#dev 2020-11-21

2020-11-21 UTC
#
@davatron5000
↩️ Link like nobody’s webmentions feed might give you SEO.
(twitter.com/_/status/1329941879862013954)
gxt and nickodd joined the channel
#
@fluffy
↩️ Given that most folks are displaying them with client-side libraries like webmention.js, they probably won't.
(twitter.com/_/status/1330008788368125955)
gxt, geoffo, jeremycherfas and [jgmac1106] joined the channel
#
jeremycherfas
I'm minded to take dogsheep out for a bit of fun this afternoon.
mattl joined the channel
#
nolith
!tell [grantcodes] how can I debug "my posts" section on together? I can see the `q=source` message in my logs, but the list in the app is empty :(
#
Loqi
Ok, I'll tell them that when I see them next
#
nolith
aaronpk: if I prepare a PR for https://github.com/aaronpk/indielogin.com supporting GitLab.com logins, will it be available for websites using indieauth.com as authorization_endpoint?
#
Loqi
[aaronpk] indielogin.com: Sign in with your domain name
jeremycherfas and [jgmac1106] joined the channel
#
[jgmac1106]
What is dogsheep?
#
Loqi
Dogsheep is a project to build tools for pulling personal data from different sources into SQLite databases https://indieweb.org/Dogsheep
#
Zegnat
nolith: indielogin.com is not an indieauth authorization_endpoint, it is a service that other websites can rely on to handle login for them (outsourcing all those oauth buttons). So if you were to add a PR for GitLab logins there, it means sites that use indielogin.com (like indieweb.org) will then allow GitLab logins
#
nolith
ok, so this is not what I need. But I'm confused because https://github.com/aaronpk/IndieAuth.com states "This service is being discontinued in favor of indielogin.com"
#
Loqi
[aaronpk] IndieAuth.com: This service is being discontinued in favor of indielogin.com
#
nolith
I'm using indieauth.com on my blog. I'd like to be able to login using GitLab.com credentials when I put my website quill (or other micropub clients). Where should I contribute the missing implementation Zegnat ?
#
Zegnat
Yeah... blame that one on naming being hard. IndieAuth.com can do two things: function as a login handler for apps *and* function as an authorization endpoint for users. The first part is being replaced with indielogin.com (as it already has been on indieweb.org), the second part does not have a replacement yet
#
Zegnat
See the https://indieauth.com/ homepage. It has a red Deprecation Notice and slightly more feedback about the issue right below it (where it is split between For Developers and For Users)
#
Zegnat
I am actually not sure if anyone else is offering a public authorization endpoint like indieauth.com does
#
nolith
thanks for explaining Zegnat, I'll take a look at the code at https://github.com/aaronpk/IndieAuth.com
#
Loqi
[aaronpk] IndieAuth.com: This service is being discontinued in favor of indielogin.com
#
Zegnat
Not to say that a PR for GitLab for indielogin.com would not be appreciated! It will allow you to rel=me link to gitlab on your site and be able to login to the indieweb wiki with just that. Just trying to make clear that we are talking about two different things :)
#
sknebel
(someone could piggyback on indielogin.com to make an indieauth.com-authorization-endpoint clone :D)
#
sknebel
(I guess that's the plan for the replacement in some way)
#
nolith
Zegnat: sure, the point is that I'm not a PHP developer, but I am a ruby developer. And indieauth.com is ruby, but indielogin.com is PHP
#
Zegnat
Sounds like a valid reason to look into indieauth.com for sure, haha :D
schmudde and [Raphael_Luckom] joined the channel
#
nolith
aaronpk, Zegnat https://github.com/aaronpk/IndieAuth.com/pull/204 GitLab.com login support for indieauth.com
#
Loqi
[nolith] #204 Add gitlab.com login
nickodd joined the channel
#
aaronpk
nolith++ that was fast
#
Loqi
nolith has 2 karma in this channel over the last year (8 in all channels)
[grantcodes] joined the channel
#
[grantcodes]
nolith: Not too sure for debugging `q=source` query in together to be honest. You can open up the console and see responses from the graphql server and I think it should log errors there
[chrisaldrich] joined the channel
#
jeremycherfas
I'm just astonished by what Datasette has allowed me to look at, using only my Healthkit export. And fun, too. I suppose I'd better write up this mini-adventure.
