#dev 2020-07-29

2020-07-29 UTC
[tantek], [chrisaldrich], peterrother, fredcy_, Rixon, nekr0z, oodani, plindner[m], Summer[m], Salt[m], edrex, samwilson, jalcine[m], jamietanna[m], JK_na, marinin[m], nickodd and [jeremycherfas] joined the channel; nickodd left the channel
#
[jeremycherfas]
!tell zegnat The dev of Bibliogram said Rss structure will depend on other instances being up to date and they also advised using an HTML parser. I did a bit of research and it may not be too difficult. I looked at php simple HTML dom parser. Would that be a good one to choose to learn?
#
Loqi
Ok, I'll tell them that when I see them next
#
Zegnat
Good morning [jeremycherfas]! I am not familiar with “simple HTML dom parser”. I would recommend looking at a parser that PHP ships with. Either DOMDocument or SimpleXML. Those are also the most likely to be used by other projects if you are looking for examples. (The php-mf2 parser uses DOMDocument.)
#
Loqi
Zegnat: [jeremycherfas] left you a message 1 hour, 4 minutes ago: The dev of Bibliogram said Rss structure will depend on other instances being up to date and they also advised using an HTML parser. I did a bit of research and it may not be too difficult. I looked at php simple HTML dom parser. Would that be a good one to choose to learn?
swentel, [mapkyca], [jgmac1106] and moppy joined the channel
#
swentel
Indigenous can now be translated online, if anyone wants to help out adding a new language, or improve the existing English strings, more than welcome at https://crowdin.com/project/indigenous :)
#
swentel
(currently only Android strings, but most of them will apply to the iOS version too)
#
Ruxton
swentel: do you have common custom icons between those apps? Many years back I put together a script to build iconsets for Android and iOS from a stack of individual SVGs, meaning we could just change the icon repo, rebuild and import them in
#
swentel
Ruxton, I've just taken over the iOS project, need to look at the icons which are used in it. However, sounds like a good idea to have a common set which are used for both!
#
swentel
The android version currently is a bit of mix too of png and svg, would be good to make that consistent as well.
#
Ruxton
swentel: check this out, it's old but using inkscape and svg_stack, i produce Android, IOS & a web stylesheet all from the same source - https://gist.github.com/Ruxton/dfd6c21ff7939c09cff18b05a7cc78d8
#
swentel
Ruxton, bookmarked thanks! great there's an OS switch to determine the binary, so can test quickly on linux too
#
Ruxton
yeah, cos I use OSX all day, but the build server ran Ubuntu ;P
#
swentel
hehe :)
KartikPrabhu joined the channel
#
jbove
swentel++ For multi-lingual support. Thank you very much ;-)
#
Loqi
swentel has 26 karma in this channel over the last year (46 in all channels)
#
swentel
You're welcome ;-)
#
jbove
swentel: I have a Crowdin account and have already used it for ManyVerse. Over the next few days I will also contribute to the translation of Indigenous.
#
swentel
jbove, cool!
#
Zegnat
swentel, jbove: once, a long time ago, sebsel and I claimed #indieweb-nl. To match indieweb.nl. So if we want to talk about translations ... ;)
dckc and [jeremycherfas] joined the channel
#
[jeremycherfas]
Thanks zegnat. I will look at SimpleXML, which I have used a little before. Good reason to learn more about it.
#
Zegnat
It should definitely be an easy way to parse the RSS feed itself, which hopefully is valid XML, and should easily let you get the contents of the description element.
#
Zegnat
Then you will have to do some testing to see if the HTML inside there is parsable by SimpleXML or if you need a real HTML parser
#
[jeremycherfas]
I use it now to get the XML file as a string and then turn that into JSON for further processing. So might even be able to avoid some steps. But I also think I want to get this working using strpos() as now, even though it is not perfect, and then iterate.
marinin[m] left the channel
#
swentel
hope it works like well forever :)
#
swentel
*here's
#
Zegnat
[jeremycherfas]: iterating sounds great! And if you have something that already works today, why not start using it. Perfection is the enemy of good and all that :D
#
Zegnat
If any PHP devs have a moment for a minimal PR review, not sure how many of us follow these microformats repos, it would be much appreciated: https://github.com/microformats/microformats-parser-website-php/pull/11
[mapkyca] joined the channel
#
swentel
hmm: is $page['error'] always set or not? might throw a notice otherwise. And related, does it make sense then if there's an error to still keep on parsing?
#
Zegnat
It is always set.
#
Zegnat
I do not know if there might be cURL error codes that would still allow HTML to come through? Didn’t think there was any harm in trying to parse the output
#
swentel
Looks fine to me then, you can always iterate when cases pop up where it's really not relevant to parse.
[tantek] joined the channel
#
[tantek]
Any rust devs can speak to this? Is there really a lot of FB / Ptr recruitment? https://twitter.com/smdiehl/status/1288106450707873794
#
@smdiehl
Palantir and Facebook are the largest employers of Rust engineers in the world. Rust Community: What exactly is the point of all of your long codes of conduct and community guidelines if the primary use for your language is the creation of a nightmare surveillance state?
(twitter.com/_/status/1288106450707873794)
KartikPrabhu, [Rose], [jgmac1106], gxt, joshghent and [argovaerts] joined the channel
#
Summer[m]
Hi IndieWeb! I've been working on a Micropub client lately. Someone I know is having issues with login and I'm wondering if that's an isolated incident or points to a bigger, possibly common, issue.
