#dev 2021-04-14

2021-04-14 UTC
astralbijection joined the channel
# 00:04 
[raph_l] I might be misunderstanding something, but i'm imagining a flow where:
# 00:04 
[raph_l] 1. I get redirected to my auth endpoint from the requesting app
# 00:04 
[raph_l] 3. I get redirected to the consent screen
# 00:04 
[raph_l] 2. I sign in, or my auth endpoint sees that I'm already signed in
# 00:04 
[raph_l] and it's step 3 you're thinking about
# 00:05 
jacky it's a mix of step 2 and 3 - the tool I have (Sele) doesn't have a means of 'confirming' the identity of the user signing in
# 00:05 
jacky so what I've done right now is store requests internally as unapproved
# 00:05 
jacky I was thinking about having another endpoint that pushes state changes for requests so when the client attempts to redeem the code, it'll eventually approve it
# 00:06 
jacky there's an error state 'authorization_pending' that could be used here
# 00:06 
jacky but it's conventionally used in the OAuth2 Device flow (IIRC)
# 00:07 
jacky wants this endpoint to be a bit of a backing service for a IndieAuth provider and also something people can use to run on their own
# 00:07 
[raph_l] I'm finding "sele + auth/ software / oauth" unexpectedly hard to google
# 00:08 
jacky ooof sorry hold on
# 00:08 
jacky https://git.jacky.wtf/indieweb/sele is the project
# 00:09 
jacky I'm following https://indieauth.spec.indieweb.org/ + https://oauth.net/2/device-flow/ (namely https://developer.okta.com/blog/2019/02/19/add-oauth-device-flow-to-any-server)
# 00:17 
[raph_l] interesting, I haven't looked at device flow before
[tantek] joined the channel
# 00:22 
[tantek] Was this already shared here? https://blog.steren.fr/2020/my-stack-will-outlive-yours/ feels very IndieWeb
__minoru__shirae joined the channel
# 00:42 
aaronpk i just logged in to iA Writer on my mac and discovered a minor UX thing I need to change on my indieauth server
# 00:43 
aaronpk because the "redirect" back to the app launches the app, the browser is just left there on the consent screen
# 00:43 
aaronpk so ideally I'd use some javascript to watch for the button press on "authorize" and then clear out that screen to show a message like "great, you'll be taken back to the app" before actually doing that redirect
[tw2113_Slack_], GWG, paramdeo and shoesNsocks joined the channel
# 01:22 
maxwelljoslyn test
maxwelljoslyn joined the channel
# 01:22 
maxwelljoslyn Oh no. meetable does not support <s>
# 01:23 
aaronpk oops! it should support <strike> tho
paramdeo and astralbijectio joined the channel
# 02:46 
astralbijectio I'm having a little bit of a design dillema with my website right now
# 02:47 
astralbijectio Essentially, I have articles, but not notes, and I want to add a note functionality that can be POSSE'd to places like Twitter
# 02:47 
aaronpk a note is just an article with no title
# 02:48 
KartikPrabhu   "just"
# 02:48 
aaronpk :D
# 02:48 
astralbijectio Well, that part isn't too hard, but the POSSEing is the slightly bigger issue lol
# 02:49 
KartikPrabhu you can use Bridgy publish to POSSE to twitter
# 02:49 
KartikPrabhu that is what I do
# 02:49 
astralbijectio Well, it's a static site that stores its stuff in the filesystem
# 02:50 
astralbijectio But there's also an API that backs its comments and a few other things
# 02:50 
KartikPrabhu you can use Bridgy publish as long as you have a URL for the note
# 02:50 
KartikPrabhu it is semi-manual POSSE
# 02:51 
astralbijectio Well, I could do that, but I'm trying to do it automatically ;)
# 02:51 
astralbijectio with my own code
# 02:51 
KartikPrabhu ok so the issue is automatic POSSE not notes
# 02:51 
astralbijectio yeah, pretty much
[snarfed] joined the channel
# 02:51 
[snarfed] bridgy publish can be fully automatic. https://brid.gy/about#webmentions
# 02:51 
astralbijectio My idea was kinda like having a package-lock, except for notes
# 02:52 
astralbijectio and having my ssg edit and commit that file
# 02:58 
astralbijectio Hmm, maybe I could use bridgy, though I'm kinda wanting to make a DIY solution
# 03:01 
KartikPrabhu you can start by doing it manually, and then build up from there
[Joshua_Sim] and [KevinMarks] joined the channel
# 03:28 
[KevinMarks] you can send them through to twitter if you have an api key
# 03:29 
[KevinMarks] I have a node project that does it on glitch https://glitch.com/edit/#!/it-me-web
# 03:45 
astralbijectio Honestly, at this point, I'm starting to wonder if it's even worth having my site be static anymore lol
# 03:46 
astralbijectio It seems like there's a lot of conflicting stuff that I want, I may need to think about it a bit more
# 03:49 
astralbijectio Like, I want to code my own dynamic functionality, yet I also want a static site so that it loads quickly, but then I also want to store everything in a git repo as plaintext rather than a database
# 03:51 
astralbijectio And then, I also don't want to switch away from React because I have 7k lines of that now, but it takes a bit of time to build statically
sknebel joined the channel
# 04:13 
aaronpk we really need some more indieauth servers!
