m], gnunicornDiscord, bmiller59Discord, LokeLDiscord[m], vamsiDiscord[m], mZDiscord[m]1, Lilz|BetaMe[m], aswiththewildDis, sekiDiscord[m]1, JoejoeDiscord[m], JordanKrageDisco, nyarlathotepDisc, JungleHeartDisco, Ja3oodDiscord[m], Microsoft_techni, DevUYDiscord[m], SweatDiscord[m], DavidFalconDisco, SmileRobotDiscor, Neroprojekt5071[, dqxDiscord[m], nebulerDiscord[m, kppDiscord[m], MesaDiscord[m], gorhgorh[m]1, zazikiDiscord[m], denzukoDiscord[m, JustMaier[m], thestevewayDisco, XierumengDiscord, GabrielBadGriefD, Dazuck-3BoxDisco, FineDiscord[m], CocoonCrashDisco, UsDiscord[m], captain-nemoDisc, hubaDiscord[m], PermawebEmbedDis, KinnardDiscord[7, johanherman[m]1, catmanDiscord[m], Valium[m], koalalorenzoDisc, MisterGoreDiscor, prcDiscord[m], neohexDiscord[m], M[AXEL]JulianDis, plexusDiscord[m], jenncloud[m], xtream1101Discor, l^discordDiscord, paulmahoneDiscor, flower88Discord[, nocentDiscord[m], ClmentDiscord[m], ScottSmileyDisco, manfredDiscord[m, EdmundMDiscord[m, AXEL-Lee[m], jwheelerDiscord[, ambackDiscord[m], jamietanna[m], romaric[m], M4eekDiscord[m], TeamIanDiscord[m, ritewhose[m], vasa|dappkitDisc, n9tDiscord[m], AlekseyDiscord[m, M}Discord[m], drbh[m], ithithDiscord[m], the_nikinDiscord, kanejDiscord[m], hvergaraDiscord[, matyas_mustohaDi, jimpick[m], chmanieDiscord[m, JustMaierDiscord, Dby0Discord[m], braditzDiscord[4, boatsandhoesDisc, panDiscord[m], Keegen[m], celso[m]1, skillman623Disco, jamiedubsDiscord, JorropoDiscord[m, HeysteinDiscord[, tom85Discord[m], UsamaIrfanDiscor, Ja3ood[m], codynhatDiscord[, eddy[m], RobotLordimperia, M5511225464917[m, NatoBoramDiscord, AXEL-BrianDiscor, hyde__Discord[m], KarlDiscord[m], llllllDiscord[m], placer14[m], fozzie[m], PeciakDiscord[m], pierreboc[m], DaekiDiscord[m], gozala[m], psyonityDiscord[, bostaDiscord[m], OxyDiscord[m], Tianyi[m], sacha[m], nilocDiscord[m], cardDiscord[m], OboDiscord[m], NooooooWayyyyyDi, chmanieDiscord[4, PhiDiscord[m], M011000100111010, prtfwDiscord[m], WidgetBotiocli1[, CathyLDiscord[m], ExpherienceDisco, MachiavelaDiscor, MatthDiscord[m], pr1meDiscord[m], ivanDiscord[m], ShmultzDiscord[m, chinsuDiscord[m], rklaehnDiscord[m, doodlemaniaDisco, manfred[m], sekiDiscord[m], celso[m], TryptophanDiscor, mhzDiscord[m], iiogamaDiscord[m, OrkunDiscord[m], eshohetDiscord[m, enricomarino[m], balupton[m], bengoDiscord[m], Swedneck_, drshamoon[m], SoreGumsDiscord[, TristanDiscord[m, silent_ActivistD, andrewxhill[m], Clment[m], macerbiDiscord[m, snoopdoggydogDis, gnunicorn[m], oed3Discord[m], RockSteadyTRTL[m, OlegStotskyDisco, yabirgbDiscord[m, Bads3ctor9700[m], ecrosstexas[m], carsonfarmerDisc, ArunDiscord[m], M3baidDiscord[m], HarryTmeticDisco, M5310Discord[m], abhi_Discord[m], Akshay[m]1, sblinnDiscord[m], bitspillDiscord[, NebulousDiscord[, lauren|Microspon, new0ne[m], Rick[m], NastyEbilPiwateD, fozzieDiscord[m], SchwartzDiscord[, npfossDiscord[m], cannabysDiscord[, pierrebocDiscord, KinnardDiscord[m, dy5es41Discord[m, Kenzo3Discord[m], ksDiscord[m], cuibonobo, IgutinDiscord[m], GeorgeX2798[m], grantcodes[m], pusherDiscord[m], AXEL-Brian[m], Lilz|BetaMeDisco, M[AXEL]Darr[m], combrayDiscord[m, dafflDiscord[m], lamborghiniDisco, sfroment[m], LSJI07Discord[m], vasa[m], ShruthiDiscord[m, cristobalDiscord, CryptoEmpress[m], bekoDiscord[m], GorkaDiscord[m], sanderDiscord[m], freethinkingawa4, JeanDiscord[m], HyunwooLeeDiscor, mikealDiscord[m], CatManDoooDiscor, plindner[m], Romaric[m]1, MikeShultzDiscor, M3baidDiscord[m4, discord[m], postablesDiscord, AxieDiscord[m], dostDiscord[m], vinDiscord[m], gregjeanmartDisc, tangoDiscord[m], beko[m], malaclyps[m], iamswainDiscord[, KeegenDiscord[m], KinnardDiscord[4, thatguyDiscord[m, buztedDiscord[m], benaszabDiscord[, zoink92Discord[m, AmineDiscord[m], rittmeDiscord[m], AlepheiaDiscord[, Sm03leBr00tDisco, AraratDiscord[m], gtsDiscord[m], alphapapaactualD, gunttedDiscord[m, zcopleyDiscord[m, blxckghxstDiscor, M[AXEL]DarrDisco, aeddiDiscord[m], richtercamdenDis, JaoheahDiscord[m, BossMANDiscord[m, RealSnazzyDiscor, megadogberthehim, PamileissonDisco, cesarosumDiscord, Tianyi[m]1, gauthamDiscord[m, MissLavenderDisc, hacdiasDiscord[m, berDiscord[m], jklepatchDiscord, johanherman[m], cikavuveDiscord[, CrocodillianDisc, PermawebMatrixBr, rozgoDiscord[m], jimpickDiscord[m, lyonDiscord[m], Luna14Discord[m], Nebulous[m], andrewxhill3607[, anthony-albertor, peterkDiscord[m], ddahlDiscord[m], funwhilelostDisc, TianyiDiscord[m4, IPFSFanDiscord[m, ngamboaDiscord[m, katakotoDiscord[, M123897974564Dis, TH0RynDiscord[m], ZipperSKDiscord[, GuillaumeDiscord, M4star3starDisco, AkshayDiscord[m], [KevinMarks], [Rose], [Michael_Beckwit, [snarfed], jjuran, dougbeal|mb1, [JHSheridan] and [manton] joined the channel
#
[manton]
[aaronpk] Do you know if the Micropub check-in/location stuff is officially documented anywhere outside of OwnYourSwarm? For Micro.blog I tried to distill it down to only what I need and documented it this way for now. Feedback welcome. https://help.micro.blog/2019/api-location/
dougbeal|mb1 joined the channel
#
sknebel
The location property there looks like it is missing a type?
