#dev 2020-11-19

2020-11-19 UTC
#
@simonw
Implementing IndieAuth for Datasette - inspired by a weekend spent at IndieWebCamp East Coast #indieweb https://simonwillison.net/2020/Nov/18/indieauth/
(twitter.com/_/status/1329223093311574017)
#
@simonw
↩️ IndieAuth is essentially the spiritual successor to OpenID - it lets you use your own domain name to sign-in to services in a decentralized fashion Since Datasette actively encourages deploying brand new web applications to new URLs on a whim, it's a great fir for authentication
(twitter.com/_/status/1329232167851814912)
maxwelljoslyn, [tantek], nickodd, KartikPrabhu and [chrisaldrich] joined the channel
#
@blaine
↩️ In the meantime, IndieAuth is, imho, a step backwards. OAuth/OIDC sign-in with login_hint works *great*; the lack of auto-/no-registration / a public key version is a real bummer, though.
(twitter.com/_/status/1329271750924800000)
#
@simonw
↩️ I'm intrigued by the IndieAuth thing where you can input a domain but your final identifier is a page specific to you on that domain - seems like it could help avoid users having to register their own domain or remember their full URL
(twitter.com/_/status/1329272943474397184)
#
@blaine
↩️ (specs exist, but no-one uses it; I really wish IndieAuth was something we could realistically add support for on e.g. Conde sites, but the "you must register your own domain" aspect makes it virtually impossible)
(twitter.com/_/status/1329272420025339904)
#
@aaronpk
↩️ This one I’m really confused on, and we should probably chat about it to clear things up. IMO OIDC is more of a barrier here because the default is that clients need to register. With IndieAuth there is no expectation of client registration at all.
(twitter.com/_/status/1329277964400267265)
#
@simonw
↩️ I thought that was valid with RelMeAuth but not IndieAuth - how can I get that working as an IndieAuth client?
(twitter.com/_/status/1329277698569428992)
#
@aaronpk
↩️ There is no obligation that you have to register your own domain for IndieAuth to work. I’ve talked about this at ActivityPub Conference showing how they can use IndieAuth to enable a standards-based app ecosystem for ActivityPub/Mastodon apps. That of course uses shared domains.
(twitter.com/_/status/1329277462530772993)
#
@aaronpk
↩️ so it turns out this works. I can type in “aaron@parecki.com” in an indieauth prompt and it works. because that is a URL.
(twitter.com/_/status/1329277149975511041)
#
@aaronpk
↩️ Email addresses *are* domain-based auth. I think you’re conflating two different parts of the system. In IndieAuth, the canonical user identifier doesn’t have to be the thing the user enters in a login prompt. This is also true for almost every other authentication system.
(twitter.com/_/status/1329280422295977984)
#
aaronpk
well that waS FUN
#
aaronpk
this caps lock key is way too easy to bump on man ipad
#
aaronpk
gives up
treora joined the channel
#
@ozaed
↩️ I use DNSSEC since 6+ years, while I have seen many auth protocols come and go. And 'IndieAuth' I first heard today.
(twitter.com/_/status/1329303439722033154)
[tantek] joined the channel; nickodd left the channel
#
[tantek]
aaronpk++ good persistence with short and specific points
#
Loqi
aaronpk has 67 karma in this channel over the last year (227 in all channels)
#
Zegnat
I would love to know why they think IndieAuth is a step backwards, when the problem with OAuth is the lack of registration. IndieAuth is an extension to OAuth that basically patches that, if you were to ask me
maxwelljoslyn, swentel, schmudde, jjuran, gxt, jeremych_, [Raphael_Luckom], geoffo, [tantek] and [Aaron_Klemm] joined the channel
#
[Aaron_Klemm]
He also said he's "pro IndiAuth" so there's a bit of talking out both sides of the mouth there
#
[Raphael_Luckom]
Does anyone have a good resource to share on strategies of content organization? Right now my hugo-generated blog has next post / previous post links on each post. That's cool, but what if I wanted to publish "list of posts with tag X"--when you go to those posts, should they still have previous / next links in the context of their chronological order? I'm sure there are some library-science-y practices for doing this, but I don't know
#
[Raphael_Luckom]
where to look for them.
[KevinMarks] joined the channel
#
[KevinMarks]
I think a "next with this tag" could make sense, assuming that time ordering for them is clear, but if a post has multiple tags that's confusing. By default doesn't Hugo make you paginated list pages per tag, so you can have summary there ang click through?
