#[Aaron_Klemm]Is there any way/place to test my indieauth token endpoint?
#[Aaron_Klemm]I get a 401 error loading endpoint.php in my browser, but I'm not sure that's a bad thing. Indigenous still gives me the Token Endpoint not found error. It might help to try it somewhere else as the configuration seems correct as I've checked it over several times.
#[Aaron_Klemm]After discovering Known, I guess it's likely I'll replace the auth and the token endpoint with the Known provider, but if that's a bad idea, please advise.
[fluffy] and KartikPrabhu joined the channel
#ZegnatGood morning [Aaron_Klemm]! It is fine to use whatever indieauth is built-in to known. Several people use it. What is the URL you are trying to login with? Did you add the token endpoint link to the html of that page?
swentel joined the channel
#swentelquick question re: micropub?q=source&url={url} - the 'content' property is an array right, not an object with optionally 'text' or 'html' ?
#[grantcodes]Depends on how you've got them set up. Mine I can just pass in a mf2 object, it shows the appropriate inputs based on the properties and then updates the mf2 object when inputs are changed.
#[grantcodes]Then if it's an update I think I normally compare start and end property values and send a replace request since it's generally easier than the other update types
jamietanna joined the channel
#jamietannaaaronpk: what are your thoughts on extending Telegraph to return the `Location` header from the downstream Webmention server when a post is syndicated? Just spotted that it doesn't (and it's called out in docs, I just didn't read them well enough) but would be useful to be able to then use it to know where that Webmention was syndicated to
#jamietannaSome webmention servers seem to return the URL in the $.url in the response body, so I could parse the Telegraph `$.http_body` as JSON, and then if that's there, use it, but given the `Location` header can be used too, that'd be nice, too!
#swentel[grantcodes], I need to parse the response and decide based on the properties to open a specific activity which has the properties available for it
#swentelbut I'm thinking to change my screens, now they are 10 different ones, instead I just want a single screen where you can then toggle new inputs
#jamietannaActually while we're talking about Indigenous - I recently set up https://www-api.jvt.me/micropub?q=categories (unauthenticated) but when enabling it with Indigenous' settings for categories autocomplete, I don't seem to see anything
#Loqi[Zegnat] Leaving aside the question of whether IndieNews is doing the right thing with that `Location` header…
If Telegraph were to pass on the webmention endpoint’s `Location` header I would expect for it to be some sort of “external status” prope...
#ZegnatIt always gets a little murky when Webmentions are used for some specific other task, like syndication in this case.
#ZegnatI don’t think there is any specification for the status page themselves. Otherwise Telegraph could actually poll it and know when asynchronous handling is done
[schmarty], loicm, jamietanna and [Aaron_Klemm] joined the channel
#[Aaron_Klemm]Good morning, [Zegnat]! I do have the endpoint linked from the URL I'm trying to login with: https://aaronklemm.me/
#[Aaron_Klemm]Possible problems are my php+nginx isn't configured correctly, the selfauth index.php and an info.php page work in that directory. Also perhaps Indigenous has a bug after all, but at the moment I'm out of ideas for further debugging my php setup and also unclear where else I could test my endpoint.
swentel joined the channel
#[Aaron_Klemm]And of course I could have something wrong in my mintoken setup, though your install instructions were clear and concise, so not sure what I might have missed.
#[Aaron_Klemm]If that's unexpected, it will be good to know and I'll focus on that problem.
#ZegnatGET requests, like a browser would do, always require a Bearer token. So getting a 401 is pretty much expected.
#ZegnatThe WWW-Authenticate response header will contain more information about the 401, in accordance with the HTTP spec.
#ZegnatMintoken is really, uuh, minimal, so it never exposes any more information than absolutely necessary. Which is a bit of a pain when debugging ;)
#Zegnat[Aaron_Klemm]: the endpoint seems to work. If I submit a faulty bearer token, I get the expected error message back
#GWGDoes anyone return a WWW-Authenticate in an IndieAuth endpoint?
#swentelcould be possible symfony adds a standard message
#Zegnat[Aaron_Klemm]: you could test doing the manual requests for a token with help of https://gimme-a-token.5eb.nl/ and see if you end up with a token. If you can get through those steps, it might be a bug in Indigenous.
#ZegnatUpon a cursory reading of the IndieAuth spec, I guess WWW-Authenticate could have OAuth error messages in case you reply with a 40[013] on the verification step. But I do not see much other reason to put it in place for other requests
#swentel(in case there's a meaningful one of course, I know I haven't made those perfect yet)
#[Aaron_Klemm]iOS, and everything checked out at manual token request tool Zegnat listed so I think I can move on assuming the Indigenous on iOS is causing the problem. Thank y'all!
#GWGI have issues with meaningful error messages in debugging IndieAuth
#ZegnatThat is too bad [Aaron_Klemm] :( If Mintoken was not issuing the token I could have looked into why
#ZegnatAny Indigenous iOS users with any guesses what might be up? What does it require?
