#dev 2020-08-22

2020-08-22 UTC
jonnybarnes, geoffo, KartikPrabhu and myfreeweb joined the channel
#
GWG
Looking at the Salmention spec for no particular reason
jimpick, myfreeweb, mattl, jonnybarnes and ndegruchy joined the channel
#
vika_nezrimaya
So, I just realized that my feed problem can be solved with Redis' sorted sets
#
vika_nezrimaya
Using dt-published converted to Unix timestamp as a rank, a feed insertion could be performed as a sorted set insertion
#
vika_nezrimaya
That way I'll be able to have my feeds ordered by time no matter what, and I may not even need a feed processor anymore?
#
vika_nezrimaya
The whole task of a feed processor service was to assign feeds to posts, and then insert those posts into feeds
#
vika_nezrimaya
but I can just do an insertion into a sorted set atomically
#
vika_nezrimaya
which means that it doesn't need a lock and it really simplifies the whole implementation
#
vika_nezrimaya
One microservice can be just THROWN OUT OF THE WINDOW
#
vika_nezrimaya
Combined with channels, this sets the stage for the ULTIMATE FEED EXPERIENCE IN KITTYBOX
#
vika_nezrimaya
MWAHAHAHA
#
Loqi
ahaha
#
vika_nezrimaya
laughs ominously
#
vika_nezrimaya
I'll take over the whole world with my CMS in no time!
#
vika_nezrimaya
(but right now I need to take over my server because it's running the old version still)
[tw2113] joined the channel
#
vika_nezrimaya
I just made a braindump into the issues, the best thing I could do right now for the future Vika to deal with: https://gitlab.com/vikanezrimaya/kittybox/-/issues/11
#
vika_nezrimaya
I should really use my GitLab more...
KartikPrabhu, kitt, jonnybarnes and nickodd joined the channel
#
vika_nezrimaya
sorted sets are really built for this kind of thing, but I think I might need some server-side pagination to make it blazing fast enough for feed views
#
vika_nezrimaya
I'll just implement it later, the performance feels reasonable enough for testing
#
vika_nezrimaya
I mean, with 100000 feed items it takes 0.7 seconds to get the whole feed, but it scales linearly and I don't see getting 100k posts in forseeable future
#
vika_nezrimaya
So with a more reasonable 2000 posts it takes on average 15 ms
#
vika_nezrimaya
scaling linearly since ZREVRANGEBYSCORE is O(log(n)+m), where n is the cardinality of the sorted set and m is the number of items requested
#
vika_nezrimaya
since I'm requesting the whole set it's basically O(log(n)+n) == O(n)
#
vika_nezrimaya
if I implement pagination I'm gonna cut it down to O(log(n)) since m is const
#
vika_nezrimaya
assuming the pagination will be efficient and use the rank of the last item on page as a pagination token
#
vika_nezrimaya
to a Micropub client that will be an implementation detail, to me it'll be a way to really optimise pagination - I'll be able to simply request limit+1 items every time and return posts[limit]'s timestamp (which is its ZRANK) as a pagination token
#
vika_nezrimaya
and boom, suddenly I have the perfect solution to the slow pagination problem
jonnybarnes, dckc and moppy joined the channel
#
vika_nezrimaya
accidentally broke everything
#
vika_nezrimaya
business as usual
jonnybarnes, dhanesh95 and [jgmac1106] joined the channel
#
jamietanna[m]
Aaronpk et al for the IndieAuth session later - what are your thoughts on adding https://github.com/indieweb/indieauth/issues/33 to indieauth-next? Thinking about making it so we can use existing OAuth2 clients where possible
#
Loqi
[jamietanna] #33 Why does the token endpoint not require the OAuth2-defined `active: true`?
jonnybarnes joined the channel
#
aaronpk
Seems reasonable, we can add it to the list, but I'd like to make sure we have time for everything else first
jeremych_, jonnybarnes, [James_Gallaghe], vika_nezrimaya and fauno joined the channel
#
Zegnat
I am still trying to figure out https://github.com/indieweb/indieauth/pull/53 in my head. I would love a whole session on just that ticket, hahaha
#
Loqi
[fluffy-critter] #53 Add recommendation to verify matching authorization_endpoint
#
Loqi
nice
#
Zegnat
[fluffy] have you considered joining the session today?
