#dev 2021-03-11

2021-03-11 UTC
#
jacky
so I have a 'flow' for this device registration (basically shows a secret via a QR code on a screen and the device sends a signed message with the generated OTP secret and some other bits of identifying information back to the server)
#
jacky
but I'm wondering if there's a way for me to snuggle this into the token endpoint (since that's the place to verify tokens if they're still fresh/valid)
#
jacky
I know that the authorization endpoint in OAuth 2 can handle client registration - so I'm wondering if it's a better idea to do that there
#
jacky
I really think that I might end up refactoring the logic I have to follow something like https://tools.ietf.org/html/draft-ietf-oauth-par-06#section-1.1
#
jacky
because this is something that would actually help make it less 'hands-on'
#
jacky
my flow would require having the phone up to a screen to scan and then doing another check
#
jacky
but this could be either _just_ doing the scan to associate it to the device and it can handle the rest of the flow using the rest of the IndieAuth flow
shoesNsocks joined the channel
#
jacky
also _I strongly_ think this is something more providers need to have lol https://tools.ietf.org/html/rfc8414
shoesNsocks1 joined the channel
#
jacky
would love any kind of thoughts to ^
#
jacky
mainly because I'd want this to be something other people can potentially just patch into their endpoints (but obvs will provide as well)
[chrisaldrich] joined the channel
#
aaronpk
we talked about the metadata spec and decided that it didn't make sense to add to indieauth until we start adding more optional features that are actually important for the client to be able to know whether the server supports
#
jacky
that makes sense
#
jacky
it's not as complex as Micropub can be yet
[fluffy] joined the channel
#
aaronpk
hopefully ever heh
#
aaronpk
the fewer optional bits the better
#
aaronpk
quite a mess
#
jacky
oh wow yeah this is a lot louder than I expected
#
jacky
hmm okay but I see why this would be handy
#
jacky
helps clients re-adjust themselves
#
aaronpk
there's a few useful things for sure
#
aaronpk
and would for example enable delegating to an indieauth server with just one rel tag in your html instead of specifying both the auth and token endpoints as link rels
#
jacky
oh that's a nice bump tbh
#
jacky
wow yeah, I never thought about that
gxt joined the channel
#
aaronpk
but, of all the things in there, we only have one response type, only one response mode, one grant type (technically the server might support refresh tokens too but more on that later), no token endpoint auth methods, no claims, etc
#
aaronpk
there isn't really a need for the client to know whether refresh tokens are supported during this discovery phase, because the client will either get one or not by the time the flow finishes
#
jacky
I can see it being handy to help the client prep for refreshing (like I always wonder if this was known how the UX in something like Indigenous would be like)
#
jacky
but a singular endpoint with all of this info is _nice_
#
aaronpk
there's nothing the client can do differently before it starts the flow based on whether it knows refresh tokens will come back
#
aaronpk
but anyway, if there's specific things you think would be useful for the client to know ahead of time, we're collecting ideas here https://github.com/indieweb/indieauth/issues/43
#
Loqi
[aaronpk] #43 Consider using OAuth Server Metadata
#
jacky
oh perfect
shoesNsocks, anon_CWEJRrIS, nertzy, [tw2113_Slack_], [kiai], [asuh], [fluffy], treora, [Emma_Humphries], ShadowKyogre, shoesNsocks1, [grantcodes] and [Murray] joined the channel; ShadowKyogre left the channel
#
[Murray]
!tell jacky: in terms of using QR codes, is there an easy secondary mechanism? i.e. one that doesn't rely on the user having a cameraphone? Asking because a) I don't and b) the recent track'n'trace system in the UK has really highlighted how much I'm _not_ an outlier amongst my friends 😄 The number of people whose phones have broken cameras, fogged cameras, lack QR scanning, or seem to have everything yet fail to read QR codes has been quite
#
[Murray]