#
jeremycherfas
I mean, I had no idea my iPhone was even measuring my six minute walk test distance, let alone what it is doing with that.
#
nolith
[grantcodes]: thanks. I got https://pastebin.com/wkDc0L8M It looks like my item names are a string array but together expects a string. The funny thing is that I'm not writing the json myself, but it's what the ruby microformats gem extracts from my pages. In any case I need to figure out why my pages have 2 `name` values
#
nolith
and yes, there is a bug in my template, it outputs 2 `p-name` one for the title, and one for the content
#
[grantcodes]
It expects a string from the graphql server which should convert what it needs to.
#
[grantcodes]
So maybe you have nested arrays which it doesn't fully flatten
#
nolith
but even fixing my double p-name, `microformats` will still generate an array, like all the other fields
#
nolith
in any case, I'm deploying my fix. I'll see if the error changes
#
Zegnat
All fields in mf2 are arrays in the parser json, so that would be correct
#
nolith
this is why the error surprised me, it seems to expect a string but the spec requires every field to be an array
#
[grantcodes]
Yeah that's the graphql thing which converts it to a much stricter format closer to jf2
#
[grantcodes]
What object do you return from your micropub endpoint nolith?
#
[grantcodes]
I just return an array as the root item, but I think it is maybe supposed to be `{"items": [posts here]}`
#
nolith
[grantcodes]: now I have a new error. in any case, my micropub endpoint is simply proxying https://abisso.org/stream/items.json
[arush] joined the channel
#
[grantcodes]
Ah yeah looks like it is more or less working now since it has that `micropubPosts` object
#
[grantcodes]
It's likely my mf2 -> jf2 / graphql function doesn't handle nested h-cites
#
nolith
do you think it failed parsing one of my posts that has webmentions?
#
nolith
My site is quite a Frankenstein, it's a static generated site, plus a micropub server hosted elsewhere that commits changes with GitLab APIs and then CI deploys the website. I've also implemented webmention.io webhooks to recompile with webmention
vilhalmer joined the channel
#
aaronpk
sips some coffee and gets to work on some indieauth stuff
#
Zegnat
sips some port wine and awaits more indieauth discussion
#
Zegnat
ping me if you want to discuss the redirecting stuff slightly more synchronously than GitHub issues, aaronpk! :)
#
sknebel
ping me too. still stuck in a typewriter hack session, but happy to jump over
#
aaronpk
oh no my pgp key expired lol
#
aaronpk
i can't commit stuff cause git is configured to sign commits
#
aaronpk
that was a 4 year long key
#
aaronpk
disables commit signing for now cause digging up my airgapped setup for redoing the key sounds like too much work for now
#
Zegnat
"disables commit signing" and there went all of the benefits :P
#
stevestreza
you can change the expiration date on an expired key, though it might require subkeys that are only in your airgapped setup depending on how you set it up
#
aaronpk
i only have subkeys on this machine, the primary key is on a usb drive that i use on an airgapped machine
#
aaronpk
oh wait can i just extend the expiration of the subkey?