#
[Raphael_Luckom]
Yeah, that's how it works, but I think that once you click through a tag-list link, you land on a post whose 'next' is not in the context of the list you clicked through--I think your idea of "next with this tag" is exactly what I was getting at--it seems like what I want, but it also seems like it would get confusing in exactly the way you described.
#
sknebel
I like how cweiske does it on his site, although it is a bit busy: https://cweiske.de/tagebuch/android-root-adb.htm
#
Loqi
[Christian Weiske] Getting ADB root access on a Tolino
#
@autiomaa
Good article about the future of web authentication methods, together with implementation details. "IndieAuth is a spiritual successor to OpenID, developed and maintained by the IndieWeb community and based on OAuth 2."
(twitter.com/_/status/1329464376106119175)
#
[Raphael_Luckom]
Oh, with the sidebar that has a few different contexts, that's really cool, I might copy that
#
petermolnar
[Raphael_Luckom]: re content organisation: if I'm not mistaken we had a session where adactio (?) talked a bit about taxonomy, folksonomy, etc; the notes are on https://indieweb.org/2018/Berlin/datalake but they look a lot more vague than I remember. That, or it was another session.
#
[Raphael_Luckom]
cool thanks!
#
[Raphael_Luckom]
The links in that session got me to finally go read the 1945 essay "As We May Think" (https://www.theatlantic.com/magazine/archive/1945/07/as-we-may-think/303881/) and so far it's a banger
reed joined the channel
#
[tantek]
[Raphael_Luckom] sounds like you're looking for Information Architecture 🙂
#
[tantek]
what is navigation
#
Loqi
Navigation refers to the UI, UX and markup allowing people to move around a website https://indieweb.org/navigation
#
[tantek]
what is archive navigation?
#
Loqi
archive navigation is UI specifically for navigating archives, often organized by time period https://indieweb.org/archive_navigation
#
[tantek]
^ lots more there [Raphael_Luckom]
#
[Raphael_Luckom]
thanks, yeah that's it
#
Zegnat
[Simon_Willison] great point there on the spec maybe not clearly defining what would be accepted and what not for people to enter as a login URL. I have tried to capture the thoughts here: https://github.com/indieweb/indieauth/issues/65
#
Zegnat
Do comment there if you think there is more to add!
#
Loqi
[Zegnat] #65 Clarify that discovery does not neccessarily start at a Profile URL
[Murray], [chrisaldrich], [tw2113_Slack_], [Aaron_Klemm] and [Simon_Willison] joined the channel
#
[Simon_Willison]
Oh I think I've spotted a spec confusion: "The resulting profile URL MAY be different from the canonical profile URL as resolved by the client, but MUST be on the same domain." - that's a security issue right? The problem is that the final JSON returned by the profile URL response https://indieauth.spec.indieweb.org/#profile-url-response could have anything in the "me" field - it's up to my client implementation to verify that the "me"
#
[Simon_Willison]
URL is on the correct domain and reject it otherwise
#
[Simon_Willison]
I missed that subtlety (I think I assumed this MUST was a requirement for the auth server, not the client) which means I have a pretty nasty security hole in my implementation!
#
[Simon_Willison]
Would definitely benefit from the spec emphasizing that! Also, what does "MUST be on the same domain" mean?
#
[Simon_Willison]
Does that include sub domains?
#
[tantek]
it feels like we're getting pretty close to needing a test suite for stuff like this
#
[tantek]
what is indieauth.rocks?
#
Loqi
It looks like we don't have a page for "indieauth.rocks" yet. Would you like to create it? (Or just say "indieauth.rocks is ____", a sentence describing the term)
#
aaronpk
hmm if i had to prioritize building a test suite or building a replacement for indieauth.com, which would be better to do before the end of the year?
#
[tantek]
test suite for sure
#
aaronpk
why for sure?
#
[tantek]
because that accelerates enabling other implementations like Simon's
#
[tantek]
and strengthens interop
#
[tantek]
might even cause the need to disappear to build a replacement for indieauth
#
[tantek]
because it scales to enabling someone(s) to build it
#
aaronpk
enabling others to build things is a good idea
#
[tantek]
good test suites enable exponential increase in development / implementation without exponential costs in comms
#
[Simon_Willison]
I had to figure out how to install Wordpress to help test my implement- thankfully that's only a few clicks on DigitalOcewn even if your PHP ecosystem knowledge is as rusty as mine
#
[Simon_Willison]
But... I had two bugs that showed up the moment other people tried it https://github.com/simonw/datasette-indieauth/commits/0.3.2
#
[Simon_Willison]
Question: “The resulting profile URL _MAY_ be different from the canonical profile URL as resolved by the client, but _MUST_ be on the same domain.” - what are the rules for “on the same domain”? Do I just need to look at the whole domain portion of the URL e.g. `www.example.com` or should I consider `foo.example.com` to be on the same domain as well?