#
Summer[m]
The source code is available here - https://github.com/hirusi/Celestial/
#
Summer[m]
Can you folks please try and login here - https://micropub-celestial.herokuapp.com/ - and let me know if the login itself goes ok?
[grantcodes] joined the channel
#
[grantcodes]
Yep I got an application error at /login/token
#
Summer[m]
Oh noes. Let me check the server logs
#
Summer[m]
Ok I see this error - We received an access token but not the access token type from the token endpoint.
#
Summer[m]
IndieAuth spec itself is quiet on this. I imagined the token type is mandatory to be sent from the server.
#
Summer[m]
Let me try and see if OAuth spec says something about this.
#
Summer[m]
So the `token_type` parameter is `REQUIRED` by the spec. Not something I would like to "fix" in that case.
#
Summer[m]
But your auth server responded with the code and we were able to make a request to the token server with the code, so that is good news. The code verification from the auth server is the step where this other person is facing an error.
#
Zegnat
I think token_type is required for IndieAuth too
#
Zegnat
What implementations of a token_endpoint do not return a token_type? What are you using for your token_endpoint, [grantcodes]?
#
[grantcodes]
I have a diy token endpoint. So there's a good chance it's not correct
#
Zegnat
Summer[m]: I also got an application error. Let me just double check to make sure I really do return token_type. Anything new in the logs?
#
Summer[m]
Zegnat give me a minute please
#
Zegnat
No problem :) You can probably test it yourself. Just login to your app with the domain https://sink.zegnat.net/
#
Summer[m]
Ahh, got it. You are receiving the same error that this other person is!
#
Summer[m]
`invalid json response body at https://sink.zegnat.net/micropub reason: Unexpected token h in JSON at position 0`
#
Summer[m]
Is it returning JSON - can you check please?
#
Summer[m]
Ok let me try
#
swentel
oh, that's the login page I saw in my feed a few days ago, that's a totally awesome page
#
swentel
Summer[m], also got an application error (from realize.be)
#
Zegnat
Summer[m]: well, if this is the token request step, it should be returning JSON, yes. But I am not sure what “token h” would be :/
#
Summer[m]
@swe
#
Summer[m]
@swentel I see this error for realize.be: `The authorization server did not return any scope.`
#
Summer[m]
I really need to figure out how to get these error pages working correctly again... they worked until they didn't. Probably my focus for this week.
[mapkyca] joined the channel
#
Summer[m]
OK, so I'll deploy an additional log command, give me a few mins please. and then can someone please try again? Especially if you're getting unexpected token error
#
Summer[m]
At least i'll see what the response is
#
Zegnat
Happy to do it again :) Always happy to see new posts of interesting new micropub clients coming in to sink.zegnat.net
#
[grantcodes]
Hmm never saw that `token_type` thing before
#
Summer[m]
I'm really trying to go 100% by the spec, so it can be a pain but I think it can move the movement forward better 😅
#
swentel
I'm returning scope too afaics
#
Zegnat
It would not surprise me if it goes largely ignored within IndieWeb. Because other specs, like Micropub, already specify they want their authorization handled through Authorization Bearer headers. And if everyone already does that, no need to actually check token type
#
[grantcodes]
Yeah I saw that now and seems I have to dig 2 specs deeper to find out what it actually is
#
Summer[m]
That's a good point Zegnat. Perhaps I can fall back to Bearer if one is not received.
#
Zegnat
Summer[m]: that is safe to do for Micropub. Everything not Bearer-token is not compliant with the MP spec: https://micropub.spec.indieweb.org/#authentication-0
#
[grantcodes]
Guess I can just hardcode `token_type: 'Bearer'` into my endpoint in that case as well
#
Zegnat
If your token endpoint is only going to validate the token if it is submitted as authorization: bearer, then, yes
#
Zegnat
Honestly I do not run into a whole lot of other token_types. But OAuth is extendible, so there are probably plenty out there.
#
Zegnat
[grantcodes]: the actual spec I would link is https://tools.ietf.org/html/rfc6749#section-5.1 rather than the page on types. 5.1. Successful Response is what requires a token_type whenever you grant a token.
#
Zegnat
Summer[m]: I am still getting Application error. Anything new about my JSON?
#
Summer[m]
Sorry I haven't pushed yet! I's nearly uploaded
KartikPrabhu joined the channel
#
Summer[m]
It's*
#
Zegnat
Oh, I thought you did when you wrote. Coolio. Just ping when it is up
#
Summer[m]
I'll ping here again once the additional logging command is in
#
Summer[m]
Yes, will do, thank you so much! :)
#
Zegnat
For what it is worth, when I use https://gimme-a-token.5eb.nl/ to continue from the redirect URL that fails on Celestial I seem to get valid JSON back for my token
#
Zegnat
But I might be missing something somewhere. I should update the token endpoint to Mintoken at some point. That provider is written with way higher spec compliance in mind.
#
@johnjohnston
↩️ There are 2 microblogs: 1. a community of blogs and 2 a hosting service. I participate in the first for free. Comments on my posts on http://micro.blog are sent back to my blog by webmentions.
(twitter.com/_/status/1288453233850056707)
#
Summer[m]
OK I also see mblaney.xyz with a similar error while verifying the code from the auth server. Seems to be a very common error then!
