#dev 2020-08-11

2020-08-11 UTC
[fluffy] joined the channel
#
aaronpk
it seems my comment on that gem stirred some life into it again! https://github.com/omniauth/omniauth-oauth2/pull/131
#
Loqi
[jessedoyle] #131 OAuth2 - PKCE
#
jacky
lol gotta stoke the flames
[tantek], geoffo and [tb] joined the channel
#
[tb]
Alright got my initial spike finished — this isn't wired up into the actual OmniAuth strategy yet but the tests all pass 🙂 https://github.com/craftyphotons/omniauth-indieauth/commit/c50bec502e32c7182078056c27bb05609e36dea7
#
[tb]
Still needs a bit of a refactor but this canonicalizes profile URLs and discovers from both link headers as well as link tags with priority to headers
#
[tb]
Also rationale for nokogiri instead of something else — 1) it's still the best HTML parser out there for Ruby AFAIK 2) it's what the microformats Ruby gem uses which I suspect I'll be adding here as well to parse the h-card out of the profile
sp1ff and nickodd joined the channel
#
aaronpk
Wow nice
#
aaronpk
you should be able to extract some test cases from the spec for the canonicalization step which is probably the trickiest bit
#
Loqi
it is probable
#
[tb]
Yeah as you can see I'm doing a very simplistic thing on the canonicalization hehe
#
[tb]
> For ease of use, clients _MAY_ allow users to enter just a hostname part of the URL, in which case the client _MUST_ turn that into a valid URL before beginning the IndieAuth flow, by prepending either an `http` or `https` scheme and appending the path `/`. For example, if the user enters `example.com`, the client transforms it into `http://example.com/` before beginning discovery.
#
[tb]
That's the part I'm still noodling on an efficient way to do
#
[tb]
And I suppose there needs to be an option for that in the strategy to choose whether to prepend `http` vs `https` — or perhaps even ping at both and prioritize the `https` URL if it succeeds
#
aaronpk
what i've been doing is trying https and if that fails fall back to http
[Jose_Leiva], dopplergange and [fluffy] joined the channel
#
[fluffy]
I’m going to change Authl to fit the new IndieAuth standard. Since SelfAuth still requires a scope for a code request and I expect this to be a point of contention for a while, I’ve opted to start requesting a fictional scope of `read:id`. Is that a good idea or is there something more appropriate?
#
[fluffy]
Like I’m not actually requesting read access to one’s posts or whatever, I just want to ensure that the ID matches. And I figure it’s similar to Mastodon’s `read:accounts` scope.
#
[fluffy]
or would it be reasonable to just request a scope of `id` or `me` or something?
#
aaronpk
i think we were tossing around the idea of a "profile" scope
#
[fluffy]
then that’s what I’ll go with
#
GWG
aaronpk: There were two things
#
aaronpk
but now that you mention it, "me" does make some amount of sense
#
aaronpk
for the minimal case where the only piece of information returned is the "me" URL
#
GWG
When I originally started discussing profile returns, you suggested it shouldn't need a scope for basic profile info.
#
[fluffy]
I mean technically there’s no need for a scope to read one’s profile when the whole point to the me URL is that it is the profile
#
aaronpk
yeah i'm not sure requiring a scope is correct
#
GWG
But I'm not sure what we settled on on Saturday
#
[fluffy]
Authl does now parse the mf2 from the profile page
#
aaronpk
this wasn't an explicit point of discussion
#
aaronpk
but this is worth adding to the list for the next session
#
[fluffy]
my understanding from the latest change is that requesting a code with no scope is equivalent to requesting an id before
#
[fluffy]
but it also seems harmless for Authl to just request a code it doesn’t use
#
aaronpk
how can you not use a code?