#[Aaron_Klemm]Well, I just re-installed the app and get a new error: "Micropub Endpoint not found" so that's enough progress to keep me going into the rabbit hole.
#swentelhmm yeah, it doesn't find all endpoints here too
#[Aaron_Klemm]It must've been caching the response when the token endpoint wasn't available, so now that's solved, and I don't have a "micropub" endpoint yet.
#swentelyou only defined authorization and token endpoint
#jackyit looks like you can suggest URLs as the realm
#swentel(android can, let me quickly check the ios source)
#jamietannaI also return on i.e. `insufficient_scope`: `Www-Authenticate: Bearer error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token.", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"`
#ZegnatAlthough I have noticed some issues with debugging tools. I think a coworker was using Postman for HTTP testing the other day and it would not expose the response headers on a 4xx page at all. So he had to constantly switch to curl
#aaronpkIf you just add a placeholder micropub endpoint you should be able to sign in, it just won't be able to do anything like post, but you should at least get past the login stage
#aaronpkah right now i remember the problem with that issue
#aaronpkwatchtower doesn't actually look for microformats at all, it just cares about whether the page has changed
#aaronpki wonder if i should move the feed fetching into Aperture
#aaronpkwould make it easier for other people to set up aperture :)
swentel joined the channel
#ZegnatI guess you could look into https://github.com/aaronpk/Watchtower/issues/1 instead, and have it stop polling in case a websub endpoint is advertised. Then bridgy could advertise a (dummy) websub endpoint and Watchtower would not have to poll at all
#Loqi[aaronpk] #1 subscribe to WebSub hubs if available
SpencerDub and swentel joined the channel
#swentelhmm so xray strips dangerous tags, which makes sense
#swentelin this case, I'm seeing it from rss feeds
#swenteland an iframe was stripped, even though it's fine (vimeo player)
#swentelwould it make sense to try and extract and add it to video property for instance? (although I don't know if vimeo urls can work with video tag)
#aaronpki don't think they can, most video players that use iframes do that so they can embed their JS players that include tracking and such
#aaronpki could see possibly adding an explicit list of allowed iframe domains to enable certain things to work, but i'd probably also make that an opt-in flag for the thing using xray
#swentelI'd love to see how feed.ly handles it (as that rss import there works)
#swentel[snarfed], question for you too, does granary, when parsing a twitter feed, know if the account is private or not? If so, do we have an mf2 class to put that on the author h-card?
#swentelwould help me to block actions in my feed I don't want to like/reply/repost such a tweet for instance on my site, potentially exposing info
hs0ucy joined the channel
#[snarfed]swentel, yes! and no clue if we have that in mf2. not that i know of
#[snarfed]it's very necessary for bridgy though so that it only backfeeds known public stuff
#swentel[snarfed], and if I reply to a private account, and push to brid.gy, does it arrive?
#[snarfed]oh, sorry, _reply_ to a private account. yeah that should work
[tantek], gRegorLove, geoffo, leg, petermolnar and [fluffy] joined the channel
#[fluffy]Speaking of which, does bridgy have any support for autoauth or whatever? Currently there’s no way for bridgy to send me notifications for twitter or mastodon responses to my private posts because the webmention to bridgy never happens.
#[fluffy]I need to add token or autoauth support to pushl for that to happen of course.
#[fluffy]Heck, are there any indieauth endpoints that support autoauth yet?
#ZegnatAFAIK there is only one implementation that has successfully negotiated autoauth?
#Zegnatsknebel: do you remember if we ended up demoing it on video?
#[fluffy]yeah. last time I worked on this stuff I had Publ accepting c2s-flow bearer tokens but I never figured out how to validate my s2s implementation.
#[fluffy]except by seeing that it almost certainly isn’t correct 😛
#ZegnatYeah, a lot of stuff needs to come together just right. And even then there are still parts of the brainstormy spec that feel kinda shoehorned in? Like the use of WWW-Authenticate and so on? A lot of stuff based on using existing tech, but not in a way any of it was actually being used by itself
#aaronpki wish there was some way to make it have fewer moving parts
#ZegnatHmm, we have video from Berlin 2018, which is where it was demoed, but not sure we have video of the demos
#[fluffy]oh wait actually I did add bearer token support to pushl, I just never got around to using it in anything 😛
#[fluffy]because I wanted to wait until I had an idea of how to actually grant the tokens, and I wanted it to actually be useful for anything (which it currently isn’t)
#[fluffy]since the webmention validation step will just get a 401, because nobody implements autoauth 😛
#sknebelZegnat: I feel like we demoed it at intros of something too
#sknebelI should at least take time to validate that my examples still work and match the current document
#[fluffy]From a pragmatic standpoint my current ad-hoc thing (show a stub entry to atom and twitter, ask people to log in to see it) has been Good Enough but it isn’t, y’know, great.
#ZegnatConveniently we started the demos with the proto AutoAuth
#ZegnatOh, and within a minute it looks like seb got volunteered to keep scribing the whole thing to IRC. Good times!