#
aaronpk
ok i have a rough agenda for the topics today, i ordered the items here https://github.com/indieweb/indieauth/milestone/1
#
sknebel
Zegnat: I probably won't be in the session actually, but we can discuss some of it now if you want?
#
Zegnat
I think I have two points to discuss on that one: 1) must the extra check always be done or can we safe the work for clients in some cases (e.g. where new profile URL is a subpath of the original profile URL?) and 2) must we still forbid the domain from changing when different URLs have a way to be checked.
#
sknebel
as I said I'm fairly strong "yes, must always be done if the URL changed in any way" for the first one
#
sknebel
I don't feel particularly comfortable defining a "this has to be safe" exception that won't break a realistic scenario, so given the (IMHO) little gain I'd rather err on the side of checking "too often"
floridafruitgeek joined the channel
#
sknebel
for 2 - might not be needed indeed (I think its ok to allow it), but that could be a second iterative change potentially.
geoffo joined the channel
#
Zegnat
I guess most of my ponderings are in the "what effects has this throughout the spec" category. I have no problems with making clients redo discovery on the returned profile URL when it is different from the originally discovered profile URL. That seems fine to me.
#
Zegnat
agenda seems fine to me aaronpk. I think there is still plenty discussion there
#
sknebel
I feel like 2) could especially be relevant in an location migration use case, but that'd be a bigger project
#
sknebel
and out of scope for that change
#
Zegnat
Agreed, it is not what the change set out to solve. But I like it if we can simplify any parts of the spec by having as few exceptions or alternative behaviours as possible. But completely fine with opening a seperate ticket for it after this gets merged.
[manton] joined the channel
#
[manton]
I’ve gotta say: I worry about shared domains even being supported in IndieAuth at all. It adds a lot of complexity.
#
aaronpk
i guess the problem is right now it's not disallowed, and as such there's a potential impersonation issue
#
[manton]
And it’s complexity that is kind of against IndieWeb principles, since you can’t fully own your identity on a shared domain.
vika_nez` joined the channel
#
sknebel
I think it would be a bad idea to restrict indieweb technologies out of academic/corporate environments due to purity of principle arguments
[tantek] and [tb] joined the channel
#
[tb]
Is this one going to be back on the docket today? https://github.com/indieweb/indieauth/issues/43
#
[tb]
Oh sorry didn't see aaronpk's message earlier
#
Loqi
[aaronpk] #43 Consider using OAuth Server Metadata
#
[tb]
Ignore me 🙂
#
[manton]
[sknebel] Academic/corporate environments can’t use subdomains? I agree we don’t want to be too restrictive, but again I worry about making IndieAuth much more complicated than it already is.
#
sknebel
Subdomains also are not "fully owned identity" - and it's much more about "won't" than "can't.
#
[manton]
If someone is using a library that handles everything, great, but if someone is rolling their own implementation, expecting them to follow 10 redirects and re-download the HTML to check links, etc… It’s a lot. 🙂
#
sknebel
I disagree. you already need to fetch a URL, follow redirects and look up a rel value for the initial discovery
#
sknebel
if you got that figured out, you can do it a second time.
#
sknebel
(I generally subscribe to HTTP requests being cheap, and that you've got bigger problems if they aren't)
geoffo and [fluffy] joined the channel
#
[fluffy]
[Zegnat] I didn’t know there’s a session but I have other stuff going on today
#
Zegnat
[fluffy]: aah, that is too bad. Yeah, we decided to do a follow up 2 weeks after the previous one
#
Zegnat
To get through the rest of the agenda
#
[fluffy]
And sknebel I agree, reducing HTTP transactions gets to be a micro optimization after a certain point, and micro optimizations are bugs in disguise
jonnybarnes joined the channel
#
[manton]
To be clear, I’m not talking about any cost of the request itself, but the client code complexity.