#
sknebel
Micropub is just Microformats json
[Ramiro_Ruiz] joined the channel
#
aaronpk
Yeah that looks like invalid mf2 JSON
#
aaronpk
easiest way to check is to write minimal HTML to give you the parsed result you're looking for and run it thru a microformats parser to give you the JSON
#
[manton]
Got it, thanks. I'll update it to include a type for both those properties (h-card and h-adr, I think).
#
[manton]
Updated. So I guess the larger question is: if someone wanted to use location in a Micropub client, where would they start? I also found this example from Indigenous which is completely different: https://indieweb.org/Micropub-extensions#Location_checkin_information
[grantcodes] joined the channel
#
[grantcodes]
Yeah location is quite painful in mf2 in my opinion.
#
[grantcodes]
it can be a geo uri, it can be a nested h-card, there is `location` and there is `checkin`
#
aaronpk
We should probably avoid the geo: URI since it's more complicated. The only advantage is it can be sent in a form encoded request
#
aaronpk
location and checkin are totally different things
#
[grantcodes]
I know but they are easy to confuse
#
Loqi
totally
#
[grantcodes]
thanks loqi
#
Loqi
you're welcome
#
aaronpk
Eh, ignore checkin unless you're trying to actually deal with checkins
#
[manton]
Yeah, that was part of what I was wondering... My approach for now in M.b is to allow either or both location and check-in. If there is a Foursquare venue URL but not coordinates, M.b will also attempt to use the Foursquare API to fill in the venue details, but I get rate-limited pretty quickly.
#
[manton]
Hopefully the help page I have now will point people in the right direction if they are writing a client. I just want to make sure it actually matches a kind of IndieWeb best practice.
#
aaronpk
I'd say the simpler version is to use only the checkin property for checkins, and separately describe how to include location info for posts that are not checkins with the "location" property
#
aaronpk
You want to avoid people thinking the only way to include the name of a location is in the checkin property for example
#
[manton]
Interesting, okay. I was following OwnYourSwarm which does not put the location name in "location", I think.
#
aaronpk
Right, it doesn't send any location property IIRC
#
[manton]
Pretty sure it does. 🙂
#
aaronpk
the larger point here is to make sure checkins and posts with location are different things
#
[manton]
This is what I see when previewing check-ins from OwnYourSwarm: https://gist.github.com/manton/40bd7ba1cd297f51356889996448e1bd
#
aaronpk
Ah you're right i must have included that as fallback
#
[manton]
I hear what you're saying, though, and I can adjust my example.
#
[manton]
Although I kind of like that location is usually there.
#
[manton]
I need to run but I'll revisit this later. Thanks!
#
aaronpk
Really I'm just suggesting that you include a separate example with location with no checkin for the cases of adding location to regular posts
[Lewis_Cowles], [chrisbergr], [snarfed] and [schmarty] joined the channel
#
GWG
Catching up on the location
[jgmac1106] joined the channel
#
GWG
swentel added the geouri because of me to Indigenous
[tantek] joined the channel
#
sknebel
[fluffy] Zegnat has a test fetcher for autoauth at https://vanderven.se/martijn/proxy/
#
GWG
I asked for a check-in option in the client and it had to be form encoded
#
[jgmac1106]
does anyone know what I did wrong here and my video is not displaying but if I go directly to the video link it works?
#
GWG
I automatically convert geouris to h-geos
#
sknebel
But Im not quite sure if it has the last spec variant
[fluffy] joined the channel
#
[fluffy]
Oh neat, I’ll try that out
#
[jgmac1106]
fixed missing slash
#
[Lewis_Cowles]
Clicking that was magical. It just pulsated at me
#
[Lewis_Cowles]
no video, just pulsation
#
[Lewis_Cowles]
it now works
#
[fluffy]
Hmm it just returns 404 for my blog index and doesn’t even ask for any auth
#
[Lewis_Cowles]
On one hand it does what was intended. On the other the pulsating entire page was something I've not seen before
#
[fluffy]
[jgmac1106] video works fine on my iPhone
#
sknebel
[fluffy]: ok, wasn't sure if it still works
#
sknebel
I'll try to find time to test yours soon - turns out having people implement stuff provides motivation :D
#
[fluffy]
On the Publ blog it fails in a way that indicates that it’s using a single hard coded token instead of fetching a new one
#
sknebel
Shouldn't
#
[fluffy]
Like the token doesn’t match the format of the one that Publ’s endpoint vends
#
[jgmac1106]
fluffy, thanks yeah I missed a slash in front of my /video directory, though couldn't POSSE the video like an unfurl YouTube video with Bridgy, wrote a second note only linking to video
#
sknebel
Ahh, might have a shortcut around discovery... So not suitable for testing
#
[jgmac1106]
makes total sense video way too large for a tweet, now to go back and add all my rel=next and syndicated to Twitter link, and publish one post as a collection of all the notes
#
[fluffy]
FWIW Publ only sends the token_endpoint in a link header on the resource response, as suggested by the spec.
#
[fluffy]
I’m on my phone at the moment but I’ll try watching the logs from a real computing device when I manage to convince myself to get out of bed
#
sknebel
I think the header parsing was broken, so it can't work properly
#
sknebel
I'll keep you posted once I have something better to try
#
[fluffy]
Oh the 404 on my blog fetch was because I left off the trailing / and it misreported the redirection
#
[fluffy]
Cool, I’d love to get some verification that this works :)
#
[snarfed]
[jgmac1106] video too large for bridgy as in file size too large? bridgy should handle videos up to 512 MB. let me know if it didn't!
#
[fluffy]
I mean aside from the manual testing I did using gimme-a-token
#
[fluffy]
Which doesn’t actually test the AutoAuth part of it
#
[snarfed]
[jgmac1106] ah the problem isn't video size, it's that your u-video points to the post permalink, not to the video file. https://pin13.net/mf2/?url=https://jgregorymcverry.com/notes/2019-10-30-11 . feel free to retry after you fix that!
#
Loqi
[@jgmac1106] Here is my #OpenEd19 video of my presentation [video]
#
[snarfed]
(looks like bridgy reported the error message "Twitter only supports MP4 videos," hopefully you saw that 😁)
#
[fluffy]
I’m still unclear as to whether the IndieAuth endpoint needs to change, per my most recent comment on the GitHub issue
#
sknebel
The one of the requester has to, yes
dougbeal|imac joined the channel
#
[fluffy]
Okay so if I get a callback_url parameter I do need to proxy that through?
#
[fluffy]
That implies needing to change the token endpoint as well
#
[fluffy]
Or is the endpoint supposed to just send through all the parameters it gets?
#
[fluffy]
I wasn’t clear on that part either
#
sknebel
The requesters authorization endpoint manages the fetching of tokens from the resources token endpoint
#
sknebel
It gets asked by e.g. a reader to obtain a token
#
sknebel
It verifies that this reader actually is allowed to do that
#
[fluffy]
Yes but when the token endpoint gets a request is it supposed to just pass through all of the POST arguments it receives back to the authorization endpoint when verifying the code?