#[fluffy]someday I also need to get around to implementing micropub for Publ, which was the other reason I added bearer token support
#Zegnatgoes on an IWC video binge to feel connected with everyone
#KartikPrabhuso.... had an online conference today. The "people" set the "watch now" links to appear just before the presentations were live. And.... somehow it was all tied to EDT, so people in the midwest and west coast never got the "watch now" links :P
#Zegnataaronpk: I really want to have a look at autoauth again after taking a refresher on oauth.xyz, just to see if there is any streamlining we can borrow
#ZegnatI don’t know what objects are available in AC. I just saw someone running around collecting peaches in a random YT video, so going with that
#[fluffy]peaches are a rare fruit that become quite readily available once you start cultivating them, so, take that for what it’s worth
#[fluffy]bamboo shoots might work better, because once you plant them you run the risk of your entire island being taken over by bamboo without reasonable care being taken.
#[fluffy]… we’re talking about Animal Crossing materials being allegories for communication protocols, right?
#sknebelaaronpk mentioned a few times that we should a video explaining IndieAuth and AutoAuth with people for the different roles, passing things around
#aaronpkmy coworker made a game for that for oauth
#[tantek]GWG, we still need to recreate it! Feels like something we should have as a challenge for every Summit until it's an "everpresent" thing that "just works" with modern solutions
#[tantek]I wonder what it would take to get micro.blog as a SWAT0 participant as player A, B, or C
#aaronpkhaha i don't know who that was but we completed it!
#aaronpkit's actually meant to be something we use while on a zoom call with people, but nice to know it mostly works even without someone walking through it
#ZegnatI was thinking I had to join in when it said Google had to take action, as there were only players for Pat and Yelp.
#aaronpkif a source document is recognized as having microformats, i "upgrade" to a much more strict verification process where it requires the microformats content contains a link, rather than just anywhere on the page
#aaronpkin other words, it looks at the parsed mf2 tree rather than the HTML of the source document
#aaronpki guess the idea is that it cuts out noise of webmentions from page navigation and such
#aaronpkhowever, if the source document's microformats are broken, like is the case in many wordpress installs, for example if the blog post contents does not have e-content, this then causes the verification to fail even though there is a link in the blog post
#aaronpkso i guess the question is should I not be doing that more strict version of webmention verification because of these edge cases?
#jackytbh the stricter case is something I do as well because I keep a 'copy' of mf2 for context presentation
#jacky_but_ if there's a way to run the parser again and just consume it all then yeah
#[tantek]better to fail early than get only one step further and then face weirder failures
#jackyjust pulls very barebones info about a page if the mf2 seems 'off'
#aaronpkwell the reason this came up is someone filed an issue saying why is it saying no link is found when there is a link
#aaronpkbut yeah like jacky said, if it passes webmention verification but then returns an mf2 document that doesn't contain the link, that seems weird too
#jackyyeah b/c IIRC a url is like _needed_ for an entry (or even a card)
#LoqiPost or posts may refer to individual pieces of content published on an indieweb site such as notes, articles, & responses, or the act of creating the aforementioned content (present tense), or Posts about the IndieWeb https://indieweb.org/entry
#Loqi[Tantek Çelik] h-entry is a simple, open format for episodic or datestamped content on the web. h-entry is often used with content intended to be syndicated, e.g. blog posts. h-entry is one of several open microformat standards suitable for embedding data in HTML.
...
#jacky_tbh_ in this case, I think it's okay to be strict about needing mf2
#ZegnatI guess that fallback depends: do you usually accept webmentions from non-mf2 pages?
#jackyI can see that fallback opening a can of worms in the future like [tantek] mentioned
#ZegnatThen it seems to make sense to demote (?) it to a normal mention again
#aaronpkyes it accepts non mf2 webmentions, but if the page says there is mf2 then it requires stricter verification
#aaronpkif it fails that strict verification and i fall back to html validation then i might as well not do strict verification at all
#jackyyeah then failing hard (and hinting as to why) should be good (because then they can fix that)
#aaronpkyeah maybe the answer here is just a better error message
#jackyis also being slightly selfish and wanting people to fix their MF2 :)
#jackyI know my site generates some wonky forms of it too
#[tantek]this is false: "then i might as well not do strict verification at all", because when something passes "strict verification", that's when you bother to actually treat it as more meaningful than "just" a "mention"
#ZegnatWhat does it do if there is an h-card but no h-entry? Weird hypothetical there, but that means the page includes mf2, just not for articles.
#ZegnatSomething I could see happen if people just slowly add mf to their pages.
#[tantek]the earlier people get a signal that they have bugs to fix, usually the cheaper it is to fix it
#Zegnataaronpk: do you do synchronous webmention checking? If not: how do you communicate failure in a good way if you have just answered with a 201 Created?
#aaronpkyeah i'm leaning towards making this error message better
#aaronpkZegnat: see the screenshot in the linked issue :)
#aaronpk(even though in this particular case there isn't much that can be done, because the source document is on wordpress.com and they were migrating their blog anyway)