#dev 2020-01-20

2020-01-20 UTC
KartikPrabhu, JKing, jeremycherfas, krychu, reddDiscord[m], [manton], beko, adinbDiscord[m], [xavierroy], [Michael_Beckwit and [dmitshur] joined the channel
#
[dmitshur]
for RelMeAuth, what's the purpose of requiring the OAuth 2.0 site (e.g., GitHub) to link back to the user profile URL?
#
[dmitshur]
it doesn't seem to be strictly necessary to prove control over the URL content.
#
[dmitshur]
e.g., if a user claims to be "example.com" and example has rel=me link to github.com/example, and the user can sign in to GitHub as "example", then you can be sure they are "example.com" even if github.com/example doesn't link back to example.com. after all, if they can sign in to GitHub as that user, they can edit their profile's website URL field. ah, I guess I'm relying on that assumption which may not be true in the general case.
#
[dmitshur]
being able to sign in as GitHub user x, in theory, may not mean you can change x's user profile website URL field, so by requiring that to match, there is some sorta additional guarantee they can edit it.
#
[dmitshur]
I'm deciding whether to let the user sign in to github as the user they claim to be _first_ and checking their website url matches second, or vice versa. doing the github website check second means I can save on my own GitHub API rate limit quota 😛
#
[dmitshur]
but if the user forgot to set their website URL field, it makes a difference whether they'll go through signing in only to see an error then, or see the error right away
#
[dmitshur]
the algorithms described at http://microformats.org/wiki/RelMeAuth suggest checking for reciprocal link before starting OAuth auth
#
Loqi
RelMeAuth is a proposed open standard for using rel-me links to profiles on OAuth supporting services to authenticate via either those profiles or your own site. RelMeAuth is the technology behind web-sign-in. Editor Tantek Çelik (http://tante...
haywirezDiscord[ and gxt joined the channel
#
aaronpk
[dmitshur]: I agree that's why I dropped the rel me backlink from indielogin.com
#
aaronpk
it checks for the matching username rather than specifically rel=me, it really simplified a lot
cweiske joined the channel
#
[dmitshur]
welp, I'm currently working towards making it a clear, immediate error, which hopefully prompts them to fix their GitHub website link. something like... "example.com has a rel=me link to github.com/example, but GitHub user "example" WebsiteURL is https://elsewhere.test, which doesn't match user profile URL https://example.com"
#
[dmitshur]
it's a bit more work for me, but it should hopefully lead to a slightly better and consistent user experience, so it seems worth it at this moment.
[tantek], [mapkyca] and KartikPrabhu joined the channel
#
@edent
Ooh! Lobsters implements WebMention! #redecentralize https://t.co/J1mFk7T0uo
(twitter.com/_/status/1219160570202664960)
[Rose] joined the channel
#
beko[m]
What is Lobsters?
#
Loqi
Lobsters is an open source, technology-focused link-aggregation site similar to Hacker News https://indieweb.org/Lobsters
KartikPrabhu joined the channel
#
@soapdog
↩️ folks, I'm gradually implementing the #IndieWeb stuff on my blog. One cool thing is using https://brid.gy to monitor your Instagram, grab all the photos you post there and push them to your blog. I'm going to bring all my content back to my blog over the course of this year
(twitter.com/_/status/1219185378176983041)
[Marlin_Forbes] joined the channel
#
[Marlin_Forbes]
Some good ideas here for static hosting comments.
#
Loqi
[Michael Rose] Going static part 2: static comments
gxt, HenniDiscord[m], simons, [KevinMarks], [Rose], jgmac1106, [jgmac1106], [LewisCowles], [Marlin_Forbes], dietricha, jeremych_ and kbo8999Discord[m joined the channel
#
@voxpelli
↩️ I really don't need yet another chat, and I rarely use comment sections, but I'm happy to interact on Twitter. Run POSSE and Webmentions to unify Twitter and the site's comments? With something like http://brid.gy?