#
Summer[m]
New release almost there... I'm on a really slow connection as far as upload speeds go...
#
Summer[m]
New release is up. Can you folks please try now?
#
Summer[m]
I should be able to see a raw-er response and figure out what is going wrong.
#
Loqi
I agree
#
Zegnat
on my way
#
Summer[m]
Am I able to share a large-ish snippet of code here? Does that work well with IRC?
#
Zegnat
I do not remember. I think if you use some sort of Matrix embed then yes, because we get a link. If you just paste it as text it’ll look real weird.
#
Zegnat
Application error triggered
#
Summer[m]
Yes, I mean within triple backticks
#
Zegnat
I do not recall how the matrix bridge handles those. The bridge is not operated by us.
#
Zegnat
I would recommend just putting it in a paste store somewhere. gist.github.com or similar
#
Summer[m]
Alright, so this is what I have
#
Summer[m]
I'm not sure why it says 404...that's absurd
#
Summer[m]
I seem to have no trouble with `https://indieauth.com/auth` as the `authorization_endpoint` and `https://tokens.indieauth.com/token` as the `token_endpoint`
#
Zegnat
You should definitely not be getting a 404 on that URL. I don’t think I even have any routes configured for 404, haha
#
Loqi
I agree
#
Zegnat
At work and I do not have docker available here, so sadly have no quick way to clone and run Celestial to poke around at the moment
#
Summer[m]
That's okay. 🙂
#
Summer[m]
I expect the pace of development to slow down from this point on. But it'd be lovely if you are able to test locally and see what's really wrong.
lahacker joined the channel
#
Zegnat
That should work. But if the logging you added is to be believed, there was no response body at all to parse? In which case that would have been the problem?
#
Zegnat
Not 100% sure of the behaviour of `.json()` if the response body is empty
[manton] joined the channel
#
[manton]
Catching up… Where does it say that token_type is required? I don’t see that in the spec.
#
Summer[m]
Another error I am seeing is this: `The authorization server did not return your canonical URL.` -- when using the Micropub sink. Basically the `me` parameter is missing too.
#
Summer[m]
Zegnat:
#
Summer[m]
I'll have to consult node-fetch for that. Give me a minute.
#
Zegnat
Summer[m]: the me is hardcoded in Sink, IIRC. So that can’t really go wrong. I think the issue is, from https://gist.github.com/hirusi/7f8e23ae75cf0cc7524206577ae6d44d, that the response size is 0.
#
[manton]
[Zegnat] But not required in IndieAuth.
#
Summer[m]
manton, IndieAuth is built on top of OAuth 2.0 so I would imagine the example here is built following the same idea - https://indieauth.spec.indieweb.org/#example-15
#
Zegnat
IndieAuth does not specify any of the response properties. Not even access_token. Because it offloads all of that to the OAuth RFC: https://indieauth.spec.indieweb.org/#access-token-response
#
[manton]
I don’t think we can assume that anything required in OAuth is also required in IndieAuth. For example, client_secret is required in OAuth, but not used in IndieAuth.
#
Zegnat
Huh? I don’t think client_secret is required?
#
Summer[m]
No, but the IndieAuth spec in this scenario is specifically referencing parts of the OAuth spec
#
Summer[m]
> If the request is valid, then the token endpoint can generate an access token and return the appropriate response. The token response is a JSON [RFC7159] object containing the OAuth 2.0 Bearer Token [RFC6750], as well as a property me, containing the canonical user profile URL for the user this access token corresponds to. For example:
#
Zegnat
only client_id is required, [manton], as with IndieAuth: https://tools.ietf.org/html/rfc6749#section-4.1.1
#
[manton]
Hmm. I was thrown off by the giant REQUIRED next to client_secret. 🙂
#
Zegnat
You mean in https://tools.ietf.org/html/rfc6749#section-2.3.1 ? Or where? That is a whole different OAuth flow
#
Zegnat
And this is why we really need a test suite, haha
#
[manton]
IndieAuth is all about bearer tokens, so I guess I don’t see the value in requiring token_type. But I’ll defer to others.
#
Zegnat
I have poked around a little, Summer[m], but I think I really need to be able to wait until I can run Celestial locally so I can actually see what kind of requests it is making. I have no idea why it would not be getting to the token :(
#
aaronpk
good morning scrollback
#
Summer[m]
No worries, Zegnat. I'll be glad whenever you are able to get back! :)
#
Summer[m]
But it seems you must be right, maybe there is no response body to convert to JSON which is odd.
#
Zegnat
You must somehow really be ending up at a 404. But this is the first time I see that, and plenty micropub clients have been tested against sink. So I am unsure what makes yours different.
#
Zegnat
Summer[m]: any way to run without Redis, or is that a hard dependency? (I thought I would just clone the repo and see if `npm start` did the trick :P)
#
Zegnat
good morning aaronpk ;)
#
[manton]
I’m getting an application error after signing in with Celestial too, by the way. It’s in /login/callback where Micro.blog is passing back an access token and state.