#
[fluffy]
er, right, I do use the code
#
[fluffy]
for the validation
#
[fluffy]
sorry, brainfart
#
[fluffy]
I was confusing it with a token
#
aaronpk
these names are not good :)
#
aaronpk
naming is hard
#
[fluffy]
the two hardest problems: naming, cache invalidation, and off-by-one errors
#
[fluffy]
okay I’ll just set this fictional scope to ‘me’ and call it a day, if there’s no intended validation from the auth endpoint for what a scope even means anyway
#
[fluffy]
like I note that neither the indieauth spec nor the OAuth spec have a canonical list of scopes anyway, they just say “the scope list must be formed of valid scope tokens” and then there’s a trivial regex-ish for what a valid scope token is
#
[fluffy]
which I assume is just a fancy way of saying “the scopes are implementation-defined as per the requirements of the application”
#
aaronpk
openid defines some
#
aaronpk
and since indieauth is similar, indieauth should define some
#
aaronpk
micropub also defines some, which is the appropriate place for that
#
[fluffy]
yeah I’m fine with the specific applications being where the scope definitions live
#
[fluffy]
micropub has specific reasons for defining scopes, indieauth not so much IMO
#
aaronpk
indieauth does if it defines any behavior about returning information about users
#
[fluffy]
like, imagine some future where we have, say, indieauth-verified coffee pots or something, do we really want to shoehorn brewing into a ‘write’ scope when it really should be ‘brew’?
#
[fluffy]
oh, good point
#
[fluffy]
but I feel like that’s already covered by h-card on the identity/profile page
#
[fluffy]
which is, again, what authl uses 🙂
#
[fluffy]
I suppose a case could be made for extra-detailed private info, like an email address that’s passed along or something
#
[fluffy]
I mean, without it being on a public profile
#
GWG
[fluffy]: That was the original idea I recall. No scope, just basic information.
#
[fluffy]
okay so I’ll just request ‘me’ and hope that doesn’t confuse people too much :P
#
[fluffy]
https://github.com/PlaidWeb/Authl/pull/83 and I guess the one known in-the-wild `response_type=id` consumer disappears 😉
#
Loqi
[fluffy-critter] #83 Request a code in the 'me' scope
#
GWG
I still do it
#
GWG
I'm waiting.
#
[fluffy]
ah, what do you use it for?
#
[tb]
Hmm I'm gonna need to give this fresh eyes in the morning but this is pretty much working now https://github.com/craftyphotons/omniauth-indieauth/commit/1fd75786844603d390aae997a014466de0a7b25d
#
[tb]
Have a good night folks
KartikPrabhu, gRegorLove and [jeremycherfas] joined the channel; nickodd left the channel
#
[jeremycherfas]
!tell geman I don’t know if this will help, but pinboard.in collects the tweets I like and more besides.
#
Loqi
Ok, I'll tell them that when I see them next
[tantek] and [fluffy] joined the channel
#
[fluffy]
Hmm, I’m trying to re-validate Publ’s token endpoint stuff (since I’m ripping all the AutoAuth stuff out and want to just use this for MicroPub et al) and I’m having trouble finding the part of the IndieAuth spec I was referencing before. It seems like a bunch of stuff changed on that? Or am I just misremembering things badly?
#
[fluffy]
I was primarily referencing the AutoAuth stuff when implementing it and of course that’s basically dead in the water now
#
[fluffy]
at least at one time there was something about token grants for resources, rather than users, and that’s what I’d implemented here, but that seems to have been tied to AutoAuth stuff so… never mind I guess
#
[fluffy]
okay yeah this is the spec change that’s tripping me up: https://github.com/indieweb/indieauth/issues/44
#
Loqi
[Zegnat] #44 Drop specification for communication between authorization and token endpoints.
#
[fluffy]
now I’m wishing I’d been able to make it to that popup session because I do care about that extension, but oh well.
[Zegnat] joined the channel
#
[Zegnat]
fluffy: any special reason why that change is tripping you up? The way we tackled the spec changes in the popup was to try and stay as backwards compatible and least invasive as possible.
dckc, gRegorLove, gxt, jjuran, moppy and strugee joined the channel
#
Ruxton
GWG: that auth bug looks like it was caused by cached things, I've only replicated it by having all my caching on, logging in and then upgrading and trying to auth the new plugin version. If my WP caches are clear, it works fine.
[KevinMarks], [tantek], KartikPrabhu, [Rose] and [jgmac1106] joined the channel
#
Zegnat
Did some minor selfauth work to get back into it during my lunch break. 2 PRs open. Will probably do some more when I get home.