#
[fluffy]
I already implement that in Authl and the code complexity is very low
#
[fluffy]
Less complexity would mean not allowing URL changes at all
#
[fluffy]
Assuming domain ownership is extremely exclusionary and short-sighted.
[schmarty] joined the channel
#
[schmarty]
ponders a "scale of exclusion"
#
[fluffy]
Most of the complexity in my implementation comes from having to verify the URL itself due to redirections. Checking the endpoint matching is trivial, and reuses a function that already existed for the initial discovery.
#
[fluffy]
Also, if IndieAuth cannot be trusted on shared domains then it cannot be trusted, as there is no way to know if someone has implemented it on a shared domain.
#
[fluffy]
And then we’re back to the mess of having to allow/blocklist known-safe domains.
#
[manton]
If IndieAuth didn’t support shared domains, it wouldn’t be an issue. But I’m happy to drop the issue… Just wanted to voice my concern instead of ranting on the Zoom call about it. 🙂
#
[manton]
(I’m still having trouble with the potential security risk, but I trust y’all that it’s there.)
#
[fluffy]
Supporting shared domains is incredibly important IMO. The vast majority of academic homepages are tilde pages; university IT does not hand out subdomains for homepage hosting, and most students aren’t going to set up a dedicated server.
#
[fluffy]
There is a proof of concept at tilde.club/~fluffy
#
sknebel
and since you can't technically *block* shared domains, you'd rely on every implementation and documentation always warning users about not to use it in such situations, which IMHO is a terrible idea for a security feature
#
[fluffy]
Use that URL to sign in to indieweb.org as any tilde.club identity.
#
Zegnat
I think the argument there has always been that those students should be enabled to get a domain (which they could setup to forward to their tilde page). Because that way even when you quit the university, your identity moves along with you.
#
Zegnat
But as a folder-user myself, I totally see the use-case. I have always been using IndieAuth for my sub folder. And most of the time there are no problems. The fact that this opens up for imitations is a concerning though.
#
[fluffy]
Should, maybe. Can? Nope.
#
[fluffy]
Even if they can it requires more technical acumen. And they’d still need to be able to host the profile page in such a way it still canonicizes as the subdomain.
#
[fluffy]
Which means ensuring a temporary redirect, and validating that is way more complex code-wise (and still needs to be done, and is already in the spec)
#
[fluffy]
I would rather see more complexity on clients, which can use existing libraries and have more validation performed on them, than on users, who just want a dang webpage.
#
[fluffy]
And verifying that the endpoint matches is trivial and gives you more security guarantees on its own than verifying the canonical URL on its own
nickodd joined the channel
#
[fluffy]
Honestly the whole temporary vs permanent redirect thing is annoyingly complex, and verifying the domain doesn’t change is annoyingly complex, and neither of those do anything to guarantee endpoint integrity.
#
[fluffy]
But verifying that the endpoint never changes solves the same problems but way, way more easily.
#
[fluffy]
(Putting the onus on the endpoint to be correct, of course.)
#
Zegnat
The temporary redirects are there so you can have something as your profile URL even if that is not the resource where the auth endpoint is on. Which I think is the proper HTTP way of using that. Allowing you to switch systems without switching profile URL.
#
[fluffy]
Yeah I mean I agree that the redirection stuff needs to be there.
#
[fluffy]
To me it seems silly to debate that redirection validation is important but endpoint matching isn’t.
#
[fluffy]
Especially when verifying the final endpoint is just going to be calling the same function you did for initial discovery.
#
[fluffy]
It is literally impossible to write a client in such a way that it doesn’t have the means of discovering the endpoint from an arbitrary URL.
