gxt, geoffo, jeremycherfas and [jgmac1106] joined the channel
#jeremycherfas I'm minded to take dogsheep out for a bit of fun this afternoon.
mattl joined the channel
#nolith !tell [grantcodes] how can I debug "my posts" section on together? I can see the `q=source` message in my logs, but the list in the app is empty :(
#Loqi Dogsheep is a project to build tools for pulling personal data from different sources into SQLite databases https://indieweb.org/Dogsheep
#Zegnat nolith: indielogin.com is not an indieauth authorization_endpoint, it is a service that other websites can rely on to handle login for them (outsourcing all those oauth buttons). So if you were to add a PR for GitLab logins there, it means sites that use indielogin.com (like indieweb.org) will then allow GitLab logins
#Loqi [aaronpk] IndieAuth.com: This service is being discontinued in favor of indielogin.com
#nolith I'm using indieauth.com on my blog. I'd like to be able to login using GitLab.com credentials when I put my website in quill (or other micropub clients). Where should I contribute the missing implementation, Zegnat?
#Zegnat Yeah... blame that one on naming being hard. IndieAuth.com can do two things: function as a login handler for apps *and* function as an authorization endpoint for users. The first part is being replaced with indielogin.com (as it already has been on indieweb.org), the second part does not have a replacement yet
#Zegnat See the https://indieauth.com/ homepage. It has a red Deprecation Notice and slightly more feedback about the issue right below it (where it is split between For Developers and For Users)
#Zegnat I am actually not sure if anyone else is offering a public authorization endpoint like indieauth.com does
#Loqi [aaronpk] IndieAuth.com: This service is being discontinued in favor of indielogin.com
#Zegnat Not to say that a PR for GitLab for indielogin.com would not be appreciated! It will allow you to rel=me link to gitlab on your site and be able to login to the indieweb wiki with just that. Just trying to make clear that we are talking about two different things :)
#sknebel (someone could piggyback on indielogin.com to make an indieauth.com-authorization-endpoint clone :D)
#sknebel (I guess that's the plan for the replacement in some way)
#nolith Zegnat: sure, the point is that I'm not a PHP developer, but I am a ruby developer. And indieauth.com is ruby, but indielogin.com is PHP
#Zegnat Sounds like a valid reason to look into indieauth.com for sure, haha :D
#Loqi nolith has 2 karma in this channel over the last year (8 in all channels)
[grantcodes] joined the channel
#[grantcodes] nolith: Not too sure for debugging `q=source` query in together to be honest. You can open up the console and see responses from the graphql server and I think it should log errors there
[chrisaldrich] joined the channel
#jeremycherfas I'm just astonished by what Datasette has allowed me to look at, using only my Healthkit export. And fun, too. I suppose I better write up this mini-adventure.
#jeremycherfas I mean, I had no idea my iPhone was even measuring my six minute walk test distance, let alone what it is doing with that.
#nolith [grantcodes]: thanks. I got https://pastebin.com/wkDc0L8M It looks like my item names are a string array but together expects a string. The funny thing is that I'm not writing the json myself, but it's what the ruby microformats gem extracts from my pages. In any case I need to figure out why my pages have 2 `name` values
#nolith and yes, there is a bug in my template, it outputs 2 `p-name`, one for the title, and one for the content
#[grantcodes] It expects a string from the graphql server which should convert what it needs to.
#[grantcodes] So maybe you have nested arrays which it doesn't fully flatten
#nolith but even fixing my double p-name, `microformats` will still generate an array, like all the other fields
#nolith in any case, I'm deploying my fix. I'll see if the error changes
#Zegnat All fields in mf2 are arrays in the parser json, so that would be correct
#nolith this is why the error surprised me, it seems to expect a string but the spec requires every field to be an array
#[grantcodes] Yeah that's the graphql thing which converts it to a much stricter format closer to jf2
#[grantcodes] What object do you return from your micropub endpoint nolith?
#[grantcodes] I just return an array as the root item, but I think it is maybe supposed to be `{"items": [posts here]}`
#[grantcodes] Ah yeah looks like it is more or less working now since it has that `micropubPosts` object
#[grantcodes] It's likely my mf2 -> jf2 / graphql function doesn't handle nested h-cites
#nolith do you think it failed parsing one of my posts that has webmentions?
#nolith My site is quite a Frankenstein, it's a static generated site, plus a micropub server hosted elsewhere that commits changes with GitLab APIs and then CI deploys the website. I've also implemented webmention.io webhooks to recompile with webmention
vilhalmer joined the channel
#aaronpk sips some coffee and gets to work on some indieauth stuff
#Zegnat sips some port wine and awaits more indieauth discussion
#Zegnat ping me if you want to discuss the redirecting stuff slightly more synchronously than GitHub issues, aaronpk! :)
#aaronpk disables commit signing for now cause digging up my airgapped setup for redoing the key sounds like too much work for now
#Zegnat "disables commit signing" and there went all of the benefits :P
#stevestreza you can change the expiration date on an expired key, though it might require subkeys that are only in your airgapped setup depending on how you set it up
#aaronpk i only have subkeys on this machine, the primary key is on a usb drive that i use on an airgapped machine
#aaronpk oh wait can i just extend the expiration of the subkey?
#Zegnat But that is the one way the client can allow itself to skip the rediscovery. If it already knows what it is going to find from previous discovery
#Zegnat Of course clients should feel free to just always do rediscovery, as that does not hurt
#aaronpk doing that check is essentially an optimization the client can do to save a request
#aaronpk if it can keep track of all the URLs in the redirects
#Zegnat And I thought it would be nice to call out that optimisation right there
#Zegnat I wonder if this, rather than being a security considerations section, should not just be the last section of the spec. The last step of the flow that clients should always do when they have received a `me` value ...