#
Zegnat
Given it some more thought, but I do not think I will be working on PKCE in selfauth. I will leave that to someone else to solve. Will more likely start work on a stateful endpoint instead, where that all is a lot easier to do
deathrow1, [jeremycherfas], [KevinMarks], [Jose_Leiva], geoffo, dckc, [Ana_Rodrigues], [snarfed], [tantek], [tw2113], [fluffy] and [tb] joined the channel
#
[tb]
Now the fun part, wiring it up to the actual strategy!
#
[tb]
How important is backwards-compatibility with the hardcoded stuff to IndieAuth.com [aaronpk]?
#
aaronpk
well if anything it should use indielogin.com now instead of indieauth.com
#
aaronpk
but i'm not really sure what uses this gem that way
#
[tb]
I could add `default_authorization_endpoint` and `default_token_endpoint` options to the strategy and have those point to `https://indielogin.com/auth` and `https://indielogin.com/token` maybe?
#
Zegnat
I did not think indielogin.com was supposed to work as an authorization endpoint at all?
#
[tb]
Oh wait nvm I keep getting it confused
#
@Cambridgeport90
↩️ That would be. Then some fediverse applications also support Indieauth ... imagine logging into fedireads with your own site?
(twitter.com/_/status/1293224007097974784)
#
jacky
ooh nice work [tb]!
#
jacky
[tb]++
#
Loqi
[tb] has 2 karma in this channel over the last year (3 in all channels)
#
aaronpk
Zegnat: the gem originally is a wrapper around indieauth.com as the "developer product" which is what indielogin.com is now
#
aaronpk
so the original users of the gem are trying to just sign people in to a ruby app
#
Zegnat
Ah, alright, I guess it still works for that usecase then
#
@Cambridgeport90
↩️ Right? only one I know of that supports Indieauth right now though is http://Microblog.pub. Not sure what happened to it.
(twitter.com/_/status/1293224651154284544)
[chrisaldrich], KartikPrabhu, [Emma_Humphries], gRegorLove, [Steve_Song], [schmarty], leg and jamietanna joined the channel
#
jamietanna
Anyone using Indigenous for Android mind seeing if they see the same issue as https://github.com/swentel/indigenous-android/issues/401 ?
#
Loqi
[jamietanna] #401 Alt tags are not being sent via Micropub requests
#
jamietanna
Also is anyone able to see if Drafts are working for them in-app? Everything I've saved over the last week seems to have disappeared :thinking:
gRegorLove joined the channel
#
sknebel
fluffy++ (the second point in the post is really something that should be addressed soon!)
#
Loqi
fluffy has 19 karma in this channel over the last year (70 in all channels)
[tantek] joined the channel
#
@fluffy
New post: Plaidophile: Two PSAs regarding IndieAuth https://beesbuzz.biz/blog/6265-Two-PSAs-regarding-IndieAuth IndieAuth is starting to get some traction in the greater Internet space, which is really cool! I’m glad to see a protocol finally emerging around distributed/federated identity, managing to get some t…
(twitter.com/_/status/1293265028465020928)
[fluffy] joined the channel
#
[fluffy]
[sknebel] About the differing profile URL?
#
sknebel
(and agreed - checking the endpoint is referenced there too seems like the best idea)
#
[fluffy]
yeah this has been a concern of mine for nearly a year
#
Zegnat
I am hoping the first point will actually not be a big concern. Because it seemed like multiple providers may already have been ignoring the code/id difference. PR filed for selfauth to ignore it today too.
#
[fluffy]
Yeah, I hope you’re right.
#
[fluffy]
My concern is that there’s no real easy way to tell. We can only go based on anecdotes.
#
[fluffy]
Or at least based on a partial view of endpoints we know about.
#
Loqi
[jackyalcineisgoinglocal] Rerum quisquam eum molestiae necessitatibus ut quos consectetur similique a.