(twitter.com/_/status/1219248756199129088)
#
@kompilatorpod
↩️ I hear what you're saying; I think it's a pretty high barrier to register for a service just to comment. http://Brid.gy looked interesting, I'll look into it more closely!
(twitter.com/_/status/1219250019137720322)
[Sadik_Shahadu], jgmac1106, simons, JKing, dee`, [snarfed], emersen234Discor, wossDiscord[m], [tantek], richarddavisDisc and [KevinMarks] joined the channel
#
[KevinMarks]
This post expresses well the differences between the parser view and the content view of data interchange http://lexi-lambda.github.io/blog/2020/01/19/no-dynamic-type-systems-are-not-inherently-more-open/
simons joined the channel
#
@bmann
↩️ added, although logging in reminded me I have an IndieAuth question for you that I'll start a new thread on https://events.indieweb.org/2020/01/work-on-your-writing-coworking-BiEa288umQuz
(twitter.com/_/status/1219308091570839553)
#
@bmann
@aaronpk is Github the only "external" IndieAuth supported provider right now? Other than email / pgp? I temporarily edit my Github profile link for different sites right now, which is not ideal.
(twitter.com/_/status/1219309153790963712)
jenelizabeth joined the channel
#
@aaronpk
↩️ The wiki actually uses https://indielogin.com when you log in, which supports GitHub as well as Twitter and some other options. If your site says to use http://indieauth.com then yes, GitHub is the only external authentication provider supported by http://indieauth.com.
(twitter.com/_/status/1219309600106663936)
superjen96, jeneliza_ and simons joined the channel
#
@aaronpk
↩️ I apologize for the horrible confusion due to how I named these, but http://indielogin.com is not a replacement for http://indieauth.com from a user's point of view, only from the PoV of a website trying to authenticate users.
(twitter.com/_/status/1219314998310129664)
gRegorLove, simons, leg and Nuve joined the channel; henkvuitton left the channel
#
GWG
!tell [snarfed] Problem solved
#
Loqi
Ok, I'll tell them that when I see them next
[tantek] joined the channel
#
[tantek]
[dmitshur] less site specific code (when you “just” depend on rel=me rather than site-specific username lookup)
[dmitshur] joined the channel
#
[dmitshur]
makes sense.
#
aaronpk
you have to have site-specific code to complete the oauth flow
#
[tantek]
The less site specific code the better
#
[tantek]
That’s the point
#
aaronpk
so in practice what i found was that i was fighting site-specific stuff like the lack of rel=me and twitter's continual anti-bot protections, so it was breaking more often than working
#
[tantek]
It’s not a Boolean
#
aaronpk
plus you have to check the logged-in username after the oauth flow anyway
#
aaronpk
to make sure it matches the twitter URL you were looking for
#
[dmitshur]
I don't think you _have_ to
#
[tantek]
Twitter is an extra special case 🙄
#
aaronpk
so really checking the rel=me backlink only provides one potential benefit, which is you can tell the user ahead of time that doing the twitter login will fail because their link back to their site isn't there
#
aaronpk
no this was true with google for a long time too
#
aaronpk
back in the google plus days
#
[tantek]
“Only” a chance a better UX
#
[tantek]
Which is worth it
#
aaronpk
go write a rel-me-auth provider and run it in production for a few years and come back and tell me how it goes ;-)
#
[tantek]
With anything identity related
#
[tantek]
I did for a long time
#
aaronpk
s/provider/consumer
#
aaronpk
this rel-me backlink problem is why twitter is disabled on indieauth.com and why i dropped google from there a long time ago too
#
[dmitshur]
trade-offs 🙂
#
aaronpk
notice that twitter has been working flawlessly on indielogin.com for a while now
#
aaronpk
plus i don't think the UX is worse. it's probably better because it requires fewer steps for the user
#
aaronpk
one config step -- add your twitter link to your website https://indielogin.com/setup#twitter
#
Loqi
To use Twitter, link to your Twitter profile on your home page. <a href="https://twitter.com/aaronpk" rel="me">twitter.com/aaronpk</a> Make sure your Twitter account has your URL in your profile.