#
[fluffy]
like. That is fundamental to the protocol.
#
[tantek]
Oh hey IndieAuth popup in minutes!
#
[tantek]
Kinda wondering if the zoom is already started and people are coffee-charting ahead of the official start like the discussion above!
#
[fluffy]
How long will it go for? I still need to get out of bed.
#
[tantek]
coffee-chatting again lol
#
[fluffy]
Although I’ve already said everything I can say above.
#
[schmarty]
Oop I am not gonna be able to Popup today after all. Have fun all!! Looking forward to the notes!!
#
Zegnat
was so focussed on GitHub issue that he did not noticee Zoom going live
#
Zegnat
Documented a quick overview of what I said previously. as well as the mentions of not optimising for HTTP requests: https://github.com/indieweb/indieauth/pull/53#issuecomment-678661659
#
[tb]
Don't want to send the popup on a tangent for this so I'll post here while I remember — is there a reason why a defacto `read` scope hasn't been defined alongside `create`/`media`/`update`/`delete` here in https://indieweb.org/scope or used in any of the implementations listed out there?
[snarfed] joined the channel
#
GWG
[tb]: It has...in Microsub, not Micropub
#
GWG
[tb]: What purpose would it serve in Micropub or in your use case?
#
[tb]
Ah
#
GWG
We probably should address the wiki confusion though
#
[tb]
I was thinking on the MP query endpoint specifically
#
[tb]
I suppose there's not really anything you'd want to do against the Micropub query endpoint though without also wanting to do `create`-type things down the line though
#
[snarfed]
`read` would be useful for making full fledged authoring clients. key main use case is “show me my posts (and drafts)”
#
[snarfed]
you can get public posts from the site (h-feeds etc), but not drafts, private posts, feed locations aren’t standardized or guaranteed to contain all posts, etc
#
[snarfed]
more background on this kind of micropub-based authoring client: https://snarfed.org/posting-to-the-indieweb-from-your-phone
#
GWG
[snarfed], [tb] : Good point to add to the Micropub-extensions issue list then
[James_Gallaghe] and [chrisaldrich] joined the channel
#
Zegnat
I was discussing that with voxpelli over coffee last week. Where he brought up the - to me unknown - BREAD over CRUD debate. As in CRUD rules do not cover everything, you want BREAD, which includes "browse" as an action. http://paul-m-jones.com/post/2008/08/20/bread-not-crud/
#
[snarfed]
Zegnat++
#
Loqi
Zegnat has 26 karma in this channel over the last year (67 in all channels)
#
Zegnat
voxpelli++
#
Loqi
voxpelli has 2 karma over the last year
#
Zegnat
What is CRUD?
#
Loqi
CRUD refers to the ability to Create, Read, Update and Delete comments and posts https://indieweb.org/CRUD
#
Zegnat
What is BREAD?
#
Loqi
It looks like we don't have a page for "BREAD" yet. Would you like to create it? (Or just say "BREAD is ____", a sentence describing the term)
#
Zegnat
BREAD is http://paul-m-jones.com/post/2008/08/20/bread-not-crud/ refers to the ability to Browse, Read, Edit, Add and Delete, and alternative to [[CRUD]].
#
voxpelli
Zegnat++
#
Loqi
Zegnat has 27 karma in this channel over the last year (68 in all channels)
#
hirusi[m]
It's me again! Need some quick pointers/help on a specific Micropub request query.
#
hirusi[m]
Or maybe not, think I got it
jamietanna joined the channel
#
jamietanna
I guess you wouldn't necessarily introspect JWTs, as often Authorization Servers would issue a JWS rather than a JWE, so you'd be able to inspect the claims without introspecting it
#
Zegnat
Problems that solve themselves, we love those around here, hirusi[m]! :D
#
hirusi[m]
oh this is the first time I think I solved it myself lol, but glad to be a part of that gang :D
[Joe_Crawford] joined the channel
#
jamietanna
I quite like PAR as a way of simplifying the `request=eyJ...` https://connect2id.com/blog/request-objects-in-oauth-and-openid-connect especially for sensitive data, but hopefully that's not something we'll be doing _as much_
swentel joined the channel
#
Zegnat
For those in call, why we are refering to this thing called XYZ: https://oauth.xyz/
#
jamietanna
Cheers folks, that was a good session!