#
aaronpk
nope, i need the primary private key
#
stevestreza
alternatively, roll your system clock back until you can get to updating the expire :)
#
Zegnat
Haven't used GPG for a while now, precisely because of all this admin that never seemed worth the hassle
#
aaronpk
i like that github shows the little verified checkmarks next to the commits
#
Zegnat
You could generate a new key every day, and it will do that too ;)
#
petermolnar
GPG has the worst admin tax of anything I ever touched
#
Loqi
The Armchair Post
#
Zegnat
I have not added a lot of super positive articles to https://indieweb.org/OpenPGP#Articles_and_Guides that is for sure. Except the 2017 one by Alexandre. Would love to read more positive cases of GPG use
#
aaronpk
is making a placeholder repo to move issues from indieauth.com when they are for the user's authorization server https://github.com/aaronpk/Personal-IndieAuth-Server/issues
[chrisaldrich] joined the channel
#
jacky
I do the key updating around the same time I do my machine backup of secrets
#
sebbu
i do the updating... whenever i feel like it :(
#
sebbu
(ie, not often)
#
sebbu
also, i failed transitioning to a password manager a long time ago
#
sebbu
didn't answer my needs
nickodd left the channel
#
aaronpk
ok finished managing indieauth.com issues and merging some PRs, now on to spec stuff
#
sebbu
aaronpk, and my issues ?
#
aaronpk
oh the cert thing? that's on indielogin.com and i wasn't looking at that
#
sebbu
nah, the ssl errors from curl that aren't reported
ethan joined the channel
#
sebbu
hum, #44 on indielogin is also about indieauth.com i think
#
sebbu
(the website)
#
aaronpk
indielogin.com also supports pgp as an option
#
sebbu
yes, but not with ed25519 keys
#
sebbu
rah, yes, it works on indielogin.com but not indieauth.com
#
aaronpk
Zegnat: two minor typos, then I think we should merge this and I'll write up a new examples section https://github.com/indieweb/indieauth/pull/56
#
Loqi
[Zegnat] #56 Remove requirement for same domain
#
Zegnat
I'll do a fix commit, coming right up
#
Zegnat
And yes, I think the examples might go well in differing user profile urls. Although I am not sure that section title is super accurate.
#
Zegnat
There is some sort of push to be made for the whole "user input != profile url" thing
#
aaronpk
agreed, i can work on that after we get this in
#
Zegnat
Pushing the typo fix now
#
aaronpk
hm as i'm typing out this example...
#
aaronpk
oh i see, great
#
aaronpk
"It MAY check the value against any URLs encountered during the initial endpoint discovery ... MAY then chose to skip the next step"
#
Zegnat
Feel free to clean up the wording
#
Zegnat
But that is the one way the client can allow itself to skip the rediscovery. If it already knows what it is going to find from previous discovery
#
Zegnat
Of course clients should feel free to just always do rediscovery, as that does not hurt
#
aaronpk
doing that check is essentially an optimization the client can do to save a request
#
aaronpk
if it can keep track of all the URLs in the redirects
#
Zegnat
Exactly
#
Zegnat
And I thought it would be nice to call out that optimisation right there
#
Zegnat
I wonder if this, rather than being a security considerations section, should not just be the last section of the spec. The last step of the flow that clients should always do when they have received a `me` value ...
#
Zegnat
(Both comments now resolved on the PR.)
#
Zegnat
(also ping sknebel in case you wanted to follow along the discussion ^)
#
aaronpk
yeah it's looking like that
#
Zegnat
I am thinking, the `me` returned from the AS is trusted from the user/AS point of view, but is not yet trusted from the client point of view as the user might be trying an impersonation attack. So the client should try to establish a trusted relationship between `me` and `authorization_endpoint` no matter what.
#
aaronpk
yeah that's the idea
[KevinMarks] joined the channel
#
aaronpk
most of these examples end up being equivalent
#
sknebel
Zegnat thx
#
sknebel
arguments look good, haven't had a proper read of the full thing yet
#
Zegnat
aaronpk the redirects you mean? Yeah, especially if you do not need to care for the difference between permanent and temporary anymore ...
#
aaronpk
http-https and www-to-no-www and short domain to full domain are all the same
#
sknebel
lol, while reading now find other sections I want to think about. *starts scratch file*
#
sknebel
re the optimization, maybe make that explicit as such?