#Zegnat I am thinking, the `me` returned from the AS is trusted from the user/AS point of view, but is not yet trusted from the client point of view as the user might be trying an impersonation attack. So the client should try to establish a trusted relationship between `me` and `authorization_endpoint` no matter what.
#aaronpk verification sounds to me like something that doesn't require a network request
#Zegnat "Hi aaronpk, just checking in with you to [confirm|verify] that sknebel is acting on your behalf." ...... I guess confirm does sound better to me in that sentence
#Zegnat But that again makes it sound like it is confirming the auth endpoint, not the me given by the auth endpoint. Surprisingly tricky wordsmithing here, hahaha
#Zegnat Are you going to push that to my branch, aaronpk? Or do you want to merge first?
#aaronpk let's merge it and i'll make a new PR to rearrange that and add my examples
#Zegnat Then I would say, sknebel, let's keep the change in the "MAY" line in mind for when aaronpk comes in with the rearrangement of that section. And get the PR merged as it is, if nothing else big stands out.
#Zegnat Keep thinking the one that does not redo discovery is optional, because if you want to be sure you can always redo discovery and that will give the correct answer.
#aaronpk so it's either: "do A first, if that fails, do B" or "do B"
#aaronpk oh right it adds the little text at the top "This section is non-normative."
#Zegnat We do not really seem to use it anywhere except for the standard intros/appends texts. So, like I said, meh. Examples seem clear to me and cover those we have previously discussed. So that seems good to me.
#Loqi [aaronpk] #68 rephrase authorization server confirmation section
#sknebel (lol, got so used to gerrit now that I was looking for the voting buttons :D)
#Zegnat Still find myself wishing for a better phrasing than "either of the following", but that might also be me being a non-native speaker throwing a wrench
#Zegnat Oh. Maybe I also find it jarring because I expect statements that can be true/false following such a phrasing. But instead the list seems to have actions? (E.g. they start with a verb.)
#sknebel I dislike it because it suggests you need to have both codepaths
#sknebel not "you need the second one, and can add the first if you want"
#aaronpk but doesn't "checking that either of the following is true" imply that if you can check the second one is true then you don't need to check the first?
#aaronpk the problem i was having is the "MUST" with that second point isn't actually a MUST if it can be bypassed
#Zegnat I can see that. It is a bit tricky. The only reason it can be bypassed, is that the exact step has already been done during initial discovery in one very specific case. So it can be optimised away.
#aaronpk ok so actually the "MUST" is "It MUST verify that the canonical profile URL declares the same `authorization_endpoint` as the initially-discovered authorization endpoint"
#sknebel "the client MUST verify the authorization server is authorized to make claims about the profile URL returned (i.e. the profile URL leads to a URL declaring the same authorization server).
#sknebel If the profile URL is among the URLs encountered during initial discovery, it MAY accept this. (?!!) Otherwise it MUST ... ?
#Zegnat aaronpk: yes, the MUST is to verify that. And there are basically 2 ways: 1/ the client already knows it has the same authorization_endpoint because the canonical profile URL was visited during initial discovery, or 2/ the client redoes discovery on the canonical profile URL
#aaronpk that's the "either" structure i was going for :)
#sknebel maybe just an extra sentence a la "note that if the first is true, the second is also, so implementations MAY only implement the second check (at the cost of extra requests)"
#Zegnat A valid client could implement just B, not A, without issue. But if you want to avoid the extra HTTP call, the client may want to implement A on top of B.
#aaronpk so, it is actually accurate to say that a client MUST do that step B. maybe then we add a note below that saying here is one way to optimize your code
#aaronpk in other words, the code to check step B has to exist in the client, the code for step A does not
#sknebel the "in other words" yes, the first I agree with you that "eehhh" :d
#sknebel for me it boils down to if "you MUST X, but you MAY skip X if Y" is acceptable language
#Zegnat Yep. Step A is purely an optimisation. But I felt like it would be good to let implementers know that it is very much a valid / safe optimisation. In general I would advise against people coming up with optimisations in auth code otherwise
#aaronpk yeah i feel like mentioning it first is wrong
#aaronpk because then it makes it look like you either have to do it or it's safe to do only that
#sknebel that's why I above tried to give context what it means
#sknebel "the client MUST verify the authorization server is authorized to make claims about the profile URL returned (i.e. the profile URL leads to a URL declaring the same authorization server)."
#sknebel or "(i.e. it MUST verify that the profile URL ..."
#aaronpk "the client MUST verify the authorization server is authorized to make claims about the profile URL returned by confirming the returned profile URL declares the same authorization server"
#Zegnat Part of the requirement is that "the returned profile URL declares the same authorization server" in accordance with discovery's rules? I feel like it needs to link back to that somehow
#aaronpk is a "MUST ... unless" structure confusing?
#sknebel "for me it boils down to if "you MUST X, but you MAY skip X if Y" is acceptable language" :D
#Zegnat That commit was almost synced with the chat :P Haha
#Zegnat This makes sense to me. Calling it out as optional after establishing the MUST seems good to me too!
#sknebel "any of the URLs encountered during the <a href="#discovery-by-clients">initial endpoint discovery</a> either from a possible redirect chain or as the final value.</p>" <- does that need a "," after the </a>?
#sknebel yes, think so too. maybe someone can come up with some improved wording, but it says the right thing