#
[Simon_Willison]
it’s not 100% clear from that section if subdomains count as the “same domain” or not
#
[Simon_Willison]
I think there may be a need for new terminology in the spec: it talks about “User profile URLs” and “Client identifier URLs” - but there’s also the thing-that-the-use-typed-in-the-first-place - I’d been assuming that was the user profile URL but it’s not, for two reasons: 1. the final user profile URL may differ from what they typed in and 2. `foo@exmaple.com` is a valid initial input URL even though the rules for user pro
#
[Simon_Willison]
that the `username@` bit isn’t valid
#
[Simon_Willison]
Maybe the spec needs something like a “user input URL” to cover that?
#
aaronpk
that's a good idea
#
[tantek]
for phrases like "same domain" would IndieAuth be able to re-use (and cite) "same origin" terminology like used elsewhere in lots of Web APIs?
#
[tantek]
or do we explicitly want / mean something different than same origin?
#
aaronpk
we should use the same terminology when possible yes
#
aaronpk
it's not quite the same situation as browser concerns but still basically the same
#
Loqi
totally
#
[Simon_Willison]
so “same domain” does include subdomains yeah? Or is `example.com` the same domain as `foo.example.com` BUT `bar.example.com` is not the same domain as `foo.example.com`?
#
aaronpk
i'm going to have to double check but I think the intent was full hostname match, not allowing subdomains to differ
#
[tantek]
this is why I'd lean towards re-using "same origin" unless we have a specific use-case otherwise
#
aaronpk
as soon as you want to allow subdomains to differ you have to bring the whole list of what exactly is a TLD, which isn't straightforward
#
[Simon_Willison]
Also, does this mean that it wouldn’t be safe for me to deploy my own indentity provider implementation to Glitch since all Glitch apps share the same domain? If I deployed an identity provider at `simon-indieauth.glitch.me` then someone else could deploy `evil-indieauth.glitch.me` and return a `"me"` value of `simon-indieauth.glitch.me` from it, stealing my identity
#
[tantek]
aaronpk, presumably I should be able to enter example.com and be logged in as tantek.example.com per all the services
#
aaronpk
e.g. user1.co.uk and user2.co.uk are not considered to be under the same domain because co.uk is in the public suffix list
#
[Simon_Willison]
Oh wow! That means implementations need to ship with a copy of the public suffix list
#
[Simon_Willison]
which is possible but definitely needs to be called out in the specification
#
aaronpk
that's why i'm thinking that's not a good idea
#
aaronpk
and i don't think that was our intent
#
aaronpk
but i also don't remember exactly whether or not it was the intent
#
[tantek]
we should be encouraging user subdomains instead of paths
#
[tantek]
pretty sure we have good docs on why
#
aaronpk
i'm not thrilled on requiring clients to have to ship with the public suffix list
#
aaronpk
if it was something an authorization server had to do i woudl feel differently
#
[tantek]
like we should not make it *harder* to return tantek.example.com instead of example.com/tantek when I sign-in with "example.com"
#
aaronpk
didn't this come up with micro.blog?
#
[tantek]
that's the subdomain use-case I think that's important
#
[tantek]
what is a subdomain
#
Loqi
A subdomain typically refers to a domain with one more "name(dot)" component than that which someone actually has registered which is often seen indieweb sites with a family name domain like joel(dot)franusic(dot)com, or often on silos like matt(dot)wordpress(dot)com https://indieweb.org/subdomain
#
Zegnat
I am pretty sure intent was literal hostname match. But I would have to see if I can find a good citation for that. Definitely worth mentioning though.
#
Zegnat
Of course that goes away if we chose to not care at all, and always check the `me` response as per the issue I linked
#
aaronpk
ah right that would be a much cleaner solution to all of this
#
Zegnat
https://github.com/indieweb/indieauth/pull/56 removes the "MUST verify that the canonical profile URL is on the same domain"
#
Loqi
[Zegnat] #56 Remove requirement for same domain
#
Zegnat
Might be able to clean that up some more. I think we may be able to drop multiple references to "profile URL" throughout, if we chose to only call the User Identifier (the `me` response) a "profile URL"
#
sknebel
I prefer that approach too (totally lost track of that PR, sorry)
#
[Simon_Willison]
This kind of thing needs to be really clear in the spec - we don’t want to fall into the same trap as JWT where the same security hole (alg=none) shows up in multiple implementations
[KevinMarks] joined the channel
#
aaronpk
i think that PR solves the security concern but in a cleaner way. and it means the subdomain thing works too
#
Zegnat
I did not specifically think about subdomains back when we were discussing that change (also because to me domain == hostname, thus every subdomain is a new domain). But yeah, no reason it doesn't also addresses that.