#
sknebel
I.e. start with what needs to be done and then an explicit "as an optimization, ..."?
#
sknebel
not sure if the wording is nicer like that or not
#
sknebel
Loqi--
#
Loqi
Loqi has -1 karma in this channel over the last year (15 in all channels)
#
sknebel
now I feel bad, didn't mean to put you in the negative
#
sknebel
two comments otherwise
#
sknebel
note to self: investigate how to build a nice diff of the formatted version like WHATWG has ....
#
Zegnat
At least GitHub shows me what words within a line were changed...
#
jacky
*git with the --diff=word (I believe)
#
Zegnat
git diff --word-diff ......... marry me jacky. I should of course have rtfm
#
sknebel
looks good to me with only 3 small points left
[tantek] and geoffo joined the channel
#
aaronpk
i want to move this section into a new section 5.4
#
aaronpk
so it'll be: Discovery, Authorization Request, Redeeming the Authorization Code, ??????
#
sknebel
"Verifying user identity URL (or whatever the thing is called)"
#
aaronpk
maybe "Verifying the Authorization Server" or "Authorization Server Confirmation" or "Profile URL Confirmation"?
#
sknebel
well, despite the quotes, not literally that
#
sknebel
Authorization Server Confirmation sounds to me like something the auth server does
[jgmac1106] joined the channel
#
Zegnat
"Profile URL Verification" is what it is doing, right?
#
aaronpk
i guess so yeah
#
aaronpk
or confirming
#
sknebel
Profile URL Verification sounds good to me
#
aaronpk
it's making sure the profile URL returned by the authorization server is legitimate
#
Zegnat
I guess confirming to me means it goes to ask a different party if it was right? But there is no different party to ask?
#
aaronpk
it's confirming it by asking the new profile URL
#
Zegnat
Hmm, yeah, guess that is true
#
aaronpk
verification sounds to me like something that doesn't require a network request
#
Zegnat
"Hi aaronpk, just checking in with you to [confirm|verify] that sknebel is acting on your behalf." ...... I guess confirm does sound better to me in that sentence
#
Zegnat
anthropomorphises all the pieces
#
Zegnat
But that again makes it sound like it is confirming the auth endpoint, not the me given by the auth endpoint. Surprisingly tricky wordsmithing here, hahaha
#
Loqi
hehe
#
sknebel
but it is confirming the auth endpoint
#
sknebel
it is confirming that the auth endpoint is authorized to make claims about the profile URL
#
sknebel
it is verifying that the auth endpoint is authorized to make claims about the profile URL
#
sknebel
it's defending against the auth endpoint, not against the profile URL
#
Zegnat
naming--
#
Loqi
naming has -1 karma over the last year
#
aaronpk
so.. "Authorization Server Confirmation"?
#
sknebel
yeah why not. not like I have a better suggestion
#
Zegnat
Go for it
#
Zegnat
Are you going to push that to my branch, aaronpk? Or do you want to merge first?
#
aaronpk
let's merge it and i'll make a new PR to rearrange that and add my examples
#
Zegnat
Then I would say, sknebel, let's keep the change in the "MAY" line in mind for when aaronpk comes in with the rearrangement of that section. And get the PR merged as it is, if nothing else big stands out.
#
Zegnat
goes to resolve the comments on GH
#
Loqi
I added a countdown scheduled for 2020-11-28 3:16pm CET (#6813)
#
sknebel
fine :D
#
Zegnat
Hahaha
#
Loqi
hahaha
#
aaronpk
Zegnat: okay do you have anything left to do on that PR?
#
Zegnat
Merge away 🚀
#
aaronpk
woohoo let's do this
#
aaronpk
hm i want to rephrase those two steps
#
Zegnat
If you are writing it as its own complete section, then please do, haha
#
Zegnat
Maybe they do not even make sense as "steps" anymore. I mostly kept the list format to minimise changes from the current spec
#
aaronpk
alright i think i have something
#
aaronpk
aren't we basically saying the client can do either of those two steps?
