#dev 2021-02-18

2021-02-18 UTC
samwilson, alex11 and Seirdy joined the channel
#
jacky
wait I think I'm bugging out
#
jacky
but telegraph (or indielogin.com) is giving me `=S256` for the code_challenge_method field
#
jacky
is that a valid value for that?
#
jacky
hmm no
#
jacky
and that doesn't show up when I sign into aperture
#
jacky
oh wow looks like a blip because it's gone now
#
gRegorLove
S256 is valid, maybe an issue parsing the query string?
[schmarty], Seirdy, miklb, [chrisaldrich], djmoch_, AkyRhO, wagle, treora, [KevinMarks], [snarfed], [tantek], [fluffy], gRegorLove, [tw2113_Slack_], samwilson, jamietanna and DanC joined the channel
#
@RosserWrites
↩️ Same here. Next on my list is to replace Twitter with a combination of microblogging and webmentions.
(twitter.com/_/status/1362342422835990532)
silo, [KevinMarks], Valenghina and miklb joined the channel
#
GWG
I just realized that Draft Scope has 3 server implementations, but only 1 client
alex11 and [fluffy] joined the channel
#
@yatil
↩️ 1. indieAuth/OpenID 2. username + password 3. github 4. twitter
(twitter.com/_/status/1362439652448296964)
gRegorLove and [tantek] joined the channel
#
[tantek]
^ great response. see original tweet
#
jacky
gRegorLove: I think so but it happens like once every few sessions
#
jacky
I might just do a bit of work to trim it
[Murray] and KartikPrabhu joined the channel
#
jacky
hm okay
#
jacky
so I don't know how or why
#
jacky
but my PKCE challenge generation uses slashes in place of underscores
#
jacky
which makes it fail my verification _every_ time lol
#
jacky
so now I have to either strip out these symbols from both or figure out _why_ this is happening
#
jacky
I wonder if this is a URL decoding thing
#
aaronpk
base64 url encoding vs base64 encoding
#
aaronpk
base64-url-encoding is base64-encoding with a few characters swapped
#
aaronpk
+ becomes - and / becomes _ and trim the = at the end
#
jacky
aghh I just figured that out and was going to report on that :P
#
jacky
welp definitely learned something today that I'll forget in two months
alex11 joined the channel
[snarfed], [schmarty], [tw2113_Slack_], shoesNsocks, [KevinMarks] and kitt joined the channel
#
GWG
Does anyone have any thoughts on clarifying application of draft scope? https://github.com/indieweb/micropub-extensions/issues/24
#
Loqi
[dshanske] #24 Proposed Draft Scope
#
jacky
I have yet to set that up
#
GWG
jacky: It's a question of how
#
jacky
like implementation on the server or client?
#
jacky
for the server, I figure it's similar to what aaronpk mentioned there (just swapping out the scope) and for me, adjusting the `post_status` field
#
GWG
jacky: Does draft mean you can only create drafts? Update them? Delete them?
#
jacky
that seems to be already answered in the beginning, no? (only CRUD-y actions for drafts)
#
jacky
if we had concepts of actions in scopes then I think this would be a bit easier
#
jacky
like if `draft` meant really anything to do with drafts but giving `draft:read` would be "you can only read draft posts"
#
jacky
combining it with the `read draft` flow makes it more confusing and (tbh!) less specific
#
[schmarty]
jacky: i've been thinking it would be nice if an auth server (or whoever was providing the consent screen) could get ask the actual services expecting to consume that token what details to show to the user
#
[schmarty]
s/get ask/ask/
#
jacky
oooh like a descriptor of sorts?
#
jacky
like their specific parlance for the use of each scope
#
jacky
thinks aggressively
#
[schmarty]
yeah, or whether they understand it at all.
#
[schmarty]
(or even translated or expanded lists of things the user could opt into/out of! it blows up fast.)
#
[schmarty]
one problem is that a client will not tell the auth server what endpoints they intend to use the token with afterwards. so the auth server would have to do discovery for each type of endpoint it is expected to protect.
#
jacky
hm those could be hinted by the kind of scopes they'd use, no?
#
jacky
like if they need a media endpoint, they'd have to send `media`
jamietanna and treora joined the channel
#
jamietanna
haha jacky those, and the removal of padding, are the little gotchas I faced at the time I was doing my IndieAuth PKCE - definitely things we would need in a test suite (and maybe even to clarify / with more examples on the spec?)
#
GWG
I am asking because I didn't think about it until jamietanna mentioned it in implementation
#
jamietanna
> what endpoints they intend to use the token with afterwards
#
GWG
I originally only thought about creating
#
jacky
jamietanna: it's mentioned in the spec! I just saw 'base64' and kept going lol
#
jacky
I think it's safe to think of it as mainly around post status (for now)
#
jacky
like if they want to delete something it should be permitted via `delete`
#
jamietanna
there's the resource URI stuff in OAuth that allows scoping tokens down to URIs, right?
#
jacky
I _do_ think the concept of combinatory scopes can help to make that more granular though
#
jacky
IIRC yeah
#
jamietanna
that's true, but even reading it, I think I didn't really get it until integration with apps
#
jacky
yeah same
#
jacky
I _think_ we can squeeze that on the wiki and if someone else comes along with an issue then bump it to the spec
#
jacky
hm the wiki doesn't mention it (which makes sense - the spec is canonical)
kitt joined the channel
#
jamietanna
I think the issue then is there are _tonnes_ of combinatory scopes to support and manage
#
jamietanna
I'd prefer, at least in terms of `draft` for it to be quite sweeping across everything that's authorized
#
jamietanna
If we went combinatory, we'd then want i.e. `update:media` or `update:post` right? Then the clients have to know which of the many scope options to request
#
jacky
IIRC post is deprecated
#
jacky
but the format would be `object:verb`
#
jacky
like `create:media`
#
jacky
could even make it more granular for particular post types
#
jacky
`create:note update:note` etc
#
jacky
oh that's `verb:object`, lol
#
GWG
That is going to add to complexity though
#
jamietanna
yeah, so I'd rather us not start on that - I've seen granular scopes can get quite awkward
#
jamietanna
I'll write up an official reply shortly GWG, but the way my `draft` works is as a modifier over usual scopes
#
jamietanna
so the usual CRUD scopes are required, then if draft is present, it modifies the scope of what they can do (pun not intended)
#
jacky
I like that ^
samwilson joined the channel
#
jamietanna
Also means it's more a user choice than a client choice
KartikPrabhu joined the channel
#
GWG
jamietanna: That's the part I never considered, as my original thought was draft was in lieu of create/update
#
jamietanna
I think that was the original intent, yeah
#
GWG
Yes, that's why I brought it up
[tantek] joined the channel
#
[tantek]
jacky, https://indieweb.org/indieauth-for-login looks like a still useful & accurate overview. aaronpk thoughts on where it fits with the other IndieAuth pages?
btrem joined the channel