#dev 2021-02-06

2021-02-06 UTC
ShadowKyogre joined the channel
#
Saphire
So what's "code_challenge" from indielogin?
#
jacky
hold on, I got a link!
[chrisaldrich] joined the channel; ShadowKyogre left the channel
#
Saphire
Also I'm still confused about the whole uh. Auth vs token thing?
#
Saphire
I need an example/use case of why those are separate things >.>
#
aaronpk
trying to think if i have a link handy
#
aaronpk
i build up to this idea in my oauth course, but i think that way of describing it hasn't been written down elsewhere yet
#
jacky
have you seen https://indieauth.spec.indieweb.org yet (if you're into reading specs)?
#
jacky
if not, https://aaronparecki.com/2018/07/07/7/oauth-for-the-open-web might be a bit more of a better read
#
aaronpk
i kinda talk about it in this video too https://www.youtube.com/watch?v=KT8ybowdyr0
#
jacky
tl;dr: IndieAuth == OAuth but optimized for inter-site communication without the client secret fuzz
#
Saphire
https://paseto.io/ - also, wonder if this will be useful to anyone?
#
aaronpk
eh you don't need either that or jwt for a simple indieauth implementation
#
aaronpk
(true of oauth too)
#
Saphire
Oh meant in general ^^
#
Saphire
Tangentially remembered about that when thinking of tokens and especially "baking code in"
#
jacky
interesting
#
jacky
my setup uses jwts by default (I never bothered to switch it off)
#
Saphire
JWT are.. highly fragile, but "fine" if done correctly
#
Saphire
It's just that doing them correctly might not be trivial
#
Saphire
Or at least, not clear enough and easy to miss an issue
#
Saphire
See good old "alg=none" ^-^
#
jacky
ha right
#
jacky
ooh I can just drop this into my project
#
Loqi
[ueberauth] guardian_paseto: A Guardian.Token implementation for Paseto tokens (https://paseto.io)
#
Saphire
Eee. Neat o:
[schmarty]1, [KevinMarks]1, ShadowKyogre and [tw2113_Slack_] joined the channel; ShadowKyogre left the channel
#
Saphire
"The client SHOULD provide the me query string parameter to the authorization endpoint"
#
Saphire
Uhh, only should? So applications /may/ assume that a user page uses an exclusive auth endpoint?
#
jacky
thinks about that for a moment
#
jacky
yeah! there's a chance that the user page might need a different type of authorization (so a different endpoint could be provided) or maybe they change it depending on who's asking (think: multiple identities/ACLs from one user/domain/URL)
#
jacky
granted, that sounds a bit complex in theory
#
jacky
but it's possible with a site that holds more than one user (like if Mastodon wanted to use specific URLs)
#
Saphire
I mean, if the specific user instance does not care about me parameter, it is very much free to ignore it. But a client app potentially not providing a "me" value to a multi-tenant auth host because it assumes single-tenant only use case, uh, sounds problematic?
#
jacky
I'm not very good with specific language stuff like this in specs, tbh, but I _think_ that client apps NOT providing a 'me' parameter wouldn't be a thing
#
jacky
in the sense that, without it, you can't do the resolving of their authentication _or_ token endpoints
#
Saphire
Well, it is apparently allowed by spec to fetch a provided "me" url, get auth endpoint, and not give the "me" to said endpoint?
#
Saphire
Unless I'm misreading
#
jacky
what part of the spec are you up to? there's a chance it explains itself later on
#
Saphire
Ooh
#
Saphire
Right, wait
#
Saphire
The auth page would be able to determine user it is going to verify by itself v:
#
Saphire
Right
#
jacky
always glad to talk over this stuff - both parties get more understanding
#
Saphire
The section about "treat me parameter as insecure/compromised data" (paraphrasing) kinda made me understand that ^^
[Tim_Nolte] and ShadowKyogre joined the channel
#
Saphire
So.. never allow any potentially malicious/untrusted actor be able to put a ref link or control your headers to mess with what auth endpoint is used..
#
aaronpk
I mean, generally yeah I'm not gonna let random people change my website :-)
ccchapman and alex11 joined the channel
#
@reinhart1010
↩️ As for me, because I often write blog posts in more than one place, I often re-upload blog content to my new site http://reinhart1010.github.io. This site doesn't have like and comment features yet (although I plan to add webmentions), so I also include a link to the original article.
(twitter.com/_/status/1357924947926999044)
dopplergange, gRegorLove_, dhanesh, silo, nickodd, [KevinMarks] and jamietanna joined the channel
#
jamietanna
The removal of the `me` parameter also allows you to use a general-purpose OAuth2 client, instead of an IndieAuth specific client
#
jamietanna
If no `me` is provided, it's up to the user who they want to authenticate as. And tbh, even if there was a `me`, the authorization server doesn't have to listen to it - users can choose what identity they want
#
Saphire
Yeah, realized that later ^^'
#
jamietanna
I'm interested in giving PASETO a go, but I use JWT so much and I don't like change D:
#
jamietanna
Does sound super interesting though
silo joined the channel
#
Saphire
Hm.. is it worth having both h-card and older vcard-y thing too on, well, page with that?
silo and KartikPrabhu joined the channel
#
Saphire
So uh.. kinda trying to make own mock-up of a login screen for 3rd party indielogin, well, login. But having some difficulty and kinda want to see already existing examples and I'm not sure where to get them ^^'
#
aaronpk
there are some examples here! https://indieweb.org/consent_screen
#
GWG
I love some of those examples and wish to add some of them to mine.