#
aaronpk
yeah! thanks for joining!
#
GWG
The IndieAuth session made me think more about Micropub
#
[fluffy]
I’m glad to have contributed, if only through chat before actually joining :)
#
hirusi[m]
There was a session today? Please don't say it was about Micropub! I'll be sorry to have missed it
#
sknebel
IndieAuth
#
GWG
hirusi[m]: Do you have a desire for another Micropub session?
#
GWG
Just out of curiosity?
#
hirusi[m]
IndieAuth...well this is nice to hear! Considering there was one just a while ago. :-)
#
GWG
hirusi[m]: This was part 2...we didn't finish last time
#
GWG
We didn't finish Micropub either actually. We still have querying for existing properties/queries/etc
#
aaronpk
what's a good label to put for this token introspection issue? "needs experimentation" or something
#
hirusi[m]
Oh really? I did drop in on the Micropub session I think but had to leave early + didn't have much to say re: the extensions themselves.
#
GWG
hirusi[m]: We didn't get to it, but the notes and video for what we did are all available.
#
hirusi[m]
Not sure, aaronpk. I can't comment on what the industry standard/defaults are, just that it confused me and would like to see it ironed out :)
#
aaronpk
hirusi[m]: what do you mean? what's confusing?
#
aaronpk
i was just talking about orgnanizing issues on github :)
#
hirusi[m]
Are we talking about issue #119 around Micropub?
#
aaronpk
i wasn't
#
hirusi[m]
Or something else 🙈
#
hirusi[m]
Ah ok, then disregard me please :)
#
GWG
hirusi[m]: There is obvious overlap between Micropub and IndieAuth as Micropub uses IndieAuth, but we weren't focused on anything Micropub specific today
#
sknebel
aaronpk: needs experimentation/needs information sounds good
#
sknebel
("revisit later" for the PAR one?)
#
aaronpk
that's better than my "future" label
#
aaronpk
okay, notes are on the wiki, issues are tagged, everything left in https://github.com/indieweb/indieauth/milestone/1 is my todo list for spec updates
#
Zegnat
Should we have opened a separate ticket for the changes needed around the auth endpoint verification step, aaronpk? Or is just the TODOs in the notes enough?
#
aaronpk
the notes are fine
#
Zegnat
Cool!
jonnybarnes joined the channel
#
Zegnat
Also if any PHP user would like to review my Selfauth changes to reflect the latest spec updates, I would love to get these merged! https://github.com/Inklings-io/selfauth/pulls
#
Zegnat
Or if anyone wants to have a go at writing a PR for PKCE... I am still not sure how I would do that one :(
#
swentel
anything specific you're having trouble with?
[tantek] joined the channel
#
GWG
I was trying to figure out if I should change how I generate my random tokens
#
Zegnat
Where do I store the secret? Selfauth is stateless, so would have to be in the state. But then you want it to be encrypted and there is not really anything in out-of-the-box PHP 5.6 that I would want to use for that encryption...
#
aaronpk
can you drorp 5.6 support yet?
#
swentel
use a session?
#
aaronpk
Zegnat: what are you using to store stuff for the authorization code? it's just one more thing to add to that list
#
[fluffy]
is there a requirement in PKCE that the stuff be encrypted, or does it just need to be signed?
#
sknebel
GWG: why? and what are you using currently?
#
aaronpk
it's a particular problem for selfauth because it's trying to be stateless
#
[fluffy]
like is there a secret that cannot be visible to the end user?
