#dev 2020-10-03

2020-10-03 UTC
sebbu
oh, i thought the channel transformed into a NSFW one
geoffo, nickodd, sp1ff, KartikPrabhu, moppy, peterrother, dckc, jamietanna, NinjaTrappeur, sebbu2, shoesNsocks1, [tantek], zootella, skalnik, [schmarty] and [tb] joined the channel
[tb]
Actually did want to bring this over here now that I brought it up [Zegnat]
[tb]
So re: audience
[tb]
That's kind of what I was thinking — my IndieAuth token endpoint actually generates JWTs today so I can use them from other services of mine. I was thinking it might be good to start putting the `aud` claim in them, and so perhaps for each scope I just have a mapping of URLs that would be added to that claim
[tb]
And so `create`, `post`, etc. might all map to my Micropub endpoint, but maybe `webmentions:admin` would map to my backend webmention service
Zegnat
Sure. But also note that if your Micropub endpoint is somewhat integrated with your IndieAuth solution, you do not actually need it to use create/post/... at all. Your IndieAuth provider could translate create into create:private create:public create:group create:dm whatever. And put those scopes on the token instead of create.
Zegnat
Lots of possibilities. You could also just have separate UI in your IndieAuth flow where you can select audience values to assign. Even if they were not specifically requested by the application
leg, lexly and [tb] joined the channel
[tb]
Ah yeah lots of options there
geoffo, leg, deltab, KartikPrabhu, [schmarty] and shoesNsocks1 joined the channel; nickodd left the channel
GWG
aaronpk: Shouldn't the changelog also mention that grant_type is now required when posting to the authorization endpoint?
GWG
Because that is also a breaking change, technically speaking.
aaronpk
i suppose so! I didn't realize it was optional before
GWG
aaronpk: It was nonexistent.
GWG
aaronpk: If you look at the W3C version of the spec, it says to verify an authorization code, which is the previous post option to the authorization endpoint, section 5.4 of the W3C edition, you only needed code, client_id, and redirect_uri
GWG
This was before the option for independent token/authorization endpoints was dropped from the spec
GWG
So, anyone who implemented it that way would get an issue if they start requiring grant_type
GWG
The token endpoint always required it
GWG
Excuse me, section 6.3.2 of the W3C edition
GWG
I'm going to do the same thing I did with response_type... make it work, but put in a notice that I will eventually require it
GWG
But same issue, with someone not being aware of a possibly breaking change.
GWG
I'm going over every part of the flow as I make these changes. This time, I'm adding comments to the code to remind myself in future what I was trying to do
aaronpk
can you file issues on github when you find stuff like this?
aaronpk
i can't do this change right now
GWG
aaronpk: Will do, stepping out, will file on return
GWG
I just asked to make sure I wasn't confused
Zegnat
Hmm, I forgot how many of those parameters were made optional for the id request :/
aaronpk
there should be almost nothing different between the two requests now other than the scopes requested
Zegnat
Now yes, then no, haha
geoffo joined the channel
GWG
If you don't need an access token, would you ever ask for scopes?
Zegnat
Possibly, profile scope
GWG
I have to make some modifications to my code to cover that.
GWG
Zegnat: Other than profile scope, anything? I may want to lock it down
GWG
Conversely... if it is only profile scope, is there a use case for getting a token with just a profile scope?
Zegnat
I would probably issue a token even with just profile. I guess it would enable someone to refetch the profile information using the token instead of having to request a code exchange anew.
Zegnat
I think the only take-away from the spec is that scope is optional because sometimes people just want to validate once. And when scope was empty in the first request, you should not issue them a token at all. But that is it. So before the code exchange step you should not really care about whether scope is empty or filled in