#
sknebel
Pretty much, yes
#
sknebel
That's just to verify the request is legit
#
[fluffy]
But are there args that shouldn’t be sent along?
#
sknebel
Don't think so
#
Loqi
[sknebel] #18 Pass data via Token Request vs Authorization Code Verification response?
#
[fluffy]
I was whitelisting them due to an abundance of caution
#
[fluffy]
But it sounds like I shouldn’t.
#
sknebel
No, whitelisting is fine
#
sknebel
Making sure you don't accidentally allow part of some changes protocol you never intended to support
#
sknebel
Issue 18 above is about which way to do that
#
sknebel
Because autoauth kind of does it the opposite way from indieauth
#
[fluffy]
Then is there a list of all the parameters that need to be whitelisted to support the known token grant flows at this time?
KartikPrabhu joined the channel
#
[fluffy]
This confusion is what’s at the core of my most recent opened issue.
#
sknebel
Well, right now we only have indieauth and autoauth
#
sknebel
I feel like this might be another argument for doing the change from 18 though
#
[fluffy]
do you know how many token endpoints implement things in a way that’s compatible with autoauth?
#
sknebel
I don't think any would automatically just work with autoauth
#
[fluffy]
like I was writing mine specifically for the autoauth use case but it didn’t work with my indieauth endpoint (that doesn’t support autoauth), and it also feels to me like this isn’t something that necessarily needs the authentication endpoint to change, if the autoauth flow could be brokered by something else
#
sknebel
So you'd prefer another broker endpoint over using the authorization endpoint?
#
[fluffy]
no, I just think it’d be a useful option
#
sebsel
this is, I believe, one of the points I made in Åmål: there are two endpoints that need to do very different things in IndieAuth vs AutoAuth, and I can't seem to figure out which parameters to switch on.
#
[fluffy]
and this could be helped by using redirect_uri instead of callback_url, and still requiring client_id
#
sknebel
It's not a redirect uri, so reusing that name sounds bad
#
[fluffy]
like I know the name for redirect_uri is “wrong” because there’s no browser, but… I mean the thing doing the autoauth flow is also being redirected
#
[fluffy]
to a callback 🙂
#
sknebel
It's not being redirected
#
[fluffy]
who makes the request to the callback_url?
#
sebsel
no indeed, it's a separate POST request to the callback_url.
#
sknebel
It has a callback that gets called
#
[fluffy]
I mean I get your point, but I’m also trying to think of how it’d be easiest to make AutoAuth Just Work minimal involvement from token endpoint authors
#
[fluffy]
as far as I understand, the token endpoint doesn’t/shouldn’t really care the purpose for which it’s vending a token
#
[fluffy]
so the choices are either: specify that the token endpoint must pass through all the request args back to the authentication endpoint, or give a master list of whitelisted request args and only have a really good reason for ever adding more
#
[fluffy]
https://github.com/PlaidWeb/Publ/blob/f1baa08baa2e1bc7cf771b35ec457fc3784f7aea/publ/tokens.py#L38 is where Publ’s token endpoint does the whitelisting. If I’m instead just supposed to make the validation request with all of the POST parameters converted to GET parameters, that’s fine
#
[fluffy]
that just wasn’t clear to me from the AutoAuth spec, and the IndieAuth token grant spec was a “challenging” read, given my perspective of only recently having come into this
#
sknebel
The token endpoint plays somewhat of a different role in indieauth and autoauth
#
[fluffy]
and I just want to know what to implement and how, I don’t have the long history of working in these specifications like most of the players in this space
#
[fluffy]
I suspect that most people who want to join in on this stuff feel similarly
#
Loqi
[sebsel] #17 Should the token endpoint be shared with normal IndieAuth?
#
sknebel
Whitelist sounds fine if you don't want to explcitly split into indieauth and autoauth at that point
#
sebsel
Introducing another rel-value would make explicit that it is indeed another kind of token endpoint.
#
[fluffy]
I want this endpoint to serve dual roles in both autoauth and indieauth
#
[fluffy]
I was hoping to use it for e.g. supporting MicroPub as well
#
[fluffy]
and I realize that one of them is a user grant and one of them is a resource grant but both grant types boil down to “here’s an identity and a code, does the identity own the code? if so give us a token”
#
[fluffy]
at least as I understand it
#
[fluffy]
I don’t really have any qualms with just passing through all of the POST parameters as GET to the auth endpoint from my own perspective, but I would worry about a token endpoint being used as part of a reflection attack on something else.
#
[fluffy]
Which was my primary concern when I went with a whitelist approach.
#
sknebel
The difference is that in indieauth, the token endpoint and authorization endpoint belong to the same person
#
[fluffy]
sure…
#
sknebel
If "your" auth endpoint tells you "please make a token for XYZ with scope Y", you can trust that it has verified that with the user
#
sknebel
In autoauth, any persons with endpoint can come and ask the token endpoint "token for xyz please!"
#
[fluffy]
the micropub case I was hoping to support was letting people make micropub requests to a blog that isn’t necessarily their own. Think guest posts or whatever.
#
[fluffy]
Like to me, the micropub case is less “authenticate back to my own blog” and more “authenticate to a resource in a write capacity, and that resource may or may not be my own blog”
#
sknebel
Which the token endpoint might want to think about a bit more - e.g. I'd it really wants to give post-scope tokens to randoms
#
[fluffy]
like it just seems like a matter of convenience/coincidence that so far the user and token endpoints have been owned by the same person
#
[jgmac1106]
snarfed, Bridgy didn't show me the error, but I forgot to check logs, it is an mp4 video, probably too big
#
[fluffy]
I’m fine with giving post-scope tokens to randoms, they still need an authorized identity to post 🙂
#
sknebel
That is also a way of implementing it :)
#
[fluffy]
token identifies the user as http://bob.example.com/ but that doesn’t mean that user has permission to post.
#
[fluffy]
This also fits in with the read permissions model for Publ, so it was a natural fit
#
[fluffy]
like, simply being authenticated doesn’t mean you have full read access to everything
SevenTwenty joined the channel
#
[snarfed]
[jgmac1106] huh, no error? you used the web UI? or via webmention?
#
[fluffy]
all the token (or session cookie) gives you is a user identity; Publ still looks up what that identity has access to when presenting data.
#
[snarfed]
[jgmac1106] regardless, no, the error was (is) that your u-video doesn't point to the video file itself
#
sknebel
A bearer token is also meant to be an authorization, but you can do it that way
#
[fluffy]
It seems like bearer tokens that encode authorization would be even trickier to support and I don’t see what the gain would be
#
[fluffy]
are you supposed to get separate bearer authorization for every separate resource?