#
aaronpk
but also yes the pkce code verifier can't be returned in plaintext as part of the authorization code otherwise that defeats the protection that pkce provides
#
[fluffy]
okay, so this is something I'll have to keep in mind when I add that to Authl
#
[fluffy]
since Authl supports stateless operation (and Publ uses that mode by default)
#
Zegnat
Authorization codes are not stored, they have an embedded expiry time that is checked against a signature.
[dmitshur] joined the channel
#
[dmitshur]
Hi sknebel. I saw a notification about a question from you on GitHub, but can't see that message now.
#
GWG
sknebel: hash( 'sha256', wp_generate_password(128, true), true ), essentially.
#
sknebel
[dmitshur]: yep, deleted it because I saw it was already covered in the change and thus didn't actually need discussion from my POV
#
Zegnat
And the signature is your standard HMAC thing, which should be safe enough.
#
[dmitshur]
I see. To clarify though, I used it because I didn't understand a comment, not that I disagreed with it. A guess a comment would've been more clear.
#
Zegnat
But for those signatures Selfauth only needs 1 random secret (stored in APP_KEY) that gets set at installation. PKCE would require new randoms for each request, which does have storage requirements.
#
GWG
sknebel: WP updated to PHP5.6 and is staying there. I thought there were some new functions in 5.6 I might want to use.
#
Zegnat
Opened PR for further discussion on removing same domain requirement: https://github.com/indieweb/indieauth/pull/56
#
Loqi
[Zegnat] #56 Remove requirement for same domain
#
[fluffy]
with PKCE can you generate a new secret by hashing the APP_KEY along with something that's immutable throughout the transaction? Or is that not considered secure enough?
#
[fluffy]
like hash of app_key+state or whatever
#
sknebel
GWG: ah. I think the interesting ones are in PHP 7, BUT a) worth checking if wordpress is using them in wp_generate_password and b) there is a 5.6+ polyfill by paragonie: https://github.com/paragonie/random_compat
#
Loqi
[paragonie] random_compat: PHP 5.x support for random_bytes() and random_int()
[tw2113] joined the channel
#
[fluffy]
I guess that could be subject to attacks like multiple transactions started within a single second
#
sknebel
Zegnat: I *think* storing information about the PKCE code in the auth code would already help?
#
GWG
sknebel: It does not, but it's wp_rand function is pluggable.
#
sknebel
because the code_challenge is what the authorization server needs to be able to "remember" later
#
Zegnat
The simple PKCE
#
Zegnat
The simple PKCE idea is just hard with real stateless and no storage and no encryption...
#
Zegnat
So my mind kinda gave up and started to wonder if it is useful to try and figure out a solution. Or if I should do a PHP7+ implementation where I also merge in Mintoken.
#
sknebel
but if we put the PKCE code_challenge in the auth code
#
sknebel
someone who intercepts the code can see the challenge
#
sknebel
but they'd need to be able to reverse the hash used to be able to use the auth code
#
sknebel
well, PKCE with "plain" code challenge isn't helping then I guess, but the signed one is
#
GWG
Is hash_hmac preferable to hash?
#
sknebel
for generating "random" data no
#
GWG
Didn't think so
#
sknebel
aaronpk: oh hm. because it could be "none"?
#
aaronpk
Yes I believe so
#
aaronpk
which is interesting... if we disallow "none" for IndieAuth then maybe that'd be okay
#
sknebel
I feel like thats one of the few cases where a "SHOULD" might have been appropriate :D
#
sknebel
(especially since the alternative for selfauth is to ignore PKCE... which is worse)
#
sknebel
(client can't even tell if the server supports it, right?)
