#dev 2021-04-15

2021-04-15 UTC
[tw2113_Slack_], deltab, [tantek], Kaja, saptaks, enpo, shoesNsocks, koddsson, jjuran, [snarfed], Seirdy, __minoru__shirae, KartikPrabhu and jeremy joined the channel
#
@dannysteenman
↩️ Well good that you ask, one thing that I would really like to see is webmentions! https://hashnode.com/post/web-mentions-support-for-blogs-ckcwxgmtt00fd7ss1fnv60nw6
(twitter.com/_/status/1382583552517242880)
[KevinMarks], KartikPrabhu, [tantek] and __minoru__shirae joined the channel
#
@fakebaldur
“How to Sign Users In with IndieAuth • Aaron Parecki” I really like IndieAuth as a tech (basically a more manageable profile of OAuth) but suspect that it has little appeal outside of indieblogger circles. https://aaronparecki.com/2021/04/13/26/indieauth
(twitter.com/_/status/1382636985697718272)
deathrow1 joined the channel
#
@tomlarkworthy
I am working on an MIT licensed federated auth server using this beautiful technology https://aaronparecki.com/2021/04/13/26/indieauth HOSTED ON @observablehq !!!!! it will issue Firebase compatible tokens so can be used as drop in replacement for Firebase Auth (which stores personal data in US).
(twitter.com/_/status/1382659902024392707)
deathrow1 and [schmarty] joined the channel
#
[schmarty]
looks like felixplesoianu is felix-ing again 🙄
[KevinMarks] joined the channel
#
[KevinMarks]
ah, he's blocked me now
[tw2113_Slack_], __minoru__shirae, JankyDoodle and tomlarkworthy joined the channel
#
tomlarkworthy
I am trying to test my IndieAuth client, I need an authorization_endpoint I can test against
#
tomlarkworthy
ok https://micro.blog/ is possible
#
tomlarkworthy
Start the clock 10 days to get it working on the free trial!
#
tomlarkworthy
BTW, if anyone wants to see me livecode Firebase on Observable there is a Twitch in 45 mins https://www.meetup.com/observablehq/events/277449472
#
tomlarkworthy
My overall goal is to deFAANG Firebase by swapping the Auth system with IndieAuth so Google never actually sees emails directly.
[Ana_Rodrigues], ShadowKyogre and [manton] joined the channel; ShadowKyogre left the channel
#
[manton]
I think IndieAuth will continue to work in Micro.blog even after the 10-day trial, it just won’t let you create a post. 🙂 But let me know and I’m happy to extend it.
#
GWG
tomlarkworthy: You could spin up a WordPress instance and use the IndieAuth plugin as well
#
[schmarty]
thinking about adding a new HTTP header response to my sites today https://plausible.io/blog/google-floc
#
superkuh
Good idea. Added. See, curl -I superkuh.com
#
superkuh
Oh, two :, gotta fix that.
#
superkuh
Okay, fixed.
koddsson, shoesNsocks1, shoesNsocks, sumner, [chrisaldrich], JankyDoodle, [jgmac1106], [tantek], KartikPrabhu, tru-is and ShadowKyogre joined the channel
#
jacky
this is what my consent screen for Sele looks like now blob:https://imgur.com/ac31ed9a-37bd-4b8c-badf-4de01c85b63c
ShadowKyogre left the channel
#
jacky
here's what it looks like on mobile https://i.imgur.com/hZY9r7t.png
#
jacky
I think I should move that info panel to the top on mobile
[schmarty] joined the channel
#
[schmarty]
there are so many interesting concepts in this screenshot 😄
#
[schmarty]
"This app is in a list you're watching" - what does it mean to watch a (list of) app(s)?
#
jacky
lol so that's something I've been thinking about in the back of my head
#
jacky
like pulling `generator` info from one's feeds to see what apps people tend to post with
#
jacky
it's like a personal thing for 'app discovery' that I wanted to do
[pfefferle] joined the channel
#
jacky
the one thing that's a bit annoying is that I can't comfortably _link_ scopes to a page to explain more about them
#
jacky
tbh, that should be up to the client to explain what they might do with their scopes
#
jamietanna[m]
Jacky true, but also it's up to the IndieAuth/authorization server to explain what the scopes mean to them as the server issuing them?