#
[fluffy]
I see the authorization as being for “all the resources available to this user”
#
[fluffy]
which is just a slight semantic difference from “this token identifies the user”
#
[fluffy]
(and not a difference in implementation)
#
aaronpk
the benefit of a bearer token containing authorization is you can grant different ones to different applications. e.g. this micropub client can post these specific things and can't read any data
#
[fluffy]
sure, and that’s not in conflict either, like the bearer token contains scope/realm/whatever
#
aaronpk
but you just said "bearer tokens that encode authorization would be even trickier to support and I don’t see what the gain would be"
#
[fluffy]
I meant resource-level authorization, sorry I’m being imprecise
#
[fluffy]
Publ’s bearer tokens specifically include ‘me’ and ‘scope’ at present
#
[fluffy]
with the realm implied to be the Publ site
#
[fluffy]
if I ever have a use case for adding realm it’s trivial to do
#
aaronpk
this is also stuff that's pretty universal among systems that use oauth, we're trying to add as little as possible to oauth to support URL identities here
#
aaronpk
you'll find plenty of people asking these same questions about any authentication/authorization system
#
[fluffy]
I mean, what the token actually authorizes is an implementation detail of the token itself
#
[fluffy]
and is also fairly off-track from where my questions started
#
aaronpk
or even more specifically an implementation defail of the thing that is verifying the token
#
[fluffy]
well yeah
#
[jgmac1106]
snarfed should I have put the u-video on the source and not the video element? view-source:https://jgregorymcverry.com/notes/2019-10-30-11
#
Loqi
[@jgmac1106] Here is my #OpenEd19 video of my presentation [video]
#
[fluffy]
anyway to get back to the point I was trying to clarify: is there any reasonable semantic difference between an authorization token that happens to belong to the identity broker vs. one that’s for third-party services? Because the latter case feels like it also covers the former case; micropub to your own blog isn’t fundamentally different to micropub to someone else’s blog.
#
[fluffy]
Both of them are up to the blog deciding whether the user is authorized to do so.
#
aaronpk
can you rephrase the question using terms that are defined in the various specs?
#
[snarfed]
no, the u-video's location is fine, the *href* is wrong. it needs to be /videos/OpenEd19Presentation.mp4
#
aaronpk
"authorization token" isn't defined anywhere so i don't know what you mean
#
aaronpk
also "identity broker"?
#
[fluffy]
Not easily. I’m not fluent in the spec’s language.
#
aaronpk
we have "authorization code", "access token", "resource owner", "authorization server"...
krychu joined the channel
#
[fluffy]
identity broker meaning, like, the indieauth endpoint
#
[fluffy]
by authorization server do you mean the thing that vends codes or the thing that vends tokens?
#
[fluffy]
there’s the auth_endpoint and there’s the token_endpoint
#
aaronpk
"authorization server" in OAuth contains both the authorization endpoint and token endpoint
#
[fluffy]
yeah, and that’s to OAuth’s detriment
#
[fluffy]
IndieAuth rightfully separates them out into separate concerns
#
aaronpk
let me check something... UMA should have a similar issue
#
[fluffy]
the authorization endpoint verifies identity. the token endpoint uses that to vend a token which can be used to verify authorization.
#
[fluffy]
The verification of authorization can happen at the token grant time, or it can happen by the thing that’s consuming the token.
#
[fluffy]
I don’t see those as different cases as far as the IndieAuth and AutoAuth protocols should be concerned.
#
[fluffy]
Publ does the latter because it was easier for what I’m trying to do with Publ.
#
[fluffy]
Because the authorization is user-level, not resource-level.
#
[fluffy]
resources then do their own checking for whether the user is authorized to the resource.
#
aaronpk
interestingly, this description of UMA sets out basically the same problem as we're trying to solve https://medium.com/@dewni.matheesha/user-managed-access-uma-2-0-bcecb1d535b3
#
[fluffy]
and sorry I’m being imprecise again
#
[fluffy]
anyway. in Publ it was easier for the token to be a proxy for “this user is logged in with this scope” and then still just checking if the user is authorized to do the thing they’re trying to do
#
[fluffy]
rather than the token being a blanket authorization for “yeah the user with this token can read anything on the site”
#
sknebel
so to explicitly go back to the question again: A whitelist is probably fine. otherwise you could check if it explicitly matches the possible parameter combinations for the various specs (where e.g. redirect_uri and callback_url in one request would be forbidden)
[calumryan] joined the channel
#
[fluffy]
Okay, and to go back to my original concern, it means that if another protocol comes about, it needs to be explicitly supported by the token endpoint.
#
[fluffy]
Which I’m not sure if it’s a good thing or a bad thing. But it’s a thing.
#
[fluffy]
A thing that would be useful for these specs is just like… a list of which parameters should or must be passed through, for each one. It would make implementing that part of it a lot easier for people who don’t want to wade through a billion related specs.
#
aaronpk
that's exactly what the documentation on the wiki in each page (token endpoint, authorization endpoint) does
#
aaronpk
it's just that nobody has written that for autoauth yet, because we're not even sure it's the right model yet
#
[jgmac1106]
Duhhh.thanks for being my personal tutor once again... Snarfed++
#
Loqi
Snarfed has 51 karma in this channel over the last year (94 in all channels)
#
[fluffy]
okay, that’s fair.
#
[fluffy]
It makes it a lot harder to figure out what to do to help break the chicken-egg cycle though 🙂
#
aaronpk
in general i find it easier to write these things up at the same time as i'm implementing them
#
[tantek]
^^^ this
#
aaronpk
so i can't promise to write anything until i actually get around to building this
#
[fluffy]
sure, I guess I’m just relying on someone else to have built a thing
#
aaronpk
and i also can't promise when that will be, because i've got a few other indieweb priorities i'm focusing on too
#
aaronpk
welcome to the bleeding edge!
#
sknebel
ah, hm, actually the response might be an issue with just passing the parameters through
#
sknebel
[fluffy]: can you please comment on issue 18 with your use case?
#
Loqi
[mapbox] leaflet-image: leaflet maps to images
#
jacky
while I was trying to figure out how to render checkins using lwa
#
jacky
I want map images but I didn't want to grab a token
#
sknebel
[fluffy]: so one difference I see too is the response to the verification request
#
jacky
this makes it super dependent on JavaScript though :(
#
sknebel
in indieauth you need to take the scopes from the response to the verification request, in autoauth they're for now in the request
#
sknebel
how do you handle that right now?
#
sknebel
(or do you not handle indieauth authorization yet?)
#
[fluffy]
In Indieauth authorization it takes the scopes from the response.
#
[fluffy]
I thought the scopes would also come from the response in the autoauth case?
#
[fluffy]
ok then I’m glad we had this conversation!
#
[fluffy]
so how does the scope get verified?
#
[fluffy]
or is it just a yes-or-no?
#
[fluffy]
like “yes this code is valid for these scopes” or “no this code is not valid for …” okay I just answered my own question
#
sknebel
the authorization endpoint checks and says just "NO" if anything is wrong about the passed-through values
#
[fluffy]
asking the question gave me that answer but it’s good to verify that 🙂
#
[fluffy]
… fitting.
