#dev 2021-04-18

2021-04-18 UTC
shoesNsocks, [tw2113_Slack_], shoesNsocks1, IWSlackGateway3, KartikPrabhu, ShadowKyogre, __minoru__shirae and [kimberlyhirsh] joined the channel; ShadowKyogre left the channel
#
@jaybearca https://jaybear.ca/14719/ How should I tell http://Brid.gy that this is actually wrong? My Webmention Endpoint is no longer at http://Webmention.io... Warning: your blog's current webmention endpoint is https://webmention.io/jaybear.ca/webmention. If you want Bridgy to handle ... (twitter.com/_/status/1383692924236431360)
#
@jaybearca https://jaybear.ca/14719/ How should I tell http://Brid.gy that this is actually wrong? My Webmention Endpoint is no longer at http://Webmention.io... Warning: your blog's current webmention endpoint is https://webmention.io/jaybear.ca/webmention. If you want Bridgy to handle ... (twitter.com/_/status/1383692924236431360)
tomlarkworthy joined the channel
#
tomlarkworthy my server will indieauth with micro.blog but not indieauth.com (403). I think I am doing PKCE flow, not sure if micro cares.
#
tomlarkworthy doesn;t make sense 403 is not even on the code path, must be something else... https://github.com/aaronpk/IndieAuth.com/blob/d642e1e0453c00a009f6b47d8d071fdc043bf418/controllers/verify.rb#L87
#
tomlarkworthy Hmmm. are google addresses blocked? I am sending request from a cloud run instance?
#
tomlarkworthy ok it was something dumb, apparently setting the Accept header to application/json messes something up in a strange way
dhanesh, ShadowKyogre and shoesNsocks joined the channel; ShadowKyogre left the channel
#
tomlarkworthy I am so close... "Status: 400 error=invalid_request&error_description=The+authorization+code+has+already+been+used" except have a double redirect somewhere...
__minoru__shirae joined the channel
#
tomlarkworthy OK this is related to some other weird stuff I had happening earlier. I end up sending a referrer but not an origin header and that trips some kinda of block which is the 403
#
tomlarkworthy then the 403 causes a retry and thats how I end up burning my one shot at a code exchange.
#
tomlarkworthy doing it using form params seems to work though!
#
tomlarkworthy I have successfully authenticated using IndieAuth from both IndieAuth.com and micro.blog, and I am sending PKCE code_challanges
#
tomlarkworthy Hmm, I don;t think indieAuth does the code challange either :/ So not sure that works yet
[KevinMarks], shoesNsocks and tomlarkworthy joined the channel
#
tomlarkworthy yeah nginx bounces curl 'https://indieauth.com/auth/verify_link.json?me=https%3A%2F%2Ftomlarkworthy.endpointservices.net%2F&profile=https%3A%2F%2Fgithub.com%2Ftomlarkworthy' -H 'referer: https://endpointservices.static.observableusercontent.com/' -v
#
tomlarkworthy but works if you include the origin header
#
tomlarkworthy which is also an issue on authorization_endpoint curl 'https://indieauth.com/auth' -X POST -H 'accept: application/json' -H 'referer: https://endpointservices.static.observableusercontent.com/'
#
tomlarkworthy thats a 403 forbidden, works if you include the origin
#
tomlarkworthy I will file an issue coz it prevents me using the json response
#
tomlarkworthy https://github.com/aaronpk/IndieAuth.com/issues/216 not that I am thinking its an important but good to characterize
#
Loqi [tomlarkworthy] #216 403 Forbidden if origin header not included for JSON autheorization_endpoint response
#
aaronpk well that's a weird one
#
jacky re: PKCE, IndieAuth and code verification methods, I'm guessing everyone's only implemented SHA256? Is there some sort of way to get a hint as to what methods an endpoint might support?
