2021-02-18 UTC
samwilson, alex11 and Seirdy joined the channel
# 00:46 jacky but telegraph (or indielogin.com) is giving me `=S256` for the code_challenge_method field
# 00:49 jacky and that doesn't show up when I sign into aperture
# 00:50 jacky oh wow looks like a blip because it's gone now
[schmarty], Seirdy, miklb, [chrisaldrich], djmoch_, AkyRhO, wagle, treora, [KevinMarks], [snarfed], [tantek], [fluffy], gRegorLove, [tw2113_Slack_], samwilson, jamietanna and DanC joined the channel
silo, [KevinMarks], Valenghina and miklb joined the channel
# 13:28 GWG I just realized that Draft Scope has 3 server implementations, but only 1 client
alex11 and [fluffy] joined the channel
gRegorLove and [tantek] joined the channel
# 17:55 jacky gRegorLove: I think so but it happens like once every few sessions
[Murray] and KartikPrabhu joined the channel
# 18:18 jacky but my PKCE challenge generation uses slashes in place of underscores
# 18:18 jacky which makes it fail my verification _every_ time lol
# 18:18 jacky so now I have to either strip out these symbols from both or figure out _why_ this is happening
# 18:19 aaronpk base64-url-encoding is base64-encoding with a few characters swapped
# 18:20 aaronpk + becomes - and / becomes _ and trim the = at the end
# 18:39 jacky aghh I just figured that out and was going to report on that :P
# 18:39 jacky welp definitely learned something today that I'll forget in two months
alex11 joined the channel
[snarfed], [schmarty], [tw2113_Slack_], shoesNsocks, [KevinMarks] and kitt joined the channel
# 20:41 jacky like implementation on the server or client?
# 20:42 jacky for the server, I figure it's similar to what aaronpk mentioned there (just swapping out the scope) and for me, adjusting the `post_status` field
# 20:43 GWG jacky: Does draft mean you can only create drafts? Update them? Delete them?
# 20:44 jacky that seems to be already answered in the beginning, no? (only CRUD-y actions for drafts)
# 20:45 jacky if we had concepts of actions in scopes then I think this would be a bit easier
# 20:45 jacky like if `draft` meant really anything to do with drafts but giving `draft:read` would be "you can only read draft posts"
# 20:46 jacky combining it with the `read draft` flow makes it more confusing and (tbh!) less specific
# 20:49 [schmarty] jacky: i've been thinking it would be nice if an auth server (or whoever was providing the consent screen) could ask the actual services expecting to consume that token what details to show to the user
# 20:50 jacky like their specific parlance for the use of each scope
# 20:51 [schmarty] (or even translated or expanded lists of things the user could opt into/out of! it blows up fast.)
# 20:52 [schmarty] one problem is that a client will not tell the auth server what endpoints they intend to use the token with afterwards. so the auth server would have to do discovery for each type of endpoint it is expected to protect.
# 20:55 jacky hm those could be hinted by the kind of scopes they'd use, no?
# 20:55 jacky like if they need a media endpoint, they'd have to send `media`
jamietanna and treora joined the channel
# 21:03 jamietanna haha jacky those, and the removal of padding, are the little gotchas I faced at the time I was doing my IndieAuth PKCE - definitely things we would need in a test suite (and maybe even to clarify / with more examples on the spec?)
# 21:04 GWG I am asking because I didn't think about it until jamietanna mentioned it in implementation
# 21:04 jamietanna > what endpoints they intend to use the token with afterwards
# 21:04 GWG I originally only thought about creating
# 21:04 jacky jamietanna: it's mentioned in the spec! I just saw 'base64' and kept going lol
# 21:05 jacky I think it's safe to think of it as mainly around post status (for now)
# 21:05 jacky like if they want to delete something it should be permitted via `delete`
# 21:05 jamietanna there's the resource URI stuff in OAuth that allows scoping tokens down to URIs, right?
# 21:05 jacky I _do_ think the concept of combinatory scopes can help to make that more granular though
# 21:05 jamietanna that's true, but even reading it, I think I didn't really get it until integration with apps
# 21:06 jacky I _think_ we can squeeze that on the wiki and if someone else comes along with an issue then bump it to the spec
# 21:07 jacky hm the wiki doesn't mention it (which makes sense - the spec is canonical)
kitt joined the channel
# 21:15 jamietanna I think the issue then is there are _tonnes_ of combinatory scopes to support and manage
# 21:15 jamietanna I'd prefer, at least in terms of `draft` for it to be quite sweeping across everything that's authorized
# 21:18 jamietanna If we went combinatory, we'd then want i.e. `update:media` or `update:post` right? Then the clients have to know which of the many scope options to request
# 21:19 jacky could even make it more granular for particular post types
# 21:24 GWG That is going to add to complexity though
# 21:30 jamietanna yeah, so I'd rather us not start on that - I've seen granular scopes can get quite awkward
# 21:32 jamietanna I'll write up an official reply shortly GWG, but the way my `draft` works is as a modifier over usual scopes
# 21:33 jamietanna so the usual CRUD scopes are required, then if draft is present, it modifies the scope of what they can do (pun not intended)
samwilson joined the channel
KartikPrabhu joined the channel
# 22:00 GWG jamietanna: That's the part I never considered, as my original thought was draft was in lieu of create/update
[tantek] joined the channel
btrem joined the channel