#
[Simon_Willison]
I'm going to implement same domain including same subdomain first since that closes my security hole, I'll do subdomain matching later (once I understand the public suffix list issue)
#
aaronpk
with the change in that PR, there is no need to bring in the public suffix list
#
[KevinMarks]
If we got, say, blogger to support indieauth, accepting [user].blogspot.com makes sense.
#
Zegnat
He, I was just checking the WHATWG URL spec, and honestly, that did not really make it more clear what "domain" refers to :P
#
Zegnat
sub.www.example.com is a "host" that has the "registerable domain" of example.com. So the URL spec uses the term "registerable domain" to refer to domains minus subdomains.
#
Zegnat
They too say to use the term origin for security: https://url.spec.whatwg.org/#warning-avoid-psl
#
Zegnat
I think for IndieAuth it would be easier to just get rid of any verbage that talks about comparing domains. It isn't neccessary. I might try to expand my PR tomorrow if that sounds like a good way forward.
schmudde joined the channel
#
sknebel
yes, please do
#
sknebel
(and feel free to ping me for discussion/review... I somehow thought we had landed this already)
#
sknebel
[Simon_Willison]++ for very good feedback!
#
Loqi
[Simon_Willison] has 5 karma over the last year
#
[Simon_Willison]
I’ve released a security fix in 1.1, plus a GitHub security advisory warning against using version 1.0 https://github.com/simonw/datasette-indieauth/security/advisories/GHSA-mjcr-rqjg-rhg3
#
@simonw
↩️ Spotted a critical security vulnerability it datasette-indieauth - I've shipped v1.1 with a fix and posted a security advisory to the repo on GitHub here https://github.com/simonw/datasette-indieauth/security/advisories/GHSA-mjcr-rqjg-rhg3
(twitter.com/_/status/1329530678443032577)
[Raphael_Luckom] joined the channel
#
[Raphael_Luckom]
This is very impressive incident response.
#
[Simon_Willison]
Another question… “It MUST follow any permanent redirections from this URL to discover the canonical profile URL, in the same manner as initial profile URL discovery.”
#
[Simon_Willison]
What about temporary redirects?
#
[Simon_Willison]
I’m currently planning to follow 301s (up to a limit of 5) but throw an error if I encounter a temporary redirect - is that the right thing to do?
#
[Simon_Willison]
It refers back to https://indieauth.spec.indieweb.org/#discovery-by-clients which says:
#
[Simon_Willison]
not modify the canonical profile URL, nor do subsequent permanent redirects
#
[Simon_Willison]
> Clients _MUST_ follow HTTP redirects (up to a self-imposed limit). If one or more successive HTTP permanent redirects (HTTP 301 or 308) are encountered starting with the very first request, the client _MUST_ use the final permanent redirection’s target URL as the canonical profile URL. If any other redirection (such as HTTP 302, 303, or 307) is encountered, it must still be resolved for endpoint discovery, but this redirection does
#
[Simon_Willison]
Should I follow the exact same rules for verifying the “me” value at the end of the flow? The language there only mentions “permanent redirections” but then says “in the same manner as…”
rawtext joined the channel
#
sknebel
strike the "permanent"
#
sknebel
that was TODO to be changed after the session, cf https://indieweb.org/2020/Pop-ups/IndieAuth#Issue_53
#
[KevinMarks]
Is that making the 301 "cache the new" and 302 "cache the old" distinction? If so it may make sense to make that explicit.
#
sknebel
ping aaronpk: seems like that TODO didn't get resolved
#
aaronpk
isn't that all pending merging Zegnat's PR?
#
sknebel
or rather, I would have expected that to be resolved independently of an to-be-discussed PR
#
sknebel
(which it was at that point)
#
sknebel
and "do you follow redirects or not" is still relevant after Zegnats PR
#
sknebel
so no, IMHO not pending, and the language in the spec right now is clearly not good.
#
aaronpk
hm ok i'll have to read closer
#
sknebel
I'd say remove the "permanent" [Simon_Willison] pointed out as being confused and that bit is good, given we decided in the discussion in the session how to resolve it
#
sknebel
afk for ~10h, sleeping :D
#
[Simon_Willison]
so 302 and 301 should be treated the same?