#
Zegnat
Well, if the optional step fails, they MUST do the other one
#
Zegnat
So it is not really a either-or situation
#
aaronpk
one of the two steps has to succeed
#
aaronpk
"either of the following must be true"
#
Zegnat
Ah, that sounds right
#
Zegnat
Keep thinking the one that does not redo discovery is optional, because if you want to be sure you can always redo discovery and that will give the correct answer.
#
aaronpk
so it's either: "do A first, if that fails, do B" or "do B"
#
aaronpk
i am now realizing i should have done that in two commits
#
aaronpk
should i go back and redo that?
#
aaronpk
maybe even two PRs
#
Zegnat
You mean split out the changelog?
#
aaronpk
no i mean moving the section and then separately changing the text within the section
#
Zegnat
Oh, to make textual differences easier to review vs just the move? That might be nice ...
#
aaronpk
lemme go do that
#
Loqi
[aaronpk] #67 moves the differing profile urls section
#
aaronpk
if you can merge that i'll make a new PR with the text changes within that section
#
Zegnat
Does it need class "informative" on Examples?
#
Zegnat
Or I guess the IndieAuth spec does not do that
#
aaronpk
i don't think that actually does anything
#
aaronpk
i didn't even wrap the examples in a section so that they don't appear in the ToC
#
Zegnat
but meh
#
aaronpk
oh right it adds the little text at the top "This section is non-normative."
#
Zegnat
We do not really seem to use it anywhere except for the standard intros/appends texts. So, like I said, meh. Examples seem clear to me and cover those we have previously discussed. So that seems good to me.
#
Zegnat
hits the green merge button
#
aaronpk
ok next
#
Zegnat
Do you usually delete merged branches, aaronpk?
#
aaronpk
in this case yes
#
aaronpk
cause they are one-off branches for me
#
Zegnat
I basically always delete branches after merge. But did not want to mess with the repo too much.
#
Zegnat
In case you did not
#
Loqi
[aaronpk] #68 rephrase authorization server confirmation section
#
sknebel
(lol, got so used to gerrit now that I was looking for the voting buttons :D)
#
Zegnat
Still find myself wishing for a better phrasing than "either of the following", but that might also be me being a non native speaker throwing a wrench
#
sknebel
yeah, do not like that either
#
Zegnat
Oh. Maybe I also find it jarring because I expect statements that can be true/false following such a phrasing. But instead the list seems to have actions? (E.g. they start with a verb.)
#
sknebel
I dislike it because it suggests you need to have both codepaths
#
sknebel
not "you need the second one, and can add the first if you want"
#
aaronpk
but doesn't "checking that either of the following is true" imply that if you can check the second one is true then you don't need to check the first?
#
sknebel
it doesn't suggest a is a subset of b
#
aaronpk
the problem i was having is the "MUST" with that second point isn't actually a MUST if it can be bypassed
#
Zegnat
I can see that. It is a bit tricky. The only reason it can be bypassed, is that the exact step has already been done during initial discovery in one very specific case. So it can be optimised away.
#
aaronpk
ok so actually the "MUST" is "It MUST verify that the canonical profile URL declares the same `authorization_endpoint` as the initially-discovered authorization endpoint"
#
aaronpk
*how* it does that isn't part of the MUST
#
sknebel
" the client MUST verify the authorization server is authorized to make claims about the profile URL returned (i.e. the profile URL leads to a URL declaring the same authorization server).
#
sknebel
If the profile URL is among the URLs encountered during initial discovery, it MAY accept this. (?!!) Otherwise it MUST ... ?
#
sknebel
some structure like that?
