KartikPrabhu, JKing, jeremycherfas, krychu, reddDiscord[m], [manton], beko, adinbDiscord[m], [xavierroy], [Michael_Beckwit and [dmitshur] joined the channel
#[dmitshur] for RelMeAuth, what's the purpose of requiring the OAuth 2.0 site (e.g., GitHub) to link back to the user profile URL?
#[dmitshur] it doesn't seem to be strictly necessary to prove control over the URL content.
#[dmitshur] e.g., if a user claims to be "example.com" and example has rel=me link to github.com/example, and the user can sign in to GitHub as "example", then you can be sure they are "example.com" even if github.com/example doesn't link back to example.com. after all, if they can sign in to GitHub as that user, they can edit their profile's website URL field. ah, I guess I'm relying on that assumption which may not be true in the general case.
#[dmitshur] being able to sign in as GitHub user x, in theory, may not mean you can change x's user profile website URL field, so by requiring that to match, there is some sorta additional guarantee they can edit it.
#[dmitshur] I'm deciding whether to let the user sign in to github as the user they claim to be _first_ and checking their website url matches second, or vice versa. doing the github website check second means I can save on my own GitHub API rate limit quota 😛
#[dmitshur] but if the user forgot to set their website URL field, it makes a difference of whether they'll go through signing in only to see an error then, or see the error right away
#Loqi RelMeAuth is a proposed open standard for using rel-me links to profiles on OAuth supporting services to authenticate via either those profiles or your own site.
RelMeAuth is the technology behind web-sign-in.
Editor
Tantek Çelik (http://tante...
haywirezDiscord[ and gxt joined the channel
#aaronpk [dmitshur]: I agree that's why I dropped the rel me backlink from indielogin.com
#aaronpk it checks for the matching username rather than specifically rel=me, it really simplified a lot
cweiske joined the channel
#[dmitshur] welp, I'm currently working towards making it a clear immediate error, which hopefully prompts them to fix their GitHub website link. something like... "example.com has a rel=me link to github.com/example, but GitHub user "example" WebsiteURL is https://elsewhere.test, which doesn't match user profile URL https://example.com"
#[dmitshur] it's a bit more work for me, but it should hopefully lead to a slightly better and consistent user experience, so it seems worth it at this moment.
[tantek], [mapkyca] and KartikPrabhu joined the channel
#@soapdog ↩️ folks, I'm gradually implementing the #IndieWeb stuff on my blog. One cool thing is using https://brid.gy to monitor your Instagram, grab all the photos you post there and put them on your blog.
I'm going to bring all my content back to my blog over the course of this year (twitter.com/_/status/1219185378176983041)
[Marlin_Forbes] joined the channel
#[Marlin_Forbes] Some good ideas here for static hosting comments.
#Loqi [Michael Rose] Going static part 2: static comments
gxt, HenniDiscord[m], simons, [KevinMarks], [Rose], jgmac1106, [jgmac1106], [LewisCowles], [Marlin_Forbes], dietricha, jeremych_ and kbo8999Discord[m joined the channel
#@voxpelli ↩️ I really don't need another chat, and I rarely use comment sections, but I'm happy to interact on Twitter.
Run POSSE and Webmentions to unify Twitter and the site's comments? With something like http://brid.gy? (twitter.com/_/status/1219248756199129088)
[Sadik_Shahadu], jgmac1106, simons, JKing, dee`, [snarfed], emersen234Discor, wossDiscord[m], [tantek], richarddavisDisc and [KevinMarks] joined the channel
#@bmann @aaronpk is Github the only "external" IndieAuth supported provider right now? Other than email / pgp?
I temporarily edit my Github profile link for different sites right now, which is not ideal. (twitter.com/_/status/1219309153790963712)
#aaronpk so in practice what i found was that i was fighting site-specific stuff like the lack of rel=me and twitter's continual anti-bot protections, so it was breaking more often than working
#aaronpk so really checking the rel=me backlink only provides one potential benefit, which is you can tell the user ahead of time that doing the twitter login will fail because their link back to their site isn't there
#aaronpk no this was true with google for a long time too
#Loqi To use Twitter, link to your Twitter profile on your home page.
<a href="https://twitter.com/aaronpk" rel="me">twitter.com/aaronpk</a>
Make sure your Twitter account has your URL in your profile.
#aaronpk another common complaint i heard a *lot* is that people either wanted to be able to use the same twitter account to authenticate as multiple domain names, or they didn't want to put their personal website on their github profile
#[tantek] Odd. Twitter & GH accounts are cheaper than domain names
#[dmitshur] but remembering passwords for more than 1 account isn't as cheap, plus switching accounts
#[dmitshur] Aaron, do you have an estimate for when you'll have time/bandwidth to review the PR I sent to IndieAuth? is it okay that it's 4 commits in 1 PR or would it very helpful to break it into 4 PRs?
#aaronpk anyway i'm speaking from my experience running indieauth.com for 8 years with around 7000 users and 70000 authentication events
#aaronpk also -- in that time, the actual oauth APIs of twitter/github/google have changed extremely little if at all, whereas their websites with the rel=me link were the ones that have changed constantly
#Loqi also has -1 karma in this channel over the last year (-2 in all channels)
#aaronpk [dmitshur]: they all looked related so i can review in one go. i hope to have time this week but probably not until thursday
#[dmitshur] great, thank you very much. as a heads up, I expect the first and last commit to be more subjective and I'm happy to iterate on feedback. the middle two should be pure mechanical fixes.
#[tantek] Firefox container tabs solves the multi login problem
#[tantek] Problem when there’s no regression testing for something
jenelizabeth joined the channel
#[dmitshur] I'm refactoring my code in the direction of _always_ fetching all information about the user (from the URL they've entered) first, then authenticating that they are that user. Even for "github.com/example" users. It's conceptually simpler and more consistent. It also lets me do all the error handling and reporting in advance of asking user to authenticate, so when they do, it's guaranteed to work.
#[dmitshur] 2. I figure out all public information about them based only on the URL, including whether they have a website or GitHub linked (doing this gives me full information about what authentication methods are available)
#[dmitshur] 3. I let them authenticate (IndieAuth endpoint or GitHub OAuth)
#[dmitshur] 4. I confirm the authenticated user matches the URL they've entered
#[dmitshur] it leaves me with fewer code paths and special cases.
#[dmitshur] most of potential errors happen in step 2 and get reported to user right away
#[dmitshur] previously, I had slightly different code paths for: non-github URL with IndieAuth -> ..., non-github URL without IndieAuth -> ..., and github URL -> ...; it was harder to follow what was happening.
#[dmitshur] e.g., it was less clear what to do when fetching a github profile fails... if I authed via IndieAuth, then maybe it's not a fatal problem, but if authed via RelMeAuth then it's absolutely fatal.
#[dmitshur] I should emphasize, most of the simplification of this change is in the error handling, not that much in the happy path.
#[dmitshur] the only complication is... if user enters example.com, I discover everything about them, then they auth via IndieAuth and in the end their authz endpoint reports that their canonical user profile URL is actually example.com/something/else, which may have a different avatar, github account, etc.