#
Zegnat
Yep, that is where login stops for me too. I get back to the redirect URL, but it cannot successfully fetch a token
#
aaronpk
realistically token_type isn't actually useful anymore even in OAuth 2
KartikPrabhu joined the channel
#
aaronpk
the idea was that some systems might want to use something other than bearer tokens, but in practice that never happened, bearer tokens were good enough for most people
#
Zegnat
Makes sense, as they are opaque data strings to begin with
#
Summer[m]
Ahh, no you would need to follow the dev docs here - https://github.com/hirusi/Celestial/blob/master/docs/development.md
#
aaronpk
there's some work being done now to use "proof of possession" tokens (which require some additional secret or certificate that is used along with the token), but since Bearer tokens are everywhere, all these extensions are essentially extending Bearer tokens
#
aaronpk
so token_type=Bearer will continue to be returned forever, even if the token isn't strictly a Bearer token anymore because it requires something in addition to the token to use it
#
aaronpk
(this is all in the OAuth 2 context)
#
Summer[m]
uploaded an image: Screenshot from 2020-07-29 19-07-26.png (52KB) < https://matrix.org/_matrix/media/r0/download/matrix.org/catKBTstEBKDWqYTiuflIuSF >
#
Summer[m]
Manton, I'm looking at the logs for you... here's what I see.
#
[manton]
Thanks! Interesting. Looking at why that might happen…
#
Summer[m]
So your server is the only one to send a 200 OK response, with JSON, and with a proper error.
#
Summer[m]
That is, with the `content-type` set to `application/json`
#
Zegnat
Summer[m]: I just really didn’t want to go through the hassle of setting up Docker on my work machine. Haha.
#
Summer[m]
Zegnat, I opted for Docker because I know I'd like to host multiple services on a single VPS. I also didn't want to bother with installing redis on my computer as a system package for just one tool...
#
aaronpk
Summer[m]: i got an application error on the redirect too fyi
#
[manton]
I think that error only happens if Micro.blog can’t find the access token. And I’ve confirmed that the token is there that I see in the callback URL. Is it possible that it’s not being passed as a code parameter back to the POST to verify?
#
Summer[m]
Whoops. Looks like something is terribly broken on my end then. :)
#
Summer[m]
Let me check manton
#
Zegnat
You may want to log the outgoing HTTP request too, and not just the response you get. That has saved me at least a hundred times from debugging hell.
#
[manton]
Thanks! I think we’re making progress. 🙂 It has been a while since I’ve reviewed this code, so this is helpful for me too.
#
Zegnat
(Sadly not every framework makes it easy to log HTTP requests because they are buried behind layers of abstraction :( )
#
Summer[m]
That's an excellent idea Zegnat. I'll make sure to get that up today.
#
Summer[m]
Aaron, I receive the following from you.
#
Summer[m]
uploaded an image: Screenshot from 2020-07-29 19-11-42.png (56KB) < https://matrix.org/_matrix/media/r0/download/matrix.org/tyoVhusEyjiobNWnUHlXzIyL >
#
Summer[m]
Again, this is another 200 OK response with `application/json`
#
Summer[m]
I'm going to spend the next half hour combing through my authorization code.
#
Summer[m]
It's completely possible I've screwed up somewhere
#
Summer[m]
^ That's at the auth code verification step.
#
Zegnat
Wait ... why are you doing an authentication verification?
#
Zegnat
Should you not be doing a token exchange?
#
Zegnat
might be thinking of the wrong flow ... but...
#
aaronpk
yes if you are trying to get an access token you just do it and don't also try to verify the auth code
#
aaronpk
and there is no scope returned in auth code verification anyway
#
Zegnat
Sink will definitely fail then. Sink can never verify authentication, because it can literally only do Micropub (no authentication, only create-authorization)
dckc, [Rose] and [jgmac1106] joined the channel
#
Zegnat
Hmm. Reading more of the Celestial code, I am not sure if this is supposed to be accepted by OAuth at all. If I understand https://github.com/hirusi/Celestial/blob/master/src/routes/authentication.ts correctly it will first do a verification request of the code, and only if that succeeds it does the next step where it uses the exact same `code` value again to do the token request.
#
Zegnat
I think I would have that fail on the merit of `code` being single use
#
aaronpk
(tho technically oauth doesn't *require* single-use authorization codes, it just highly recommends it 😉)
#
Zegnat
Well it seems like a bad idea for a consuming application to think it can reuse it, no matter what oauth requires :P
#
aaronpk
yes indeed
#
aaronpk
oh wait! I misremembered! the spec does require single-use codes, but in practice some servers did not do that
#
aaronpk
because if you have a very distributed authorization server, keeping track of whether a code has been used already introduces centralization
#
Zegnat
“some servers” being indieauth.com? If Celestial works with indieauth.com+tokens.indieauth.com that one apparently allows it :P
#
Zegnat
I do not remember exactly what parts of ia.c were stateless. tokens.ia.c is obviously completely stateless, but I forget about ia.c
#
Summer[m]
was afk, just reading through
#
Zegnat
From my reading, the code used at https://github.com/hirusi/Celestial/blob/master/src/routes/authentication.ts#L279 (auth verification request) and at https://github.com/hirusi/Celestial/blob/master/src/routes/authentication.ts#L414 (actual token exchange) are the same. So that is reuse.
#
Summer[m]
Oh I seeee! Dang :D
#
Summer[m]
Sorry I'm totally new to OAuth as well as backend in general. I remember I had accidentally implemented Authentication first, then realized what I really needed was Authorization, and must have screwed up there with the `code` re-use.