#
Zegnat
aaronpk: yes, the MUST is to verify that. And there are basically 2 ways: 1/ the client already knows it has the same authorization_endpoint because the canonical profile URL was visited during initial discovery, or 2/ the client redoes discovery on the canonical profile URL
#
aaronpk
that's the "either" structure i was going for :)
#
sknebel
but it's not "either"
#
Zegnat
(I guess a third way would be if the client has out-of-band knowledge about the canonical profile URL, e.g. it is also the hoster)
#
sknebel
it's optionally a), and if you don't do a), or a) does not apply, you MUST do b)
#
Zegnat
wonders if either has a different connotation to us Central Europeans, haha
#
aaronpk
the other difference between the two is: if A fails there's a chance it's still okay by checking B. but if B fails then you know it's an error
#
sknebel
maybe just an extra sentence a la "note that if the first is true, the second is also, so implementations MAY only implement the second check (at the cost of extra requests)
#
Zegnat
A valid client could implement just B, not A, without issue. But if you want to avoid the extra HTTP call, the client may want to implement A on top of B.
#
sknebel
right. and B must always be implemented
#
Zegnat
A valid client can never not implement B, I think
#
aaronpk
so, it is actually accurate to say that a client MUST do that step B. maybe then we add a note below that saying here is one way to optimize your code
#
aaronpk
in other words, the code to check step B has to exist in the client, the code for step A does not
#
sknebel
the "in other words" yes, the first I agree with you that "eehhh" :d
#
sknebel
for me it boils down to if "you MUST X, but you MAY skip X if Y" is acceptable language
#
Zegnat
Yep. Step A is purely an optimisation. But I felt like it would be good to let implementers know that it is very much a valid / safe optimisation. In general I would advise against people coming up with optimisations in auth code otherwise
#
sknebel
I want to mention it
#
aaronpk
yeah i feel like mentioning it first is wrong
#
aaronpk
because then it makes it look like you either have to do it or it's safe to do only that
#
sknebel
that's why I above tried to give context what it means
#
sknebel
" the client MUST verify the authorization server is authorized to make claims about the profile URL returned (i.e. the profile URL leads to a URL declaring the same authorization server). "
#
sknebel
or "(i.e. it MUST verify that the profile URL ..."
#
aaronpk
"the client MUST verify the authorization server is authorized to make claims about the profile URL returned by confirming the returned profile URL declares the same authorization server"
#
Zegnat
Yes, that :)
#
aaronpk
great. i'm going to expand on it below that as well. one sec
#
aaronpk
well hmm this is interesting
#
aaronpk
that sentence above is the actual normative requirement. *how* it confirms that is the thing where there's two options
#
aaronpk
i have another idea
#
Zegnat
Part of the requirement is that "the returned profile URL declares the same authorization server" in accordance with discovery's rules? I feel like it needs to link back to that somehow
#
aaronpk
is a "MUST ... unless" structure confusing?
#
sknebel
"for me it boils down to if "you MUST X, but you MAY skip X if Y" is acceptable language" :D
#
aaronpk
"MUST X unless Y"
#
[Raphael_Luckom]
MUST either x or y?
#
aaronpk
nope haha see above
#
aaronpk
that's how we got here
#
[Raphael_Luckom]
oop sorry
#
sknebel
X unless Y is probably fine, especially with explicit mention of it being an optimization
#
sknebel
word it like that, let's go find some more people to ask about a concrete proposal
#
aaronpk
k, changes forthcoming
#
sknebel
minor: could also be the initially entered URL, exact
#
aaronpk
"...an exact match of the initially entered URL or any of the..."
#
Zegnat
sees GitHub popup a refresh button
#
Zegnat
That commit was almost synced with the chat :P Haha
#
Zegnat
This makes sense to me. Calling it out as optional after establishing the MUST seems good to me too!
#
sknebel
"any of the URLs encountered during the <a href="#discovery-by-clients">initial endpoint discovery</a> either from a possible redirect chain or as the final value.</p>" <- does that need a "," after the </a>?
#
sknebel
yes, think so too. maybe someone can come up with some improved wording, but it says the right thing