#
sknebel
and I've been double-checking the spec for all your question, so even more verification :D
#
[fluffy]
anyway opened https://github.com/PlaidWeb/Publ/issues/304 to track things that come up
#
Loqi
[fluffy-critter] #304 Token endpoint doesn't support AutoAuth
#
[fluffy]
> The authorization endpoint will validate that the code corresponds with the given parameters (including the value or absence(!) of realm). If it does, a HTTP 200 response is returned, otherwise an OAuth 2.0 error response.
#
[fluffy]
okay wait so:
#
[fluffy]
does this mean that there’s no JSON data returned on an AutoAuth response?
#
[fluffy]
or is the AutoAuth code verification response content simply undefined?
#
sknebel
content undefined
#
sknebel
for a postive response
#
[fluffy]
that definitely complicates the implementation then
#
aaronpk
how does checking for a 200 response complicate it?
#
[fluffy]
It complicates knowing whether to parse the response for JSON data or not
#
[fluffy]
having to know up front whether it’s an IndieAuth or an AutoAuth request, which in turn front-loads more logic on the token endpoint
KartikPrabhu joined the channel
#
[fluffy]
also I note that the autoauth Authorization Code Verification example sends an Accept: application/json
#
[fluffy]
but if the response is undefined, doesn’t that imply that Accept is wrong?
#
[fluffy]
(anyway gotta idle for a bit)
#
sknebel
yeah, that's a bit odd. although I think generally maybe expecting a json response if any is ok
#
sknebel
but no promise about the content
#
gRegorLove
I switch on the parameter `callback_url` in my token endpoint
#
[tantek]
has anyone else implemented offline support since IWC Brighton? (2019-10-20)
SevenTwenty joined the channel
#
gRegorLove
I would expect AutoAuth's authorization code verification response to be the same as IndieAuth unless otherwise stated. Latter specifies a JSON response.
#
gRegorLove
I'm pretty sure that's what mblaney does with his part of our AutoAuth demo.
#
gRegorLove
Though yes, my AutoAuth code only checks the HTTP 200 response
#
[fluffy]
Yeah it simplifies the token endpoint considerably if there’s a guarantee that the response is valid JSON.
#
[fluffy]
I am totally fine with the specification being: if the response provides values, they override the values being verified. Otherwise use the values that were sent in for verification.
#
[fluffy]
Wait no that’s terrible
#
[fluffy]
That means the auth endpoint would be able to override the identity.
#
gRegorLove
Also simplifies because it's what authorization_endpoints already respond with
#
jacky
didn't know there was an offline session
#
jacky
considers adding this to koype
#
[fluffy]
‘me’ should never be overridden.
#
gRegorLove
[fluffy], which "response" are you referring to there? I'm getting a bit lost :)
#
[fluffy]
The code verification response.
#
[fluffy]
I could make a rogue authorization endpoint that responds to all code verifications with “yes I am in fact aaronpk.com thanks for asking”
#
gRegorLove
Ah. Yeah the authorization code response could have a different, canonical `me`, but you shouldn't use that for AutoAuth
#
[fluffy]
You shouldn’t use that for ANYTHING
#
[fluffy]
now I need to double check that I didn’t heck this up in Authl
#
[fluffy]
(I don’t think I did)
#
[fluffy]
… I hecked it up in Authl
#
gRegorLove
spec says you must verify matching domain in that `me` to the initially entered profile URL https://indieauth.spec.indieweb.org/#differing-user-profile-urls-p-3
#
gRegorLove
But otherwise it could be different scheme/subdomain
#
[fluffy]
okay so that’s… fun. Does it need to also accept subdomains?
#
[fluffy]
okay, anyone got a fun python oneliner for verifying that? 😛
#
aaronpk
wait no
#
[fluffy]
also what about things like… multiple subdomain users on the same domain, or example.com/alice vs example.com/bob ?
#
[fluffy]
example.com/bob could point to a rogue authorization_endpoint that says “I am in fact example.com/alice”
#
aaronpk
it's supposed to only let the endpoint change the scheme and path
#
[snarfed]
slightly more than one line
KartikPrabhu joined the channel
#
aaronpk
[fluffy]: yes that is a valid consideration
#
[fluffy]
seems like changing the path is dangerous?
#
aaronpk
generally the domain is considered authoritative
#
aaronpk
if users have the ability to define the authorization endpoint per path then that's a potential attack vector
#
[fluffy]
counterpoint: tilde.club
#
gRegorLove
section 7.1 I linked has examples with diff subdomain and paths
#
aaronpk
gRegorLove: re-reading that i see your confusion
#
aaronpk
but those are two separate examples
#
aaronpk
"user.example.net" -> "https://user.example.net/" and "example.net" -> "https://example.net/username"
#
[snarfed]
indieweb (if not indieauth etc) generally expect at least a full domain per user, not just paths, right? lots of tools depend on that, whether explicitly or implicitly
#
aaronpk
[snarfed]: kinda sorta
#
gRegorLove
"Clients MUST use the resulting `me` value... with the following condition: The resulting profile URL MUST have a matching domain of the initially-entered profile URL.
#
[fluffy]
okay so is it fair to say that it’s okay if the response *augments* the identity URI, or changes the scheme, but *changing* the URL is bad?
#
gRegorLove
Maybe being pedantic but that seems to permit different subdomain
#
aaronpk
oh boy here we go
#
aaronpk
what is URL
#
Loqi
URL design is the practice of deliberately designing URLs, in particular, permalinks, typically for a better UX for everyone who creates, reads, and shares content https://indieweb.org/url
#
[fluffy]
and how do you verify subdomain when it comes to ccTLDs?
#
aaronpk
no no no this is my point
#
aaronpk
there was never an intention to blur the lines between subdomains and ccTLDs
#
Loqi
[Tantek Çelik] How many ways can you slice a URL and name the pieces?
#
aaronpk
the problem is in the naming of the URL components
#
[fluffy]
okay wait I reread
#
aaronpk
in the indieauth spec, "domain" refers to: 'host' 'hostname' 'domain' 'internet domain' depending on which url spec you read
#
[fluffy]
matching domain as in the entire part between scheme and path
#
[fluffy]
not as in subdomain
#
aaronpk
subdomains do not exist in this model
#
[snarfed]
(ah, sure, by "full domain" above, i misspoke, i meant "domain" as in ^ this)
#
aaronpk
but [fluffy] you have a point
#
[fluffy]
but anyway I feel like there’s a big security concern in the spec where it makes it seem like example.com/~alice is a valid response for a verification request to the endpoint published at example.com/~bob
#
aaronpk
if the user enters a URL with a path, then it seems like a consumer should not allow the path to become less specific
#
aaronpk
tho i am not clear on how to phrase that in spec terminology
#
aaronpk
and that is also definitely a change from what is currently written
#
[fluffy]
I’m not even clear on whether scheme changes should be accepted, frankly
#
aaronpk
although all the examples conform given conform to that behavior
#
aaronpk
there are definitely valid reasons for scheme changes, at least from http to https
#
[fluffy]
maybe: The resulting path must start with the original requested path
#
aaronpk
i guess that phrasing does cover "" -> "/"
#
gRegorLove
sorry to introduce that confusion, though glad to clarify it for myself. Is that in one of the references in the spec?