#
Summer[m]
Looking at https://indieauth.spec.indieweb.org/#authorization now and it's obvious it doesn't have a section on code verification...
#
aaronpk
i've been thinking about collapsing those two sections so there's just one description
#
Zegnat
And the verification request checks for scopes in the response. Not sure if it is a must... aaronpk you do not seem to respond with scopes there? I guess because you have a built-in token endpoint so you never need to respond with scopes to verifications?
#
aaronpk
the only difference is whether you get an access token back
#
aaronpk
checks the source code
#
Summer[m]
Honestly I was just really confused with the Authentication and Authorization but I chalked that up entirely to me being new to this.
#
Summer[m]
sections but I *
#
aaronpk
that's a good indication that the two separate sections might not be as helpful as we thought they would be
#
Summer[m]
I can't make a comment on that... for me personally, even a little section explaining where I might use one and where the other is good enough.
#
Summer[m]
That is, before we delve into either one in detail
shoesNsocks joined the channel
#
Summer[m]
So I'll work on this + falling back to Bearer token type instead of complaining. Is there anything else I might need to fix while still keeping the spec in mind?
#
Zegnat
Unsure. Depends what you are trying to cover...
#
Zegnat
Note that error messages from token endpoint might be in WWW-Authenticate headers, and not in response body?
#
aaronpk
i thought the response body from the token endpoint was always defined
#
Summer[m]
Is that a use case in general or specific to IndieAuth?
#
Zegnat
General.
#
Zegnat
I am 99.99% sure I took that from OAuth specs
#
Zegnat
aaronpk: ^^^
#
Zegnat
But I found lots of things either not defined or badly defined for token endpoint responses, aaronpk. So maybe I missed an entire RFC :P Half my issues are about unknown behaviour: https://github.com/Zegnat/php-mintoken/issues
#
Summer[m]
Also, can I just say, you folks have been super helpful and patient with this. ❤️
#
aaronpk
okay Zegnat confirmed my website correctly includes scope in the access token response, and does not include it in authorization code verification (because scope doesn't mean anything there)
#
aaronpk
also my own authorization codes are one-time use
#
Zegnat
aaronpk: yeah. But I think IndieAuth spec says that token endpoints do an access token verification request to learn what scopes they are allowed to grant? So if you were to use an external token endpoint it would never learn about scopes?
#
aaronpk
correct, but i never do that
#
aaronpk
that's an optional part of the spec if you want your two endpoints to be interchangeable
#
Zegnat
Yep, was just confirming how optional it was. Because that is the reason you could not log in to Celestial. It did not see scopes when it did the verification request.
#
Zegnat
From Sink it got a straight up 404, because Sink does not ship with verification at all :P
#
aaronpk
even if it could, celestial wouldn't have been able to do anything, because the followup request for an access token would have failed
#
Zegnat
Honestly I am still not sure it was worth writing the spec in such a way that token endpoints could exist in a decoupled way ...
#
aaronpk
i am reconsidering that now as well :)
#
Zegnat
I feel like that split has confused a lot of people, and in reality we see very little modularity.
#
aaronpk
maybe something to consider for the next version
#
Zegnat
It may only be selfauth and ia.c that are forcing people to be modular :P
[schmarty] joined the channel
#
[schmarty]
in favor of expecting token+auth endpoints to be the same (or use a proprietary mechanism to talk)?
#
Summer[m]
I'm sorry but not being very familiar with OAuth in general, a lot of this goes over my head, but I would say it would be good to open an issue while we're on the subject so we can follow it up later at any popups :)
#
aaronpk
yes in fact we have a popup scheduled :)
#
aaronpk
[schmarty]: not the same URL, but yes part of the same software, or have their own way of talking to each other
#
Zegnat
[schmarty]: yeah, I would prefer them to be the same because in general they often end up being the same. (And when they are the same, the “talking” no longer needs speccing because it is a plumbing decision behind the scenes)
#
aaronpk
like in reality, tokens.indieauth.com and indieauth.com are running on the same machine so they could be sharing a redis database instead of talking to each other via http
#
Zegnat
goes to make sure we have an issue for discussing this
#
Zegnat
yeah, but tokens.ia.c can also be used by selfauth users. Although I am not sure how many make use of that.
#
aaronpk
oh look i already made a note about collapsing the two authn/authz sections https://github.com/indieweb/indieauth/issues/42
#
Zegnat
Probably more likely they are running tokens.ia.c next to selfauth, than running mintoken
#
Summer[m]
aaronpk: honestly something like that would be super amazing. :D
#
aaronpk
sorry something like what?
#
Summer[m]
Merging them together and having them talk internally instead of over HTTP
#
[schmarty]
while we're talking about it the indieauth pop-up is scheduled for Aug 8: https://events.indieweb.org/2020/08/indieauth-pop-up-session-6xlxgeCEMgv8
#
aaronpk
yeah some endpoints already do talk internally instead of HTTP (like my website and wordpress)
#
Zegnat
Writing up an issue now for dropping communication between endpoints from the spec
#
Zegnat
Also have RSVPd to the pop-up. Really looking forward to getting on a call with the lot of you again! :D
#
[schmarty]
for what it is worth i think it is worth preserving and referencing the notes on that mechanism for allowing separate auth and token software to communicate
#
[schmarty]
i have a theory that selfauth and mintoken would not be the same without it!