[jeremycherfas] joined the channel
#
[schmarty]
honestly the IndieAuth / authorization server is like the one place that doesn't necessarily need to know what scopes mean
#
jacky
jamietanna[m]: that's true (to a degree for me, I think unfamiliar / unrecognized ones should be either ignored silently or dropped [in a strict mode])
#
jacky
[schmarty]: I _think_ I agree b/c it doesn't actually _know_
#
jacky
but I think it's still okay for it to give a 'general' sense
#
[schmarty]
scopes are an agreement between the client and the server that actually handles the authorized request
marinin[t] joined the channel
#
marinin[t]
good evening everyone
#
jacky
bet - that's enough for me to punt that to the client to explain tbh
#
jacky
evening, mattl
#
jacky
marinin[t]: evening
#
jacky
my fault mattl lol
#
[schmarty]
i don't think there's currently a way for an IndieAuth authorization or token server to actually know where an issued token can be expected to be used.
__minoru__shirae joined the channel
#
aaronpk
sounds like OAuth Resource Indicators
#
[schmarty]
(like: does your IndieAuth endpoint know that you have a micropub endpoint? a micropub media endpoint? a microsub endpoint? does it even need to?)
[tantek] joined the channel
#
aaronpk
as i'm going deeper into more of the OAuth specs, and also trying to rebuild everything in GNAP, i'm realizing that a lot of the problems and questions like this we have in IndieAuth have some overlap with other communities too, sometimes with already existing solutions
#
[schmarty]
to be clear i am not advocating for "solving" this at an auth server at the moment. so far the answers to my questions above have been "human coordination" and implementations have done well with that, haha. 😂
#
jacky
looks up GNAP
#
jacky
[schmarty]: but this is a good line of questioning
#
jacky
lol this sentence "Concepts from OAuth 2, OIDC, PKCE, UMA, CIBA, OBUK, FAPI, [...]"
#
jacky
the NASCAR of authz/authn
#
[schmarty]
tentatively looking at https://tools.ietf.org/html/rfc8707 to learn about resource indicators for oauth 2.0
#
jacky
waits for the oauth.net link of that RFC
#
jacky
for now, I'll just not add this :)
#
jacky
because I'd love to link to something with more info (and maybe even sniff it out using MF2)
#
aaronpk
is glad oauth.net was the first result for GNAP :)
ShadowKyogre joined the channel
#
jacky
ha yeah I suffixed it with 'oauth2' and it came up
[KevinMarks] joined the channel; ShadowKyogre left the channel
#
[schmarty]
ok finished up. Resource Indicators is kind of neat from a "where should this token be accepted?" perspective. however this spec doesn't contain anything that would enable those resources to define what scopes are possible or allowed or what they mean.
#
jacky
needs to check out that spec
#
jacky
b/c now I wonder if it's possible to have some sort of descriptor link in a resource indicator
#
jacky
ooh this is like literally saying "I want to do $SCOPE[] with $RESOURCE[]"
#
jacky
tbh that can kinda address the thing you were mentioning [schmarty]
#
jacky
like if one of the resources is someone's micropub endpoint (and media) then it could be a stricter validation for things like `media` or `create|delete|update`
#
jacky
(as in using link-rel verification to confirm that those resources exist / are valid to the `me` associated with this token)
[chrisaldrich], ShadowKyogre, [aciccarello] and shoesNsocks joined the channel
#
[schmarty]
jacky: it could! but that would be some new spec where the auth server is discovering the endpoints it is allowed to make tokens for and then further discovering what scopes they support, etc.
#
[schmarty]
the resource indicators RFC supposes that all that is possible but doesn't give any mechanisms for doing it.
marinin[t] and [Rose] joined the channel
#
marinin[t]
hoping that I had not spammed webmention.rocks too much
#
marinin[t]
22/23 tests are passing 🎉
#
[schmarty]
marinin[t]: congrats!!
#
marinin[t]
aaand the last test requires quite a bit of refactoring :)
sebbu joined the channel
#
aaronpk
webmention.rocks is there to be spammed!
#
aaronpk
moving from the main channel...
#
aaronpk
that feed tricks post has a lot of things in common with issues i’ve run into with activitypub
#
[aciccarello]
[jacky] FYI, I found that article you added to RSS under https://indieweb.org/feed#Criticism
[tantek] and prof_milki joined the channel
#
prof_milki
https://stackoverflow.com/questions/67117315/micropub-api-not-tied-to-specific-token-endpoint - Somewhat artificial question, since it's difficult to ask for basics when the spec covers most everything already. Also to create the tags on SO (indieauth/micropub somewhat underrepresented there).