#
sknebel
I'd say so
#
[Simon_Willison]
That does simplify my implementation if I just need to follow-all-
#
[Simon_Willison]
follow-all-redirects and treat the final URL as the canonical URL
#
[Simon_Willison]
(The Python httpx library already throws an exception for me after a maximum number of redirects, which is good)
#
sknebel
no updating the user URL at that point
#
sknebel
just follow all redirects and compare the endpoint urls
#
[Simon_Willison]
Aah OK, so my final step is “look at the `"me"` URL returned by the authorization server, fetch that URL, follow all redirects and confirm that it has the same `rel="authorization_server"` that I started with”
#
sknebel
confirming that whatever is behind the "me" URL trusts the same endpoint
#
[Simon_Willison]
But I still need to differentiate between 301 and 302 in the code I’m writing that resolves the canonical URL for the user profile at the start of the flow?
#
sknebel
id say so
#
[Simon_Willison]
The difference between temporary and permanent URLs is turning out to be the hardest part of the spec to implement - PCKE was actually pretty simply in comparison
#
sknebel
so, really gone now, hope aaronpk can help maybe
#
[Simon_Willison]
thanks for the tips!
schmudde, [schmarty], geoffo and [chrisaldrich] joined the channel
#
[Simon_Willison]
New release with those changes - it now follows permanent/temporary redirects correctly and verifies that the `authorization_endpoint` from the final `me` value matches the endpoint from the start of the flow https://github.com/simonw/datasette-indieauth/releases/tag/1.2
#
@simonw
↩️ Here's datasette-indieauth 1.2 with improvements to how the code follows and verifies redirects https://github.com/simonw/datasette-indieauth/releases/tag/1.2
(twitter.com/_/status/1329565075225526272)
[tantek] joined the channel
#
[Simon_Willison]
Had a thought about an IndieAuth test suite: turns out lots of my test code consists of mocked HTTP responses https://github.com/simonw/datasette-indieauth/blob/1.2/tests/test_indieauth.py
#
[Simon_Willison]
That way every implementation could share the same test suite - would make spinning up new correct implementations MASSIVELY easier
#
[Simon_Willison]
How about a language-agnostic IndieAuth test suite consisting of a folder full of mocked HTTP requests, maybe in JSON? Plus data showing the expected result for signing in with a specific me= URL?
#
aaronpk
that's an interesting idea
#
aaronpk
i was going to approach it more like webmention.rocks and micropub.rocks where it's an interactive tool that can play each role and different test numbers do different things
#
[Simon_Willison]
I'd like an interactive tool too - but a static folder of mock requests is easier to integrate into CI
#
aaronpk
i wonder if i could have the interactive tool work by reading static mock requests
#
aaronpk
i'll give this some thought
#
vilhalmer
I really like that idea
#
vilhalmer
would have been super useful when testing my implementation to avoid having to patch a live endpoint on my site through to my laptop haha
#
vilhalmer
(though doing that has a certain fun aspect as well…)
#
aaronpk
i do that a lot too haha
#
sebbu
aaronpk, i've finished investigating why i had ssl errors on my site (and it's probably the cause why some services didn't worked with it)
#
[Simon_Willison]
https://github.com/twitter/twitter-text/tree/master/conformance is an interesting example of a cross-language test suite, using YAML
#
sebbu
it's the remote that has outdated ca certificates
#
sebbu
if i manually add CURLOPT_CAINFO with the right cacert.pem (directly from curl's website), it works
#
aaronpk
oh boy fun times
#
sebbu
(or if i define it in my php/ini)
#
sebbu
so, it's not my fault, it's the remote's
#
aaronpk
i don't remember the context for this sorry
#
sebbu
when i added authorization_endpoint and token_endpoint on my site, it worked on indielogin but not indieauth (and other sites that depends on indieauth)
#
sebbu
(or was it the other way around)
#
sebbu
and i had *NO* error answer from the site
#
aaronpk
hopefully indielogin.com was working cause it's newer
#
sebbu
nope, works on indieauth.com but not indielogin.com
geoffo joined the channel
#
sebbu
Your IndieAuth server did not return a valid response. Below is the response from your server.
#
sebbu
below is nothing
#
aaronpk
right cause it didn't make a connection 😂
#
sebbu
but it should tell a ssl error then
#
aaronpk
:sigh: can you file an issue on indielogin.com saying to better report curl connection errors?
#
sebbu
on it
geoffo joined the channel