#
aaronpk
so there's a lot of precedent in OAuth itself for this kind of thing
#
aaronpk
the new access token spec for example actually defines an access token format to define a format that's shared between resource servers and authorization servers
#
[schmarty]
and i appreciate the idea of swapping out one bit without affecting the other
#
aaronpk
it only is relevant to you if your resource server is not tightly coupled to your authorization server
#
aaronpk
e.g. github is just one big rails app so all their endpoints are built in and can share data internally
#
Zegnat
Alternatively, if HTTP comms are dropped from the spec, I might actually sit down to update selfauth and merge mintoken into it, [schmarty] ;) pros and cons
#
[schmarty]
haha but aaronpk i can barely (if at all) keep up with the indieauth and other indieweb specs
#
[schmarty]
much less what's going on in other OAuth specs
#
[schmarty]
zegnat: maybe!
#
aaronpk
but something like Okta which provides the authorization server separately now needs to give your resource server a way to verify access tokens
#
Zegnat
Summer[m]: apologies if the conversation suddenly leaped above your head, passionate people in here :D But do keep asking questions while you implement IndieAuth. We are all happy to help, and eager to learn from what is hard to do so we can improve the spec
#
aaronpk
so it's useful to define a format for this but it's only relevant in certain cases
#
aaronpk
so oauth does this with extensions
#
[schmarty]
obviously i am Just Talking here since i haven't built it yet but i think there is a user-benefits argument to allow and encourage separation
#
aaronpk
so my recommendation would be to do the same, where this is not part of indieauth core, but we define an extension to say "if you want to decouple your auth and token endpoints, then here's a pattern you can use to have them talk to each other"
#
Zegnat
I guess the question then is how important it is for IndieAuth-the-spec to try and spec auth-token-communications.
#
Summer[m]
Zegnat: absolutely, I'll try and finish my rewrite and see how it goes.
#
Zegnat
That makes a lot of sense to me aaronpk. Then something like selfauth could say “we implement extension-abc so you can use a token endpoint even if we do not ship one ourselves”
#
[schmarty]
because e.g. i could decide that i want a different authentication experience and swap out my authorization endpoint without affecting my existing tokens and workflow
#
Summer[m]
In general, I did open an issue on the Micropub spec repo as well where I encountered language that might be confusing.
#
Summer[m]
At least, it was confusing to me.
#
[schmarty]
aaronpk: totally agree that it should be moved to an extension. i just don't want to lose it!
KartikPrabhu joined the channel
#
aaronpk
(side note Zegnat it looks like indieauth.com's authorization codes are encrypted JWTs and are not stored anywhere which is why they're reusable until they expire)
#
Zegnat
time limited but not use limited. Then we know why Celestial works with ia.c + tokens.ia.c :)
#
aaronpk
i should cache the code in redis for 60 seconds to prevent them from being reusable tho
#
Loqi
definitely
oodani_ joined the channel
#
Zegnat
I am slightly spacing out, it is the end of my work-day and I am packing my stuff. But here is an issue to go off of: https://github.com/indieweb/indieauth/issues/44
[jeremycherfas] and [chrisaldrich] joined the channel
#
aaronpk
Zegnat++
#
Loqi
Zegnat has 24 karma in this channel over the last year (66 in all channels)
#
Zegnat
Alright. Closing laptop, time to walk home. Online again in an hour or so.
#
[jeremycherfas]
Enjoy the walk.
#
[jeremycherfas]
I’m doing likewise.
#
aaronpk
alright indieauth.com auth codes are one-time use now too :)
#
@iamhirusi
↩️ Here's an excellent summary of the discussion in an issue - https://github.com/indieweb/indieauth/issues/44
(twitter.com/_/status/1288491547583901696)
KartikPrabhu, [Murray] and [fluffy] joined the channel
#
Zegnat
So the results of this conversation are a ticket on GitHub and breaking Summer[m]'s working example with indieauth.com? Hahaha
#
Loqi
rofl
#
aaronpk
lol sorry
#
Summer[m]
Haha :D
#
[schmarty]
some spec ambiguity was resolved!!
#
Summer[m]
Well... it was broken either way!
[argovaerts] and justache joined the channel
#
Summer[m]
Alright, two fixes up. Defaults to Bearer token types, and fixed authorization flow. 🙂
#
Summer[m]
Still, it will likely fail if your Micropub endpoint does not respond to configuration requests. That's probably the next obvious pain point to solve.
#
Summer[m]
Based on the logs alone, the Sink also responds well to everything now, but my application fails purely on account of not getting valid config data!
#
Zegnat
Oh that could be true. I wonder if Sink might predate all the config fanciness. Haha
#
Summer[m]
So what is a Micropub client supposed to do if it cannot query for supported post types? Do I just show everything and then fail those requests individually if it is not supported?
#
Summer[m]
* So what is a Micropub client supposed to do if it cannot query for supported post types? Do I just show everything and then fail publishing requests individually if it is not supported?
#
Summer[m]
(oops - just remembered again Matrix -> IRC does not handle edits well)
[tw2113] and dckc joined the channel
#
Zegnat
I do not think that Micropub-core has any concept of support or unsupported post types. So I would show all.
#
Zegnat
Where is the spec for supported post types anyway? Link? Maybe I need to open a repo for sink so I can track this and implement...
