#Loqi This room is one of several discussion channels for the IndieWeb community, see the channel descriptions for the focus and purpose of each room https://indieweb.org/This_room
#[fluffy]So my current thinking on private feeds: user agents need bearer token support. They can get this token through any number of flows, like https://beesbuzz.biz/profile or with Ticket Auth or whatever. This isn’t novel thinking of course.
#[fluffy]Oh also a thing I worry about with bearer tokens in general is how to deal with refreshing them. Like I don’t want the bearer tokens to have an indefinite lifetime, and there are also circumstances where all tokens might need to be refreshed.
#[fluffy]For example in Publ all tokens are stateless and just use HMAC-style signing, and if the signing key leaks that means it needs to change and all tokens become invalid.
#[fluffy]And it seems like an invalid token should lead to a 401 response to indicate that the token needs refreshing.
#[fluffy]If I ever get around to building Subl my intention is that a 401 error will cause the feed to get re-fetched without authentication and also set some UX indicating that the authentication expired.
jonnybarnes joined the channel
#[fluffy]And Subl will absolutely support both Ticket Auth and manual bearer token entry.
#jacky so I store all of those tokens currently and do a hard expiry that way
#[fluffy]Yeah having an abstract token store has advantages over signing (and Authl and Publ both support that) but Publ defaults to using signed tokens because it lets me keep things stateless and database-independent.
#[fluffy]Yeah this all emerged as a simpler alternative to AutoAuth.
#[fluffy]At the online summit a bunch of us were talking about finally making AutoAuth work and then the question came up: is this the right protocol?
#[fluffy]And we collectively decided that, no, it has too many moving parts and has way too much stuff that has to happen for basic bootstrapping.
#[fluffy]And then Aaron wrote up a quick idea for a token grant mechanism which handwaves around the issue of invites/discovery in a way which happens to work very well for Publ. :)
#[fluffy]I have most of the groundwork in place in Publ to support it, I just need to implement the token endpoint dance.
#[fluffy]Which should only take me a few hours to write but I don’t have the motivation to because of the usual chicken-and-egg situation.
#[fluffy]But I should just hecking do it and then hack it into Feed on Feeds like I always do even though I have qualms about how multiuser subscriptions work in that
#[fluffy](Subl is designed with this in mind from the beginning of course but all I’ve written on that is a rough schema and some even rougher notes about how to implement it when I have a round tuit available)