#
GWG
Like the PKCE alert
#
GWG
aaronpk: That might be a good way to get people to adopt the new pieces.
#
GWG
I see people doing it, but I'm wondering if it is worth putting somewhere people trying to implement will see it.
#
Saphire
Ooh. How does yours look?
#
GWG
I should screenshot mine and add it.
#
Saphire
Meanwhile I'm trying to go for a minimalistic one, but it's.. slightly difficult ^^'
#
Saphire
Wondering whether a pop-up or collapsible would be good, hm
shoesNsocks1 joined the channel
#
Saphire
Currently having an issue of the app URL being a bit long to easily fit <.<
KartikPrabhu joined the channel
#
GWG
There's mine.
alex11, [KevinMarks], silo and ccchapman joined the channel
#
Saphire
Heh.. one day I will get myself an image share/drop thing set up. For now just trying to figure out how to throw in the current mockup result for login consent?
#
Saphire
https://cdn.discordapp.com/attachments/523706669805338627/807659353694797874/unknown.png annoyingly Discord is better than Imgur nowadays thanks to not serving those uh.. <strong words> redirects to "feature rich" pages
#
Saphire
Maybe pillage Mozilla for some icons.. also not sure whether to put PKCE on top or bottom. And in general unsure of layout but I think it works mostly >.>
alex11 joined the channel
#
Saphire
...also not even sure what's up with the font and it just slightly not getting properly aligned vertically x.x
silo joined the channel
#
leo60228
if i'm using Bridgy and i link someone else's Webmention-compatible site on a site that i have Bridgy linked to will they receive a Webmention?
[snarfed] joined the channel
#
[snarfed]
bridgy does that for hosted blog silos, but not for arbitrary web sites. https://brid.gy/about#blogs
ShadowKyogre, blade82, nickodd and [benatwork] joined the channel; ShadowKyogre left the channel
#
leo60228
[snarfed]: gotcha
#
leo60228
the specific thing i was curious about was whether if i linked a webmention-compatible site in a github commit message they would get a webmention
#
leo60228
i suppose i could just send the webmention manually from my cli
ShadowKyogre, [KevinMarks] and leg joined the channel; ShadowKyogre and nickodd left the channel
#
Saphire
https://media.discordapp.net/attachments/523706669805338627/807710395925528626/unknown.png ...I probably should do this with actual css rather than in dev tools >.>
leg joined the channel; ShadowKyogre left the channel
#
jacky
nah devtools >>>
#
jacky
I tend to do it all there
#
jacky
then do "Copy Outer HTML" and adjust in my code
#
jacky
who needs Sketch? lol
#
Saphire
Pfff
#
Saphire
And uh. Isn't Sketch Mac only
#
jacky
there's another thing but I forget the name
#
jacky
I was a big fan of Pencil
ShadowKyogre and leg joined the channel; ShadowKyogre left the channel
ShadowKyogre left the channel
#
lahacker
i'd like to search my micropub endpoint for presence of a URL (eg. the like-of property of an entry) so i can light up my extension icon when i'm on a page i've interacted with before
#
lahacker
i think i can use microsub's https://indieweb.org/Microsub-spec#Searching_for_Content to pluck out URLs from feeds i'm following
#
jacky
this is something I think we've discussed for this
#
jacky
re: micropub and finding a post/entry by a property
#
lahacker
i see some faint mention of "search" on the micropub pages
#
jacky
would have it
#
jacky
something like `?q=source&exists[]=like-of&property-like-of=$URL`
#
jacky
^ that's a hard check imo, you wouldn't need the `exists[]` if you know you're looking for a particular property
#
lahacker
since it seems "filter" is intended to be used in a letter-by-letter sort of fashion for autocomplete.. how about ?q=source&search=https://indieweb.org
#
lahacker
i'd prefer to keep it as general a search as possible
#
jacky
I don't follow
#
Loqi
[EdwardHinkle] #4 Query for Post List
#
lahacker
ah ok
#
lahacker
thanks
#
jacky
this is something I've wanted for my social readers as well tbh :)
#
@jamesvandyne
Got the start of the indieauth authorization flow working and the base models setup. https://tanzawa.jamesvandyne.com/7b4add9a-9a3a-4484-9823-d54e6b44f4da
(twitter.com/_/status/1358193591806398464)
#
jacky
like if someone signed in with their site, it'd automatically highlight action buttons (like reposting, etc) and allow for removal of said changes
#
jacky
I can even see indiebookclub using it to pre-load books and reading options