#dev 2020-10-04

2020-10-04 UTC
#
GWG
Yes, I need to review that code and see if I can adjust it for that reality
#
Loqi
[aaronpk] #58 Allow clients to always exchange authorization codes at the token endpoint
#
Zegnat
I guess the only bit that may be a little confusing is that your response is different depending on whether the client is doing the code exchange against the auth or token endpoint. If I have a profile scope and exchange with the auth endpoint I do not expect an access_token back, but when I go with the exact same flow against the token endpoint I do expect one?
#
Zegnat
Seems a little odd...
#
GWG
I'm thinking for scopeless.. instead of throwing an error, the token endpoint just returns me
#
Zegnat
I like the idea of making token endpoint do the exact same as the auth endpoint. Might end up doing that myself.
#
Zegnat
goes to bed but Zegnat's brain continues the theory crafting of the new endpoint
#
GWG
Zegnat's Brain sounds like a great idea for a website
geoffo, KartikPrabhu, sp1ff and [chrisaldrich] joined the channel
#
GWG
!tell Zegnat https://indieauth.spec.indieweb.org/#profile-url-response - I missed it. No Scope or only Profile Scopes means no token.
#
Loqi
Ok, I'll tell them that when I see them next
geoffo, KartikPrabhu, [fluffy], cjav_dev, [James_Gallaghe], nickodd, oodani, moppy, dhanesh95, peterrother and gbmor1 joined the channel
#
Zegnat
GWG: I guess my question is what to do if the client requested a profile scope and then goes and exchanges it at the token endpoint rather than at the auth endpoint
#
Loqi
Zegnat: GWG left you a message 8 hours, 12 minutes ago: https://indieauth.spec.indieweb.org/#profile-url-response - I missed it. No Scope or only Profile Scopes means no token.
#
Zegnat
I will file an issue to discuss after breakfast
#
Zegnat
GWG see also https://indieauth.spec.indieweb.org/#example-11 where a token is issued with profile in the scope
jeremych_ joined the channel
#
GWG
Zegnat: If I read it correctly, it would only return the me/profile parameters and wouldn't issue a token.
#
GWG
That's the way I rewrote it. Awaiting review now
#
jeremycherfas
Time to process my logs with bise; I wish I knew enough to automate this. It no longer hurts, but it is still almost entirely manual.
swentel and KartikPrabhu joined the channel
#
Zegnat
GWG, I hope this makes my comments a little more clear: https://github.com/indieweb/indieauth/issues/62
#
Loqi
[Zegnat] #62 Clarification on issuing token with profile scope
#
Zegnat
I feel like the spec leaves it up to interpretation whether token endpoints should issue tokens with profile scopes or not
lexly and OhTheCode joined the channel
#
Zegnat
And a shorter comment here, from my reading, token endpoints should currently grant access tokens even if the only scope requested is profile: https://github.com/indieweb/indieauth/issues/58#issuecomment-703260485
#
Loqi
[Zegnat] > Token endpoints need to be aware that they should **not issue an access token if** no scope or **only profile scopes are issued** [...] Emphasis by me. When I was writing up #62 and rereading this issue, I realised that this does not seem to be ...
#
Zegnat
These are typical things that I did not notice on my final big read through, but am noticing now that I am playing around implementing the spec again
#
aaronpk
implementation++
#
Loqi
implementation has 1 karma over the last year
strugee and [mapkyca] joined the channel
#
Zegnat
wonders if any client is doing PKCE yet for testing
#
swentel
I think quill supports it
#
swentel
indigenous for android handles it too
#
GWG
Quill does support it
#
GWG
As for implementation, I refused in my update to issue a token with just profile/email scopes
#
GWG
That was my choice
#
GWG
But I stand ready to adjust should some clarification enter the spec
#
GWG
I was going to try a PR to Quill to request the profile scope to restore the functionality it had under the experimental profile support
[tb] joined the channel
#
[tb]
I’ve done PKCE in Stilus now
#
[tb]
The implementation was fairly straightforward https://github.com/singulum/stilus/tree/main/pages/api/auth
#
[tb]
It's actually about all Stilus does so far lol
#
Zegnat
I am obsessively documenting error responses in my code now, because I always get them wrong.
#
[tb]
Yeah error cases are what I still need to do on that code I linked
#
Zegnat
For me it is more like PKCE RFC 7636 tells me what error responses to give on faulty requests, but OAuth 2.0 RFC 6749 tells me how to actually send the error response, and everything just gets jumbled super easily.
#
Zegnat
[insert something about OAuth 2.1 being great for combining it all into one document again]
#
@_WaylonWalker
↩️ Love your implementation of webmention
(twitter.com/_/status/1312799851734761474)
[fluffy], [tw2113], lahacker, [James_Gallaghe], geoffo, [chrisaldrich], KartikPrabhu and NinjaTrappeur joined the channel; nickodd left the channel