#
[fluffy]
yeah but it also covers example.com/bob -> example.com/bob_is_a_turd
#
aaronpk
heh oops yeah
#
aaronpk
needs a better definition but i like the idea
#
aaronpk
gRegorLove: i don't think that is explicit in the spec, because the spec uses a definition of "domain" that does not distinguish between subdomains and ccTLDs
#
[fluffy]
maybe something something “adds a path component”
#
aaronpk
gotta dig into the URL spec to find the right words. the problem is the URL spec is a giant mess
#
[fluffy]
yeah 😕
#
aaronpk
i think this is the generally accepted spec right now, but it does kinda depend who you ask https://url.spec.whatwg.org
#
[fluffy]
the fact that URLs historically reflected the underlying filesystem and so many path resolution things are based on that doesn’t help things at all
#
aaronpk
also talk about specs that are difficult to read wow
#
[fluffy]
yeah jeeze
#
aaronpk
"Let url be the result of running the basic URL parser on input with base, and encoding override as provided"
#
[fluffy]
that’s even worse than RFC-ese
#
aaronpk
"If url’s scheme is not "blob", return url." wtf
#
[fluffy]
it almost reads like a patent filing
#
aaronpk
totally
[Lewis_Cowles] joined the channel
#
[Lewis_Cowles]
[tantek] 50/50, I put my serviceworker on just now
#
[Lewis_Cowles]
editor is WiP
#
[fluffy]
How about: must accept the response’s “me,” given the following conditions: 1. the scheme either matches or is converted from http to https; 2. the path begins with the same path, provided that there is a / separating the original path and any additions
#
[fluffy]
(and 3. the complete host name/domain matches)
#
[fluffy]
the wording on 2 could definitely be made less clunky though
#
[snarfed]
dealing with paths in users' web site URLs in bridgy overlapped lots of this and was definitely similarly complicated, i hit a number of the same issues. https://github.com/snarfed/bridgy/issues/644 , https://github.com/snarfed/bridgy/issues/629, https://github.com/snarfed/bridgy/issues/652
#
Loqi
[snarfed] #644 support multiple users on same domain
#
aaronpk
can you open an issue on the indieauth spec for this? it's definitely worth discussing further
#
aaronpk
i'm not sure on the exact wording yet but the idea is solid
[Sonny] joined the channel
#
[Sonny]
what do you guys recommend for a dead simple tool to make a local http server available on the Web?
#
[Sonny]
temporarly*
#
aaronpk
probably better to keep that discussion somewhere easier to keep up on in a thread
#
[Sonny]
[snarfed] thanks, does not appear to be opensource anymore 😞
#
[snarfed]
didn't realize that was a requirement?
#
[snarfed]
it's still a good tool
#
aaronpk
is "dead simple" a requirement?
#
aaronpk
I use SSH tunnels, which is open source, but is not dead simple
#
[Sonny]
indeed, it's for documentation/testing so any user willing to give it a try
#
aaronpk
still unclear on why open source is a requirement
#
aaronpk
"open source" and "dead simple" tend to not correlate very well
#
[Sonny]
it's not a requirement but would prefer something users can install through dnf/apt/...
#
aaronpk
i question the assumption that anything command line based is "dead simple" :D
#
Loqi
[fluffy-critter] #35 Improve validation rules for the response 'me'
#
aaronpk
if your users are willing to use the command line then you should probably just use ssh tunnelling
#
[snarfed]
benefit of ngrok is that users don't need to install anything at all, just web based
#
aaronpk
thx [fluffy]
#
[Sonny]
alright, dead simple for command line users then 🙂 thanks you both I'll recommend multiple solutions and they'll pick
#
[fluffy]
anyway meanwhile I gotta fix me some Authl code
#
[fluffy]
I feel like this is important enough for me to write a CVE against Authl. I don’t think anyone else is using it but it still seems like a better safe than sorry thing
#
[snarfed]
CVE wow
#
[snarfed]
much...wow
#
[fluffy]
But I don’t want to post it as a public disclosure until I have a fix, because otherwise anyone could use this to log in to my own website as me and see all my private posts.
#
[fluffy]
which would be, you know. bad.
#
aaronpk
doesn't the "C" in "CVE" stand for "common"? I think being unsure of whether anyone else is even using it makes it not common :-)
#
[fluffy]
haha good point
[manton] joined the channel
#
[manton]
[aaronpk] Back on location, just to be sure I understand... I'll add an example that is location-only with no check-in. But if someone is sending a check-in, is it appropriate to require that the coordinates be sent in location, or should they be included in check-in?
#
[manton]
[aaronpk] I think you are saying either/or and not both. Just want to be sure.
#
[manton]
I like the simplicity of "if there are coordinates, always put them in location" but I can see your point too.
#
aaronpk
[manton]: My intent in OYS was to include all the location info in only the checkin property
#
[manton]
Got it.
#
aaronpk
i wil have to look at my commit history to figure out why I added the location property
#
aaronpk
the "location" property is meant to say "this is where the post was created" like the "published" property says "this is when the post was published"
#
[tantek]
it should be ok
#
aaronpk
the "checkin" property is meant to be part of the contents of the post
#
[manton]
I've updated my help page with 2 separate examples: https://help.micro.blog/2019/api-location/
#
aaronpk
Cool, better!
#
[manton]
Great, thanks!
#
aaronpk
I would go one step further and make it clear that by using the "checkin" property you're making a checkin post tho!
#
aaronpk
Rather than just "if you have a venue name"
#
[manton]
Good point.
#
[manton]
I'll just say: "If you are making a check-in post with venue information..."
#
aaronpk
Posts with a "checkin" property are meant to be displayed completely different from photos with only a "location" property
#
aaronpk
that works
#
[manton]
Micro.blog blurs the lines a little between post types. We'll see how people use it and then can adjust if we need to.
#
aaronpk
Imagine a post with only the checkin property
#
aaronpk
it needs to look like a post, not like an empty post with a location tag
#
aaronpk
in fact I might go so far as to say a checkin post should feature the location as the primary content, adding the text content the user typed as supplementary information
#
[manton]
The way I'm handling this right now is that I add the venue name to the post content so that it shows up consistently in all themes. It's not _exactly_ correct but it means everything just works, and then the user can edit the theme to do something special when there is location information.
#
[manton]
Long-term I will probably need to update all the themes to better support this, but I wanted something that worked out of the box for everyone.
#
[manton]
Unfortunately it means the MF2 isn't really preserved right now unless the user edits the template to provide their own HTML, though.
[tonz] joined the channel
#
[Lewis_Cowles]
!tell tantek I now have a visual indicator for offline pages which when clicked reloads the page for the user. If it exists, then they get their page. If not, then they get the offline page still. Have you tested 404 functionality?
#
Loqi
Ok, I'll tell them that when I see them next
KartikPrabhu joined the channel
#
[tantek]
what is a checkin?
#
Loqi
[tantek]: [Lewis_Cowles] left you a message 9 minutes ago: I now have a visual indicator for offline pages which when clicked reloads the page for the user. If it exists, then they get their page. If not, then they get the offline page still. Have you tested 404 functionality?