# 04:16 
aaronpk also wooooow it's kind of magical to publish to my website from iA Writer
# 04:23 
aaronpk alright step 1
# 04:23 
aaronpk is done
# 04:23 
aaronpk https://aaronparecki.com/2021/04/13/26/indieauth
# 04:23 
Loqi [Aaron Parecki] How to Sign Users In with IndieAuth
# 04:23 
aaronpk next up is the other half: how to build an indieauth provider
# 04:23 
GWG aaronpk: I wrote one. I even won a free book.
# 04:23 
aaronpk GWG++
# 04:23 
Loqi GWG has 16 karma in this channel over the last year (129 in all channels)
# 04:26 
GWG aaronpk: Provider being?
# 04:27 
GWG I understand client and server, where is provider?
# 05:01 
aaronpk Do you mean I didn't define provider?
# 05:03 
GWG aaronpk: Did you and I missed it?
[jeremycherfas] joined the channel
# 05:16 
aaronpk I was trying to understand the question
# 05:17 
aaronpk "provider" is hinted at, but maybe not explicit, in the intro section. I can try to rephrase it tho
peterrother, stacktrust_, ludovicchabant, themaxdavitt, jbove, __minoru__shirae, [grantcodes], [Rose], [KevinMarks] and tomlarkworthy joined the channel
# 11:36 
tomlarkworthy OK first round of building my auth server is complete: https://observablehq.com/@endpointservices/auth. it can issue IndieAuth compliant tokens
# 11:37 
tomlarkworthy only supports github though, does not scan for authoerization_endpoint so its not more relmeauth than indieauth ATM
# 11:38 
tomlarkworthy I look at indieauth implementation and I see GPG challange keys, this is outside of indieauth spec. To support indie auth "all" I need to do is scan for user supplied authoerization endpoints
# 11:54 
tomlarkworthy So I think adding indie auth is not so hard now, I do need login with google though, any ideas how I might do that? If its a well known provider like google I think I can scan its for backlinks even thoguh they are not annotated correctly
# 12:26 
beko wow. still wrapping my head around this but I spotted a fun typo tomlarkworthy that for some reason made me laugh: "configurured"
# 12:27 
beko there are more but I really like the guru one :)
__minoru__shirae joined the channel
# 12:50 
tomlarkworthy Ahh yeah, there is no spell check on Observable its very annoying. Even the code controls manage to suppress the browser one somehow.
# 12:51 
beko happens all the time to me :)
# 12:52 
tomlarkworthy Its a bit manual but someone else made a spell checker I will run it over it https://observablehq.com/@mootari/typo
# 12:52 
tomlarkworthy though the prose is definately not finished I would like to cross reference the spec better
# 12:57 
tomlarkworthy (spell checked now, sorry about that)
[tantek], [Rose], [KevinMarks] and __minoru__shirae joined the channel
# 14:53 
[tantek] yesterday in XKCD 927. devs, if you find yourself saying "I'm working on a platform that leverages all the above in their various capacities under one platform", no you're not, you're having a delusion of grandeur. Step back and build something useful to yourself today.