#
aaronpk
another common complaint i heard a *lot* is that people either wanted to be able to use the same twitter account to authenticate as multiple domain names, or they didn't want to put their personal website on their github profile
#
[tantek]
Odd. Twitter & GH accounts are cheaper than domain names
#
aaronpk
being logged in to multiple is not cheap
#
aaronpk
cost of switching account context
#
[dmitshur]
but remembering passwords for more than 1 account isn't as cheap, plus switching accounts
#
[dmitshur]
Aaron, do you have an estimate for when you'll have time/bandwidth to review the PR I sent to IndieAuth? is it okay that it's 4 commits in 1 PR or would it be very helpful to break it into 4 PRs?
#
aaronpk
anyway i'm speaking from my experience running indieauth.com for 8 years with around 7000 users and 70000 authentication events
#
aaronpk
also -- in that time, the actual oauth APIs of twitter/github/google have changed extremely little if at all, whereas their websites with the rel=me link were the ones that have changed constantly
#
Loqi
also has -1 karma in this channel over the last year (-2 in all channels)
#
aaronpk
[dmitshur]: they all looked related so i can review in one go. i hope to have time this week but probably not until thursday
#
[dmitshur]
great, thank you very much. as a heads up, I expect the first and last commit to be more subjective and I'm happy to iterate on feedback. the middle two should be pure mechanical fixes.
#
[tantek]
Firefox container tabs solve the multi login problem
[jeremycherfas] joined the channel
#
[tantek]
Yeah the markup changes are a real thing
#
[tantek]
Problem when there’s no regression testing for something
jenelizabeth joined the channel
#
[dmitshur]
I'm refactoring my code in the direction of _always_ fetching all information about the user (from the URL they've entered) first, then authenticating that they are that user. Even for "github.com/example" users. It's conceptually simpler and more consistent. It also lets me do all the error handling and reporting in advance of asking the user to authenticate, so when they do, it's guaranteed to work.
jgmac1106 and superjen96 joined the channel
Julian and jenelizabeth joined the channel
#
[dmitshur]
yep, I'm really liking the simplification this approach brings. now my entire sign in flow boils down to (omitting some minor details):
#
[dmitshur]
1. user enters their URL
#
[dmitshur]
2. I figure out all public information about them based only on the URL, including whether they have a website or GitHub linked (doing this gives me full information about what authentication methods are available)
#
[dmitshur]
3. I let them authenticate (IndieAuth endpoint or GitHub OAuth)
#
[dmitshur]
4. I confirm the authenticated user matches the URL they've entered
#
[dmitshur]
it leaves me with fewer code paths and special cases.
#
[dmitshur]
most potential errors happen in step 2 and get reported to the user right away
#
[dmitshur]
previously, I had slightly different code paths for: non-github URL with IndieAuth -> ..., non-github URL without IndieAuth -> ..., and github URL -> ...; it was harder to follow what was happening.
#
[dmitshur]
e.g., it was less clear what to do when fetching a github profile fails... if I authed via IndieAuth, then maybe it's not a fatal problem, but if authed via RelMeAuth then it's absolutely fatal.
#
[dmitshur]
I should emphasize, most of the simplification of this change is in the error handling, not that much in the happy path.
#
Loqi
I agree
#
[dmitshur]
the only complication is... if user enters example.com, I discover everything about them, then they auth via IndieAuth and in the end their authz endpoint reports that their canonical user profile URL is actually example.com/something/else, which may have a different avatar, github account, etc.
#
[dmitshur]
oh well, I can manage with that.
jgmac1106 joined the channel
#
@hjelle_brian
"Dunnuld, as you know, there is a microsub hidden behind the reeds on the Potomac. When you #TrumpResign, we will shuttle you safely back to the Motherland."
(twitter.com/_/status/1219403482957934592)