#
Loqi
A checkin is the action of checking into a location and sharing that information https://indieweb.org/checkin
[qubyte] joined the channel
#
[tantek]
aaronpk++ for the recommendations of how to display a checkin post - can you add that to /checkin#How_to perhaps as a subsection?
#
Loqi
aaronpk has 53 karma in this channel over the last year (199 in all channels)
#
[tantek]
[Lewis_Cowles] ++ that sounds pretty cool. I like the idea of explicit UI to indicate to users that they're viewing a cached version and the option to refresh from network.
#
Loqi
[Lewis_Cowles] has 5 karma in this channel over the last year (10 in all channels)
#
[tantek]
definitely add your design thinking on that to a new (sub)section in /offline#Brainstorming
[benatwork] joined the channel
#
[tantek]
btw speaking of Medium (per meta conversation), I noticed (and adactio pointed out explicitly) that he's putting "Originally posted at..." links at *both* the top and bottom of syndicated copies of blog posts
#
[tantek]
this is so that if you end up reading the Medium copy of an article, you immediately see the link to the original and click through read it there instead
#
[tantek]
or if you end up reading it down to the end on Medium, and want to cite it, you see the link to the original and at least have a chance of clicking through and citing that original post instead of the Medium copy
#
[tantek]
is anyone else putting "Originally published at ... " links at BOTH the top and bottom of syndicated copies of blog posts?
#
aaronpk
That is a good idea
#
aaronpk
some sites will let you see the top bit of a post, or wait a few seconds before popping up an interstitial, so having the link at the top gives viewers a nice "out" to see the full post on your own site
Guest52268 joined the channel
#
[fluffy]
Implemented a fix for the identity URL thing, based on the proposed “more specific path” thing rather than the spec as currently written. https://github.com/PlaidWeb/Authl/pull/48
#
Loqi
[fluffy-critter] #48 Verify the identity URL
#
[fluffy]
This also includes a rogue indieauth authorization_endpoint which can be used to test other implementations.
#
@bixtweets
Do @wordpressdotcom blogs send webmentions in and of themselves, or only if you have a paid package and install a plugin?
(twitter.com/_/status/1189661414127833088)
#
@bixtweets
↩️ (I am trying to test some things on Microblog but I need somewhere to post that will send webmentions so I can see something.)
(twitter.com/_/status/1189662214736642048)
#
sknebel
mh, media uploads from quill on my phone are still weird
[jgmac1106], [manton], gRegorLove_ and [KevinMarks] joined the channel
#
[KevinMarks]
On more specific path, can you filter out example.com/alice becoming example.com/alice/../eve
#
aaronpk
that was one of the examples fluffy gave in the issue
#
sknebel
The path restriction feels like the wrong tool to me - I would prefer verification against an endpoint at the URL ...
#
sknebel
I think
#
aaronpk
which url?
#
sknebel
The identity url
#
sknebel
So it needs to be returned earlier
#
sknebel
E.g. if you got the code and the URL, you could look up endpoints at the URL, and verify the code against them?
#
aaronpk
hm, that's a pretty big change
#
sknebel
Didn't we use to return it there, and got rid of it because it was duplicated?
#
sknebel
Don't quite remember
#
aaronpk
we got rid of it because it couldn't be trusted at that point
#
aaronpk
so it was more misleading than anything
#
aaronpk
if someone can give you an auth code and tell you where to verify it, then they can do whatever
#
[fluffy]
yeah like, SelfAuth can be used to spoof whatever identity you want as it turns out
#
[fluffy]
I didn’t actually need to implement my own spoofing server
#
[fluffy]
(but I was glad for the exercise and having something trivially locally-testable)
#
sknebel
If where you verify is the identity you assume at the end, then that would be fine right? Ie you do not allow changes after that point
#
sknebel
Probably should think about this when I'm less sleepy
#
aaronpk
yeah a verification step at the very end could work
#
[fluffy]
what, like, verifying that the endpoint you’re talking to is the one advertised by the final id url?
#
aaronpk
like if you add a step at the end,
#
sknebel
Don't need to add a step if you fix the URL at the time the code is returned
#
sknebel
I think
#
aaronpk
so you just got the "me" response that says "I am https://example.com/eve" and then you go look at that URL for something and ask it "did you really just sign in here" and it could confirm
#
aaronpk
you can't fix the URL when the code is returned because nothing at that point can be trusted
#
[fluffy]
that final verification step sounds potentially onerous to implement
#
aaronpk
i agree, i'm not saying this is a good idea
#
aaronpk
but it's theoretically possible
#
Loqi
fluffy has 16 karma in this channel over the last year (42 in all channels)
#
[fluffy]
I think the best approach is to just, like, require an exact match on the id URL, or use the id URL as originally entered or whatever
#
aaronpk
we've seen many cases where letting the server normalize the URL is beneficial
#
aaronpk
so we're not going back to an exact match of what the user entered
#
[fluffy]
maybe using the canonical URL of the endpoint discovery request then?
#
aaronpk
that doesn't work for multi-user sites
#
[fluffy]
like if someone enters http://example.com/foo and it redirects to https://example.com/foo/ that’s what you use?
#
[fluffy]
but normalizations can change too
#
sknebel
If you get a code and a me URL, and you need to go to an endpoint discovered from that URL, what's the trust problem?
krychu joined the channel
#
[fluffy]
I ran into a lot of trouble with that in the OpenID 1.x days, when I used an OpenID signin to a forum and it saw my URL as http://beesbuzz.biz/fluffy and at one point that was getting normalized to https://beesbuzz.biz/fluffy/ and I couldn’t log in anymore.
#
[fluffy]
so I mean I do like the allowances for some amount of normalization
#
aaronpk
[fluffy]: you want to be able to support a user typing in just the host name example.com and ending up with the user-specific URL https://example.com/user
#
aaronpk
this is why we want to let the server handle the normalization, rather than the client
#
[fluffy]
true, and I support that in Authl, but that’s at the endpoint discovery phase
#
aaronpk
letting the client handle it leads to that issue in OpenID
#
aaronpk
[fluffy]: it doesn't work in the discovery phase because that only works for single user sites
#
[fluffy]
Authl’s identity handlers all deal with their own normalization, so like if I sign in by Twitter it normalizes to https://twitter.com/fluffy#993171 (for reasons)
#
aaronpk
user1 enters "example.com" and ends up as "https://example.com/user1", user2 enters "example.com" and ends up as "https://example.com/user2"
#
[fluffy]
oh I see what you mean now
#
[fluffy]
I was assuming that in this case http://example.com would redirect to the actual user like https://example.com/user1/
#
[fluffy]
like if you load that URL itself
#
[KevinMarks]
So in strict mode the client restarts the auth with the new extended url? Which should be quick they're logged in and cookied if they aren't spoofing
#
aaronpk
[KevinMarks]: strict mode?
#
aaronpk
this is pretty well described in the indieauth spec currently, are you suggesting something there needs to change? or are you asking a clarifying question?
#
[fluffy]
anyway Authl’s initial identity normalization is just like… fetch the identity page, and use its final URL as the initial identity. Well, I think. Let me verify that 🙂
#
[KevinMarks]
You said "add a step at the end" - is that what you meant?