[Murray] and [snarfed] joined the channel
# 15:58 
[snarfed] tantek++
# 15:58 
Loqi tantek has 20 karma in this channel over the last year (77 in all channels)
[Rose], gbmor, [KevinMarks] and dansup joined the channel
# 17:10 
jacky okay so I did figure out the thing I wanted yesterday
[schmarty] joined the channel
# 17:11 
[schmarty] jacky: indieauth provider without a UI??
# 17:11 
jacky going to have a PSK be a 'master' key to allow for initial bootstrapping and then attach 'devices' using the device flow that require a particular scope
# 17:11 
jacky [schmarty]: lol kinda but it'll require a bit of cURLing
# 17:12 
jacky which I think is okay for something like this (like I can also look into making a CLI tool to go with it)
[tw2113_Slack_] joined the channel
# 17:25 
[tantek] jacky, as much as I feel dumb for suggesting this (folks hopefully already know I'm not that afraid of appearing dumb), would 'primary' or 'start' key convey the same meaning that you're looking for?
# 17:34 
jacky I can see the term 'primary' key being used
# 17:34 
jacky it's truthfully an API key that has like super 'admin' privileges (the ability to grant devices access to manipulate other auth requests, for example)
[Ana_Rodrigues] joined the channel
# 18:14 
jacky lol the last step in https://aaronparecki.com/2021/04/13/26/indieauth is what I'm trying not to do
# 18:15 
Loqi [Aaron Parecki] How to Sign Users In with IndieAuth
[jgmac1106] and tomlarkworthy joined the channel
# 18:32 
tomlarkworthy is code_challenge manditory? The spec does not have it https://www.w3.org/TR/indieauth/#authorization-response
# 18:33 
tomlarkworthy Oh WTF THERE ARE 2 SPECS https://indieauth.spec.indieweb.org/#authorization-request
# 18:35 
tomlarkworthy PKCE is mandatory, that seems a little excessive
# 18:41 
tomlarkworthy ok well it is what it is, probably a good idea too
# 18:41 
tomlarkworthy not so good having two specs floating around coz I jsut google for "IndieAuth spec" and get an out dated document
# 18:43 
tomlarkworthy ok here is what I should be reading https://aaronparecki.com/2020/12/03/1/indieauth-2020
# 18:43 
GWG tomlarkworthy: You are looking at the original versus current
# 18:43 
Loqi [Aaron Parecki] IndieAuth Spec Updates 2020
# 18:43 
GWG The W3C version was superseded by the latest revision
# 18:43 
GWG We had a two part meeting
# 18:43 
GWG It was recorded if you want to watch it
gRegorLove joined the channel
# 18:48 
tomlarkworthy actually that spec update doc is great, they are good upgrades, I have never implemented PKCE so that will be fin!
# 18:48 
tomlarkworthy fun
# 18:49 
GWG tomlarkworthy: Have you subscribed to the issue tracker?
# 18:49 
GWG https://github.com/indieweb/indieauth
# 18:49 
GWG We have a place to discuss issues on the spec
# 18:50 
Loqi [indieweb] indieauth: IndieAuth Specification
# 19:03 
[tantek] aaronpk, would be interesting for you to ask, e.g. in the # social channel, how can the Social CG update the W3C IndieAuth note with the latest revision
# 19:03 
[tantek] might be something we can ask W3C staff to do
__minoru__shirae and [schmarty] joined the channel
# 19:39 
tomlarkworthy I have now, thanks
# 19:39 
tomlarkworthy GWG++
# 19:39 
Loqi GWG has 17 karma in this channel over the last year (130 in all channels)
[KevinMarks], [aciccarello], koddsson, [fluffy] and [Jeff_Hawkins] joined the channel
# 22:37 
jacky now I have to think up how to design a consent screen for this flow, lol
# 22:37 
jacky the self-hosted, single-user flow
# 22:37 
jacky this flow == the one outlined by Sele (being a 'headless' IndieAuth server)
KartikPrabhu joined the channel
# 23:33 
jacky this is all I have lol https://roan-bedecked-chungkingosaurus.glitch.me/
# 23:33 
jacky I think it's a good start