#
Summer[m]
So you don't need to implement it as such
#
Summer[m]
Oh wait, config is should in the spec - https://www.w3.org/TR/micropub/#h-configuration
#
Summer[m]
post types are optional. just an extension.
#
craftyphotons
jamietanna[m]: aha so does your backend use your actual Hugo git repo as its data store then? I'm gonna use `slug` and `aliases` in that way too but I'm taking a more decoupled approach with my site where Hugo ends up being more of just a publish destination and my system of record is my postgres database behind a Rails app
#
craftyphotons
Oh oops I need to get used to the commands around here :) Sorry for the incoming dupe..
#
craftyphotons
!tell @jamietanna aha so does your backend use your actual Hugo git repo as its data store then? I'm gonna use `slug` and `aliases` in that way too but I'm taking a more decoupled approach with my site where Hugo ends up being more of just a publish destination and my system of record is my postgres database behind a Rails app
#
Zegnat
Ah, the way the extension is on the wiki I could not even implement it in Sink, because Sink supports _all_ types. Both current and tomorrow's.
[LewisCowles] joined the channel
#
[schmarty]
yeek i am not a fan of that extension as-is.
#
[schmarty]
it uses post-type in a prescriptive rather than descriptive way
#
[schmarty]
that section claims it is "reverse Post Type Discovery" but this feels like an obfuscation of the fact that micropub is about sending properties
#
[schmarty]
so it's not clear from this proposal that, for example, if my micropub endpoint says it supports "article" that it expects a micropub client to send data for "name" and "content".
dckc joined the channel
#
[schmarty]
(i think this is a side effect of folks wanting "post type" to explicitly declare what an entry "is", whereas microformats actually describes what an entry "has")
#
aaronpk
there's such a draw towards explicit post types! I think it's mainly from developers though, because it simplifies coding. but in reality most post creation UIs don't work that way anymore!
#
[schmarty]
it feels like it comes up in a lot of discussions and proposals (and implementations, since i see implementations listed for this extension)
#
[schmarty]
i almost wish we had a wiki template to drop into discussions that link to whatever docs we have about why to avoid explicit types
#
aaronpk
what is post type?
#
Loqi
Post or posts may refer to individual pieces of content published on an indieweb site such as notes, articles, & responses, or the act of creating the aforementioned content (present tense), or Posts about the IndieWeb https://indieweb.org/post_type
#
jacky
sees a lot of scrollback
#
jacky
immediately declares bankruptcy
#
craftyphotons
After the discussion yesterday I've successfully gotten away from explicit post types in the database of my fledgling backend for my site
#
craftyphotons
I just have an `#entry_type` method now that I'm going to try to keep aligned with the post type discovery algorithm for the purpose of differentiating templates for things, but we'll see how much I even need that as I evolve the site
#
craftyphotons
Like I _do_ want my articles to use a different layout than say, notes and photos
#
craftyphotons
Everything now is just an Entry in my backend though
#
jacky
yeah that's how I do it for mine as well
#
jacky
I do cache the post type against the record so I can do quicker lookups (easier than walking all of my files that match something)
#
craftyphotons
I was debating retaining that in my database as well just so I could add a table filter by type via the database query in my backend's index view
#
aaronpk
i also index the discovered post type, but i'm not sure i actually use it for anything
#
craftyphotons
But then basically not allowing it to be mutated by hand, and recomputing every time a record gets updated
#
aaronpk
my layouts are based on whatever properties the posts contain
#
craftyphotons
The only thing I've thought of so far is that filter on my backend aaronpk, because on the frontend I'm just stuffing them into the appropriate Hugo section when the backend commits to the repo
#
craftyphotons
But yeah instead of a post type filter, maybe my backend index will just have faceted search for the different props instead
#
Zegnat
Latest version of my own blog system did not have any concept of post types. There were entries with a bunch of entries. The rendering to HTML may be different based on what properties. But that is because I was doing the Facebook way: everything starts as a text-only entry and then you can add on stuff.
#
craftyphotons
I was actually planning on doing a mostly activity stream looking layout for everything except the full content of articles on my site
#
jacky
my layouts are based on that column
#
jacky
I also use it for making post-type-specific feeds
#
jacky
this is also why I've leaned to the separate h-page thing mentioned (since I didn't want to carry all of the functionality that entries have into pages)
#
Summer[m]
As a developer, I wouldn't mind implementing a discovery algo and a single publishing page. I know the Micropub server I use does this as well. It doesn't have different endpoints for diff types
#
Summer[m]
It just makes sense
#
Summer[m]
But honestly it's so much easier for the user to see a specific post type/page and go "Oh okay, I'm writing a note!" Or "I wanna publish a Photo so let me click on Photo"
#
aaronpk
but it's *not* though, just go look at twitter
#
aaronpk
as a user you say "I want to post something" and then you decide whether to also attach a photo, or make a poll, or upload a gif
#
aaronpk
you don't first say "i'm going to post a photo" and switch in to the photo posting workflow
#
Summer[m]
Maybe, but that's what I would do 😅
#
aaronpk
suspects that's the programmer Summer showing through ;-)
#
Summer[m]
:D
#
Zegnat
Yeah, that is why I love the Facebook UI, aaronpk.
#
Zegnat
I went to check-in to a restaurant last weekend. Then I decided I also wanted to tag everyone I was with. Then when drinks had been served I decided to add a picture of all of us to it.