interesting. As a workflow, I still really like onscreen QR codes and this sounds great; it's a much better UX than most phone-auth methods. But I've also ended up in some ridiculous loops with customer service desks in the past because of them 😅
#
Loqi
Ok, I'll tell them that when I see them next
KartikPrabhu and ShadowKyogre joined the channel; ShadowKyogre left the channel
#
@foobartel
I finally found the time to update @sebastiangreger’s webmentions for Kirby 3 on my own site https://foobartel.com. It’s been a pretty smooth process, including the migration, and it seems that everything works… https://foobartel.com/tilrs/webmentions
(twitter.com/_/status/1369981610649587718)
kiero, ShadowKyogre, oenone_, rhiaro_, sknebel_, alex11, Saphire and sknebel joined the channel; ShadowKyogre left the channel
[KevinMarks], ShadowKyogre, [schmarty], nertzy, [scojjac], NinjaTrappeur, KartikPrabhu, [Zephyr], nickodd and [snarfed] joined the channel; ShadowKyogre left the channel
#
@raymondcamden
I wrote an article talking about comments, and webmentions, for the Jamstack - hope it's helpful! https://snipcart.com/blog/jamstack-static-site-comments
(twitter.com/_/status/1370057696066596866)
[jacky] joined the channel
#
[jacky]
[Murray] yeah! The current implementation actually has you enter a code to match what you see on the screen. It's a bit tricky at that part of the initial pairing flow because neither the server nor client can be trusted
#
Loqi
[jacky]: [Murray] left you a message 7 hours, 23 minutes ago: in terms of using QR codes, is there an easy secondary mechanism? i.e. one that doesn't rely on the user having a cameraphone? Asking because a) I don't and b) the recent track'n'trace system in the UK has really highlighted how much I'm _not_ an outlier amongst my friends 😄 The number of people whose phones have broken cameras, fogged cameras, lack QR scanning, or seem to have everything yet fail to read QR codes has been quite
#
[jacky]
I want to avoid SMS as much as possible (like unless someone starts offering to pay for Fortress because SMS can get expensive fast) especially because I don't want to encourage it as a medium for authorization
alex11, ShadowKyogre and [Murray] joined the channel
#
[Murray]
oh cool, yeah a combination of either QR code or just input code is a really great experience imo, fits whatever is simplest at that moment :thumbsup: sounds great!
[tw2113_Slack_], [KevinMarks] and ShadowKyogre joined the channel; ShadowKyogre left the channel
#
@razbone
hosted service created to easily receive webmentions on any web page https://webmention.io/
(twitter.com/_/status/1370066563026579456)
[Emma_Humphries], gRegorLove, [Ana_Rodrigues], maxwelljoslyn, ShadowKyogre, [kiai], [chrisaldrich] and hoschi joined the channel; ShadowKyogre left the channel
#
@moellus
TIL "Webmention is an update/replacement for Pingback or Trackback." #webmention
(twitter.com/_/status/1370099792450355200)
nickodd left the channel
#
@arcatech
Adding webmention support to my website...
(twitter.com/_/status/1370110429758947335)
ShadowKyogre, [jeremycherfas], [chrisaldrich], [tantek] and [KevinMarks] joined the channel; ShadowKyogre left the channel
#
@MarcLittlemore
↩️ I'll write up a how-to guide on adding Webmentions at the weekend. If you want to see the code in the meantime then it's on GitHub here: https://github.com/MarcL/marclittlemore.com/blob/main/src/_data/webmentions.js
(twitter.com/_/status/1370132335518216193)
#
@MarcLittlemore
I've finished my "daily" (almost!) writing challenge so I'm back to some evening coding. I decided to look at adding Webmentions to my @eleven_ty site. I'm not displaying all of the data yet as I wanted to restyle the site a bit. See it here: https://www.marclittlemore.com/youve-got-this-become-a-confident-developer/
(twitter.com/_/status/1370132127359074306)
#
@MarcLittlemore
↩️ Nice! I’ve read about webmentions quite a bit and meant to look at implementing them. I’ve only added a basic build time step so they’ll only be as current as the last build. I’ll look at adding a client side data pull too but wanted to update the styling a bit first.
(twitter.com/_/status/1370136518279450626)
[jeremyfelt], ShadowKyogre, [snarfed], [schmarty] and [tw2113_Slack_] joined the channel; ShadowKyogre left the channel