[spieper] joined the channel
#
jacky
I'm thinking about capping it to be like ~8 and then adding 'hidden' links for the rest of them so I can have those propagate in social readers more easily
#
jacky
tbh I do want to adjust which ones show based on a set of rules
#
jacky
if it's public; then it's anyone
#
jacky
actually no, that'll be on the social reader's site
#
jacky
I was thinking that it could sort it based on people the viewer knew but that's something a reader can do
#
jacky
doing that on my site would be a lot more work than I'd like to take on (though it'd be cool)
[tw2113] and [snarfed] joined the channel
#
[snarfed]
[aaronpk] just fyi i’m seeing broken images on your bookmark posts, eg https://aaronparecki.com/tag/barbot?tag=barbot&before=20170215T165614-0800
[Rose], geoffo, KartikPrabhu and [cleverdevil] joined the channel
[tb] joined the channel
#
[tb]
[aaronpk] [jacky] [jgarber] Endpoint discovery for omniauth-indieauth! https://github.com/aaronpk/omniauth-indieauth/pull/6
#
Loqi
[craftyphotons] #6 Endpoint Discovery
#
aaronpk
wow you're on a roll! tb++
#
Loqi
tb has 3 karma in this channel over the last year (4 in all channels)
#
[tb]
🙂
#
[tb]
This should lay the foundation for actually getting a token back as well as some other fun stuff
#
aaronpk
that's awesome
#
aaronpk
i don't have time to look at this right now, but if someone else wants to give it a look-over and approve it i'm happy to merge it!
#
[tb]
I actually just left a note on there that I'm gonna do a UAT of this into a real app anyway so we can leave it just for code review for now
#
[tb]
I'll install this into brvs.io tonight and make sure my integration tests weren't lying 😄
#
[tb]
And actually before I even get to token acquisition, this needs to support PKCE
#
[tb]
PKCE makes sending `state` redundant doesn't it?
#
aaronpk
it does
#
GWG
aaronpk: Where are you with the spec editing?
#
aaronpk
going to do more on the weekend
#
GWG
Okay
KartikPrabhu, [manton] and [jgarber] joined the channel
#
[jgarber]
[tb] Awesome! Nicely done. 😄
#
[tb]
Thanks [jgarber] and thanks again for the gem! As you can see there it worked nicely
#
[jgarber]
There’s some overlap between your work and the indieweb-endpoints gem: https://github.com/indieweb/indieweb-endpoints-ruby
#
Loqi
[indieweb] indieweb-endpoints-ruby: A Ruby gem for discovering a URL's IndieAuth, Micropub, Microsub, and Webmention endpoints.
#
[jgarber]
That’s great to hear! Appreciate that you’re getting good use out of that code. 🙂
#
[tb]
Oh hah I had no idea!
#
[tb]
It might be better to use indieweb-endpoints-ruby here
#
[jgarber]
I’d be interested in the Venn diagram of the indieweb-endpoints gem and your work and where there’s room for improvement to each!
#
[tb]
Definitely! So I think the main focus in the codebase here was ensuring compliance with the IndieAuth spec on profile URL canonicalization
#
[jgarber]
…which is an area I _think_ I didn’t cover in indieweb-endpoints. Wanted to keep that focused (if I’m remembering correctly).
#
[tb]
Which led to this lovely method that I had to ignore a bunch of RuboCop violations for! https://github.com/craftyphotons/omniauth-indieauth/blob/endpoint-discovery/lib/omniauth/indieauth/discovery.rb
#
[tb]
If it ends up making sense to the scope of indieweb-endpoints I'd be happy to collaborate on extracting it out of here
#
[jgarber]
…and before I forget, add yourself! https://indieweb.org/Ruby
#
[tb]
Ohh don't mind if I do!
#
[jgarber]
I’d say profile URI canonicalization is out-of-scope for indieweb-endpoints _but_ it might be worthy of its own gem.
#
[jgarber]
I swear I was working on that at some point in the last year or two, but I don’t know what might’ve come of that line of effort… 🤔
#
[tb]
Yeah I was thinking tonight after I finished it that it could certainly be it's own little gem
#
[tb]
its*
#
[tb]
There's a couple optimizations yet I think could be made, like just making `GET` requests right away instead of the `HEAD` requests and then caching the results for parsing later on
[snarfed] joined the channel
#
[jgarber]
Plus one to that. Practicality weighed against strict conformance with the spec shhh oh gosh don’t tell anyone I saw that aloud. 😂
#
[tb]
Hehe
geoffo joined the channel