#
Summer[m]
Would anyone like to weigh in here? It appears this is correct, but thought I could use an experienced set of eyes :)
#
aaronpk
ah yeah, an early version of indieauth used form-encoded responses
#
aaronpk
but it hasn't been that way for quite some time, i think Known might be the only one left that still does that
#
aaronpk
it'd be great to fix up Known's indieauth support, it hasn't been touched in a long time
#
Summer[m]
PHP is not my first language, I just skimmed through the code and thought this was incorrect. I can't really offer a fix here unfortunately. I don't know if this is maintained.
#
aaronpk
known is maintained, but i know they don't have a lot of bandwidth for it
[pfefferle] joined the channel
#
Summer[m]
Ok... guess I'll leave it there for now. 🤷‍♀️
#
Summer[m]
Literally 5 hours ago - https://github.com/idno/indiepub/pull/22 🙂
#
aaronpk
oh whoa
#
Summer[m]
OK, confirmed. They tried to refresh so that was a code re-use causing a verification error.
gxt and [chrisaldrich] joined the channel
#
[schmarty]
Hahaha Flask::IndieAuth still wants form-encoded responses. I rediscovered this recently moving my personal notes site. I need to fix it. 😭
#
Loqi
awesome
[spieper] joined the channel
#
hirusi[m]
This beats me... if a Micropub client is to be able to update or delete an entry, then it should be able to fetch a list of entries from the server right?
#
aaronpk
yes and no
#
aaronpk
there are other ways to find the URL, like user action
#
hirusi[m]
Sorry what do you mean by user action her?
#
hirusi[m]
here*
#
aaronpk
like i have a bookmarklet where i can click it and it drops me in to quill to edit the post given that url
#
aaronpk
or there's a browser extension that injects edit buttons into the website itself
#
hirusi[m]
Ohh I see
[tw2113] joined the channel
#
hirusi[m]
I imagined when I started on this project that this would be something that would be possible within the core spec... just being able to see a list of posts and click edit/delete next to it.
#
Loqi
[EdwardHinkle] #4 Query for Post List
#
aaronpk
the core spec started out just to create posts, it wasn't originally a full CRUD lifecycle
#
aaronpk
that got us pretty far, so now we're adding the rest as extensions
shrysr joined the channel
#
hirusi[m]
Well, at least this is a stable extension. 🙂
[Ana_Rodrigues] and [tb] joined the channel
#
[tb]
Took things one step further thanks to these discussions and renamed Entry to Post in my backend 😄
#
[tb]
Naming is Hard(tm)
#
Zegnat
Oof, that Known issue giving me flashbacks to when I wrote conneg for selfauth. I think since then I have only ever copied my implementation from there into all my other projects
#
aaronpk
here's a thought... do we know if there are any clients left that expect the form-encoded response?
#
aaronpk
if there aren't any, can we just drop it completely?
#
Zegnat
Hmm. Unsure. Would have to be pretty old, surely?
#
aaronpk
or trying to work with Known
#
Zegnat
IndieWeb specs: officially around long enough to create legacy issues? ;)
#
GWG
aaronpk: What are you hoping will come out of the popup next week?
#
GWG
All good stuff
#
aaronpk
although now that we're talking about it, it would be nice to identify and officially drop anything that still uses form-encoded responses
#
Zegnat
aaronpk: wondering if we could add this to indieauth.next? It seems to be the one issue with the most checks of implementations that we have: https://github.com/indieweb/indieauth/issues/19
#
aaronpk
ah yeah
#
Zegnat
Drop form-encoded, drop me parameter, drop decoupling. If we just drop half the spec, we can add all the new things without changing our word count <3
jamietanna joined the channel
#
jamietanna
!tell craftyphotons yeah my Hugo site is treated as the source-of-truth for everything, so any queries my Micropub server does is interacting with the repo and parsing any files out of it, or parsing any pre-built files on the public website
#
Loqi
Ok, I'll tell them that when I see them next
#
GWG
What about #18 and #23?
#
aaronpk
18 (accept headers) would be unnecessary if there's no more form-encoded responses
#
GWG
aaronpk: I am including 18 for that reason. We can close it
#
GWG
And client discovery?
#
GWG
Zegnat: Have you thought about that since your initial deep dive?
#
aaronpk
client info discovery is trickier, but also doesn't affect as much
#
GWG
aaronpk: Do you have an alternative thought to what is proposed?
#
aaronpk
haven't thought about it
#
GWG
Just curious... maybe I will review Zegnat's thoughts and suggest something
geoffo joined the channel
#
craftyphotons
!tell jamietanna Aha gotcha! This is something I really love about IndieWeb so far, the broad range of architectures/system designs from individual to individual and the attitude that there's no such thing as One True Architecture
#
Loqi
Ok, I'll tell them that when I see them next
#
Loqi
craftyphotons: jamietanna left you a message 1 hour, 25 minutes ago: yeah my Hugo site is treated as the source-of-truth for everything, so any queries my Micropub server does is interacting with the repo and parsing any files out of it, or parsing any pre-built files on the public website
leg, [KevinMarks] and [grantcodes] joined the channel
#
[KevinMarks]
Can you see from logs if any servers are still doing the form encoded version?
#
aaronpk
i don't think i have logs like that right now, but i could add logging to quill
[tb], [chrisaldrich], geoffo and [fluffy] joined the channel