#
[fluffy]
… for some reason my indieauth handler is using the endpoint URL as the initial identity?! well that’s clearly wrong…
#
[fluffy]
oh wait no my API is just misdocumented
#
[fluffy]
forgot to fix a thing 😛
#
[KevinMarks]
There's an implied 301 in there so the client should remember the extended url, not the one as originally entered?
#
[fluffy]
oh wait! haha no I’m dumb
#
[fluffy]
okay yeah in Authl, the initial identity URL is just the final post-redirection URL for the page, if it wasn’t grabbed by a thing that gives a URL match.
#
[fluffy]
so if you try to sign in via http://example.com and that redirects to https://example.com/alice then that’s what the final identity is validated against
#
aaronpk
[fluffy]: that section i linked above might be a good read, it talks about the different kinds of redirects and how to handle them
#
[fluffy]
ok, interesting. That’s a lot more complicated.
#
[fluffy]
so basically, a permanent redirect should update the base identity URL, but a temporary one should not?
#
aaronpk
hopefully the examples provide an explanation for why it's useful
#
[fluffy]
makes sense. I could probably implement that in Authl.
#
[fluffy]
what about a multi-step redirect, like a -> b -> c, where b->c is permanent but a->b is temporary?
#
[fluffy]
should it just stop updating once it hits the first temporary?
#
aaronpk
no i think it follows all redirects until it no longer hits a redirect
#
aaronpk
you need to follow all redirects in order to get to the final document to actually find the HTML tags
#
[fluffy]
Yes, of course, but I mean, for the updating the user ID
#
[fluffy]
to use the examples there: user enters username.example, which gets a temporary redirect to example.com, which gets a permanent redirect to example.com/username
#
aaronpk
does the second paragraph here answer that? https://indieauth.spec.indieweb.org/#discovery-by-clients
#
[fluffy]
obviously endpoint discovery happens at example.com/username but what’s the me value?
#
aaronpk
if not, we need to update that paragraph
#
[fluffy]
It doesn’t, no
#
[fluffy]
I mean it implies that in the above example the `me` would be example.com/username
#
[fluffy]
even though the first redirect to `example.com` is temporary
#
aaronpk
"If an HTTP temporary redirect (HTTP 302 or 307) is encountered, the client MUST use the previous URL as the profile URL"
#
[fluffy]
yes, but what if that’s not the last redirect?
#
aaronpk
so the profile url in your example would be "username.example"
#
aaronpk
at least that's how i would interpret that
#
sknebel
But the previous sentence also has a MUST
#
[fluffy]
but the previous sentence “If an HTTP permament redirect (HTTP 301 or 308) is encountered, the client MUST use the resulting URL as the canonical profile URL” implies that it would be example.com/username
#
GWG
aaronpk, do any of your IndieAuth run services actually update the url on a permanent redirect?
#
aaronpk
GWG: the current version of the php indieauth client shoudl be implementing these rules. it's used by (most) of my active projects. (i think there are a couple i havent updated yet like maybe teacup)
#
[fluffy]
I think a sentence like “If there are multiple redirections, use the last URL before the first temporary redirect”
#
aaronpk
ok yeah it looks like that section needs some clarification on precedence
#
[fluffy]
yeah that’s what I was getting at 🙂
#
[fluffy]
should I open another issue?
#
aaronpk
if you have real world examples to demonstrate that would be helpful
#
aaronpk
the examples in the "redirect examples" section right now are all based on real world website configurations
#
Loqi
[fluffy-critter] #36 Ambiguity in handling redirections
#
aaronpk
[fluffy]++ now you are getting first hand experience seeing why having more eyes on the spec helps it overall
#
Loqi
[fluffy] has 17 karma in this channel over the last year (43 in all channels)
#
[fluffy]
yeah absolutely
#
[fluffy]
so another question, while we’re on the subject: what should the scheme matching rules in response vs. profile URL be? I discovered after rolling out the Publ change that my auth endpoint was giving my identity as http://beesbuzz.biz/ rather than https://beesbuzz.biz/ all this time
#
Loqi
fluffy
#
[fluffy]
and so when I tried signing in as https: it failed when it tried to downgrade to http:
#
aaronpk
that is supposed to be already described by the redirect rules
#
[fluffy]
yeah but there’s no redirection involved here
#
aaronpk
oh you serve your website on both?
#
[fluffy]
http doesn’t redirect to https or vice-versa; but when logging in as https, SelfAuth was responding with http
#
aaronpk
whichever you consider canonical is the one your authorization endpoint should respond with
#
[fluffy]
yeah and I made that change, but the quesiton is about validating the me URL
GabeDiscord[m] joined the channel
#
[fluffy]
I would sign in as https://beesbuzz.biz/ and the endpoint would be discovered from that page and so on, but the endpoint would reply with a me of http://beesbuzz.biz/
#
Loqi
fluffy
#
[fluffy]
before, Authl just accepted it (because it accepted everything from the endpoint)
#
[fluffy]
after I added a validation step, Authl stopped accepting that becuase it saw the scheme downgrade from https to http as a violation
#
aaronpk
yes that would be an error
#
aaronpk
not because of the downgrade specifically
#
aaronpk
just because they don't match
#
aaronpk
http->https would fail too
#
aaronpk
that's the reason for adding all that language around redirect handling
#
[fluffy]
yeah but the redirect handling assumes that one scheme is redirected to.
#
[fluffy]
I treat https as canonical (via rel=“canonical”) but I’m purposeful about *not* doing a redirect to https.
#
[fluffy]
except when someone logs in, anyway
#
aaronpk
yeah that's gonna be tricky
#
aaronpk
that feels like a super edge case
#
[fluffy]
for public content I want to be friendly to transparent squid proxies, basically
#
aaronpk
you probably want the https URL to be the one associated with logging in to stuff
#
[fluffy]
yeah…
[jgmac1106] joined the channel
#
aaronpk
so you should probably just get in the habit of typing in the https URL when signing in to stuff
#
[fluffy]
oh, I already was in the habit
#
aaronpk
(if you're not willing to redirect http to https which would otherwise cover that case)
#
[fluffy]
I have no idea how things were working before, on a lot of stuff
#
[fluffy]
well the other issue was that SelfAuth was misconfigured to always say http 🙂
#
[fluffy]
so anything that was strictly verifying the scheme would have failed.
#
[fluffy]
as it started to do in Publ/Authl
#
[fluffy]
obviously that was a misconfiguration on my part
#
[fluffy]
but now that my reported identity URL has changed from http to https, how much stuff is going to break?
#
aaronpk
yeah that's a different problem
#
[fluffy]
will I find that my monocle/aperture subscriptions are all hecked up?
#
[fluffy]
at least indieweb.org seemed to be scheme-agnostic
#
@schnarfed
↩️ you just need to send a webmention, right? both of those should work. receivers like http://micro.blog don't special case "blog platforms" vs any other senders. alternatively, feel free to jump into https://indieweb.org/discuss and ask one of us to send a wm, we'd be happy to!
(twitter.com/_/status/1189688566374223872)
[tantek] joined the channel