#dev 2020-10-04

2020-10-04 UTC
# 00:00 
GWG Yes, I need to review that code and see if I can adjust it for that reality
# 00:01 
GWG I could also support https://github.com/indieweb/indieauth/issues/58 now
# 00:01 
Loqi [aaronpk] #58 Allow clients to always exchange authorization codes at the token endpoint
# 00:02 
Zegnat I guess the only bit that may be a little confusing is that your response is different depending on whether the client is doing the code exchange against the auth or token endpoint. If I have a profile scope and exchange with the auth endpoint I do not expect an access_token back, but when I go with the exact same flow against the token endpoint I do expect one?
# 00:02 
Zegnat Seems a little odd...
# 00:02 
GWG I'm thinking for scopeless.. instead of throwing an error, the token endpoint just returns me
# 00:03 
Zegnat I like the idea of making token endpoint do the exact same as the auth endpoint. Might end up doing that myself.
# 00:03 
Zegnat goes to bed but Zegnat's brain continues the theory crafting of the new endpoint
# 00:10 
GWG Zegnat's Brain sounds like a great idea for a website
geoffo, KartikPrabhu, sp1ff and [chrisaldrich] joined the channel
# 01:54 
GWG !tell Zegnat https://indieauth.spec.indieweb.org/#profile-url-response - I missed it. No Scope or only Profile Scopes means no token.
# 01:54 
Loqi Ok, I'll tell them that when I see them next
geoffo, KartikPrabhu, [fluffy], cjav_dev, [James_Gallaghe], nickodd, oodani, moppy, dhanesh95, peterrother and gbmor1 joined the channel
# 10:07 
Zegnat GWG: I guess my question is what to do if the client requested a profile scope and then goes and exchanges it at the token endpoint rather than at the auth endpoint
# 10:07 
Loqi Zegnat: GWG left you a message 8 hours, 12 minutes ago: https://indieauth.spec.indieweb.org/#profile-url-response - I missed it. No Scope or only Profile Scopes means no token.
# 10:08 
Zegnat I will file an issue to discuss after breakfast
# 10:10 
Zegnat GWG see also https://indieauth.spec.indieweb.org/#example-11 where a token is issued with profile in the scope
# 11:50 
@mmorpgdotnews Chris wrote this amazing article https://daily-dev-tips.com/posts/goodbye-comments-welcome-webmentions-%F0%9F%99%8B%F0%9F%8F%BC%E2%80%8D%E2%99%82%EF%B8%8F/ via @DailyDevTips1 disqus going to die?! (twitter.com/_/status/1312720617997729792)
jeremych_ joined the channel
# 12:16 
GWG Zegnat: If I read it correctly, it would only return the me/profile parameters and wouldn't issue a token.
# 12:16 
GWG That's the way I rewrote it. Awaiting review now
# 12:21 
jeremycherfas Time to process my logs with bise; I wish I knew enough to automate this. It no longer hurts, but it is still almost entirely manual.
swentel and KartikPrabhu joined the channel
# 13:37 
Zegnat GWG, I hope this makes my comments a little more clear: https://github.com/indieweb/indieauth/issues/62
# 13:38 
Loqi [Zegnat] #62 Clarification on issueing token with profile scope
# 13:38 
Zegnat I feel like the spec leaves it up to interpertation whether token endpoints should issue tokens with profile scopes or not
lexly and OhTheCode joined the channel
# 14:04 
Zegnat And a shorter comment here, from my reading, token endpoints should currently grant access tokens even if the only scope requested is profile: https://github.com/indieweb/indieauth/issues/58#issuecomment-703260485
# 14:04 
Loqi [Zegnat] > Token endpoints need to be aware that they should **not issue an access token if** no scope or **only profile scopes are issued** [...]
Emphasis by me. When I was writing up #62 and rereading this issue, I realised that this does not seem to be ...
# 14:10 
Zegnat These are typical things that I did not notice on my final big read through, but am noticing now that I am playing around implementing the spec again
# 14:11 
aaronpk implementation++
# 14:11 
Loqi implementation has 1 karma over the last year
strugee and [mapkyca] joined the channel
# 15:25 
Zegnat wonders if any client is doing PKCE yet for testing
# 15:27 
swentel I think quill supports it
# 15:27 
swentel indigenous for android handles it too
# 15:28 
GWG Quill does support it
# 15:28 
GWG As for implementation, I refused in my update to issue a token with just profile/email scopes
# 15:29 
GWG That was my choice
# 15:29 
GWG But I stand ready to adjust should some clarification enter the spec
# 15:31 
GWG I was going to try a PR to Quill to request the profile scope to restore the functionality it had under the experimental profile support
[tb] joined the channel
# 15:39 
[tb] I’ve done PKCE in Stilus now
# 15:41 
[tb] The implementation was fairly straightforward https://github.com/singulum/stilus/tree/main/pages/api/auth
# 15:42 
[tb] It's actually about all Stilus does so far lol
# 15:44 
Zegnat I am obsesively documenting error reponses in my code now, because I always get them wrong.
# 15:46 
[tb] Yeah error cases are what I still need to do on that code I linked
# 15:53 
Zegnat For me it is more like PKCE RFC 7636 tells me what error responses to give on faulty requests, but OAuth 2.0 RFC 6749 tells me how to actually send the error response, and everything just gets jumbled super easily.
# 15:54 
Zegnat [insert something about OAuth 2.1 being great for combining it all into one document again]
# 17:05 
@_WaylonWalker ↩️ Love your implementation of webmention (twitter.com/_/status/1312799851734761474)
[fluffy], [tw2113], lahacker, [James_Gallaghe], geoffo, [chrisaldrich], KartikPrabhu and NinjaTrappeur joined the channel; nickodd left the channel