#
aaronpk
correct except if the server supports OAuth metadata
#
sknebel
okay, so I see an argument for ignoring that MUST, but you have a point
#
sknebel
(especially if the integration with token endpoint and thus wants storage anyways project is Zegnats alternative)
#
Zegnat
Note that scopes were not even included in the first version of Selfauth, because it was just for authentication. So in a world where IndieAuth is moving to even closer to zero stand-alone token endpoints than today, maybe Selfauth is moving towards overall deprecation anyway...
jonnybarnes, leg and geoffo joined the channel
#
aaronpk
i mean you can still implement just the authorization endpoint if you never have a use case for token endpoints
#
Zegnat
I guess I am just seeing fewer and fewer people who have that as the usecase? But I could be wrong.
#
aaronpk
rolling mintoken into selfauth probably does make sense tho, even if someone only ever uses it to log in to stuff
#
[fluffy]
I only really care about the authorization endpoint, FWIW.
#
[fluffy]
At least for any of my use cases.
#
[fluffy]
I’m also not doing Micropub yet though
krychu joined the channel; nickodd left the channel
#
Zegnat
I am just wondering what people use on the wider IndieWeb where they get away without a token endpoint. Telegram, indieweb.org, and webmention.io? Is that it? As soon as you start wanting to experiment with Aperture or Quill you are going to need tokens, and a bunch of other endpoints.
#
aaronpk
and logging in to the wiki :)
#
Zegnat
Yes, that was the middle example of the three ;)
#
aaronpk
i do suspect webmention.io has lots of users who don't use micropub or microsub tho
#
Zegnat
Possibly
#
aaronpk
i could actually scan all the websites and fine out
#
Zegnat
There is also a bit of eat-what-you-cook in here. The more I am thinking of moving away from Selfauth on my own site, the less likely I will be to do any upkeep on the code. And it already feels like many of the other collaborators on it have dropped off too
#
Zegnat
So PKCE might just be the last drop, haha
#
aaronpk
are you going to switch to something built in to your own site?
[chrisaldrich] joined the channel
#
Zegnat
aaronpk: my own site is static, so probably not integrated. But I want to switch to something that integrates the token endpoint and is written in modern PHP
#
Zegnat
Probably also with an interface for looking at and revoking tokens
#
aaronpk
that'd be cool
#
aaronpk
i still need to come up with a plan for replacing indieauth.com
#
Zegnat
Yeah, that is a tough one.
#
aaronpk
i'd prefer if other people made some good alternatives first tho :)
#
Zegnat
Whatever I end up building will probably still be single user. But I am planning to deploy with Dokku, so it *may* end up having a one-click Heroku deploy thanks to that.
#
Zegnat
But if you expect indieauth.com alternative to include relmeauth, you might be in for a longer wait, aaronpk. Not sure who wants to take on that pain
#
aaronpk
i'm not sure i want it to include relmeauth specifically, but I do want it to be usable without a password
#
aaronpk
i'm pretty happy with how indielogin.com handles twitter and github authentication now, so i'll probably provide those options still
#
Zegnat
That is something I have been thinking about a lot. But I am not sure what I want to swap password logins with. For instance, I got rid of email on my phone. So I cannot just email a link to myself.
#
aaronpk
i'd like to also support webauthn too, since it's integrated into browsers, it's a very nice experience once it's set up
krychu joined the channel
#
Zegnat
Another reason why I want to branch away from selfauth is testing more of that sort of stuff for login. I think Selfauth was great for doing what it does when it was written: dump it on any PHP host you happen to be using and it enables login to the indieweb.
#
Zegnat
It was not written to use libsodium for proper encryptions/signings, to offer multi-user or multi-login, etc.
#
sknebel
right, and PHP baseline is changing. PHP7 only is now more viable, and adds a lot
#
Zegnat
is tempted to start a project in PHP8 right now
[tantek] joined the channel
#
[tantek]
aaronpk++ for running the IndieAuth pop-up session! Thanks again!
#
Loqi
aaronpk has 68 karma in this channel over the last year (244 in all channels)
jonnybarnes and [Joe_Crawford] joined the channel
#
@pixelcrook
Testing retweet to try webmentions on new site
(twitter.com/_/status/1297303860986421248)
jonnybarnes joined the channel