shoesNsocks joined the channel
#
tomlarkworthy maybe this? https://serverfault.com/questions/690540/getting-403-forbidden-w-referer-on-nginxpassenger
#
tomlarkworthy @jacky only two mentioned in https://tools.ietf.org/html/rfc7636 is 'plain' and 's256'
#
jacky nah this is like if I sent a code_challenge_method and code_challenge to an endpoint - how would it handle methods it doesn't recognize/support
#
jacky ah perfect, that's a hint to at _least_ support those
#
jacky definitely not supporting plain, lol
#
jacky thank you tomlarkworthy
#
tomlarkworthy I guess they set it up for extensions down the line but yeah, seems like S256 is the only real option
#
jacky and that's right on the page for https://indieweb.org/PKCE - should have checked there first
#
jacky yeah like I guess not including MD5 or SHA1 is sensible, lol, but I am curious about things like SHA224, 384 and 512
#
jacky granted, IIRC SHA384 === SHA512 and SHA224 === SHA256 (just truncated)
jamietanna joined the channel
#
jamietanna jacky we'd be able to see what folks' servers supported through https://github.com/indieweb/indieauth/issues/43
#
Loqi [aaronpk] #43 Consider using OAuth Server Metadata
#
jacky _yes_
#
jacky this is the thing I was trying to remember earlier when [schmarty] mentioned something re: IndieAuth and metadata via like scope URLs
#
tomlarkworthy @aaronpk I think this looks very close https://stackoverflow.com/questions/10509774/sinatra-and-rack-protection-setting
#
tomlarkworthy anyway, its not a big deal for me so I do not care if you ignore
#
jacky I think referrer is missing a 'r' in that example in your issue on GitHub, tomlarkworthy
#
sknebel no, the header is misspelled
#
jacky lmfao
#
tomlarkworthy famously so https://en.wikipedia.org/wiki/HTTP_referer
#
jacky wait seriously?! lol
[tw2113_Slack_] joined the channel
#
sknebel yes, seriously
#
jacky so now I wonder if frameworks or tools have been rewriting for me
#
tomlarkworthy yeah its hilarious but also a cause of problems coz I truly don;t know how to spell it anymore
#
jacky tomlarkworthy: lo
#
jacky *lol
#
jacky this is wild
#
jacky this happened because his spell checker didn't catch it
#
jacky sheesh
#
jacky today I learned lol
shoesNsocks joined the channel
#
tomlarkworthy OK, I think I have finished. It would be helpful to see if this if people can login using https://endpointservice.web.app/notebooks/@endpointservices/auth/deploys/authorization_endpoint/mods/X/secrets/endpointservices_secretadmin_service_account_key?client_id=https%3A%2F%2Fobservablehq.com%2F%40tomlarkworthy%2Fhowto-indieauth&redirect_uri=https%3A%2F%2Fobservablehq.com%2F%40tomlarkworthy%2Fhowto-indieauth&state=4IPgtARt&scope=
#
tomlarkworthy I would expect the very last redirect to fail to issue a token as the state param won't match, but as long as it properly uses your IndieAuth settings I am happy
KartikPrabhu joined the channel
#
jacky oh I completely forgot my new site doesn't expose anything
#
jacky not even a feed
#
jacky D:
#
jacky hmm tomlarkworthy I tried signing in using Gitlab and that failed
#
jacky https://endpointservice.web.app/notebooks/@endpointservices/auth/deploys/auth_start/mods/X?me=https%3A%2F%2Fv2.jacky.wtf%2F&provider=gitlab&profile=https%3A%2F%2Fgitlab.com%2Fjackyalcine&client_id=https://observablehq.com/@tomlarkworthy/howto-indieauth&state=NDcmkPm3&redirect_uri=https%3A%2F%2Fobservablehq.com%2F%40tomlarkworthy%2Fhowto-indieauth
[KevinMarks] and minoru_shiraeesh joined the channel
#
tomlarkworthy oh good one, I have the gitlab regex but not an oauth client on the backend for it :/ I should not be advertising suport for it...
#
tomlarkworthy fixed
#
jacky hm doesn't seem to work still
#
jacky when I click that link above
#
jacky oh maybe the state's no good
[Rose] joined the channel
#
jacky hm, I don't know how to get back to the original page/noteobook from here
#
jacky oh the link's above, lol
#
jacky nope, still fails
shoesNsocks, [jeremycherfas], GWG and marinin[t] joined the channel
#
tomlarkworthy yeah that link is not good for the state, it should work all the way if you start at https://observablehq.com/@tomlarkworthy/weblogin
#
tomlarkworthy but you have to select @endpointservices as the service provider
sumner, [scojjac] and shoesNsocks joined the channel