#dev 2021-04-21

2021-04-21 UTC

aaronpk
I quill has a secret easter egg to do that

aaronpk
well, secret markdown

aaronpk
html is officially supported
[kimberlyhirsh] and [tantek] joined the channel

[tantek]
secret markdown sounds like a members-only sale

@CharlieRoseMari
↩️ I don't have anything off the top of my head. I've been thinking about posting an article describing my ideas, and I guess I was using this thread to gauge interest, so I'll send you a webmention. :D
(twitter.com/_/status/1384683210819338242)
Loqi, IWSlackGateway, aaronpk, [tantek], doosboox3 and samwilson joined the channel

jamietanna[m]
Has anyone thought about making personal access tokens in their IndieAuth server? I.e. so we can test stuff locally without needing an OAuth2 flow? (not that that's a bad thing, but personal tokens simplify speed-to-test)
[grantcodes] joined the channel

[grantcodes]
@jamietanna I have one hardcoded token that doesn't expire which I use for automated things that I don't want to break. Might be bad security wise, but makes life easier 🤷

sknebel
I think the WP and Known endpoints have UI to add them, but not 100% sure

GWG
WP does

jamietanna[m]
grantcodes that's interesting. For my automated stuff I've gone for refresh tokens (also cause I wanted to implement it) but was thinking of PATs so I could do one-off things. Currently I'm using tokens-pls.herokuapp.com to get me a token, but would prefer something easier to get up and running with
Ruxton joined the channel
minoru_shiraeesh and [KevinMarks] joined the channel
[Rose] joined the channel

@Cambridgeport90
↩️ Mostly solving community and IndieWeb/Fediverse problems; creating clients for more of the newer W3C standards (webmention, ActivityPub, Micropub, and so on), of which we don't have enough.
(twitter.com/_/status/1384843380564271104)
[pfefferle] joined the channel

aaronpk
jamietanna[m]: I have a command line tool to generate an access token in my site for that purpose
[fluffy] and [Ana_Rodrigues] joined the channel

jamietanna[m]
That's fair aaronpk - guessing that's via an authorization flow?
alex11 joined the channel

aaronpk
No I run it on my server

aaronpk
it just inserts a token into the database

@tomlarkworthy
↩️ OK so here is a demo of using IndieAuth to boot a Firebase Auth session. Cool thing discovered is that Firebase sessions have their own refresh tokens so the short lived IndieAuth token becomes a long lived Firebase session. https://observablehq.com/@endpointservices/indieweb-login-for-firebase
(twitter.com/_/status/1384869028112576512)
[Murray], [tantek], [KevinMarks], [chrisaldrich] and shoesNsocks joined the channel

@kevinmarks
↩️ the 'who linked to me?' part of Technorati is what Webmentions do as an open system
(twitter.com/_/status/1384908287133593604)
[raph_l] joined the channel

[raph_l]
I posted the most detailed outline yet of the system I'm making--describing an upcoming alpha release: https://raphaelluckom.com/posts/some_decisions.html
KartikPrabhu and alex11 joined the channel

[tantek]
For those that use Signal for their indie comms or anyone wondering who cracks the crackers, you may find this entertaining: https://signal.org/blog/cellebrite-vulnerabilities/ (also, not advising placement of any such random files on your website which might be cached by browsers on mobile devices which then might be extracted / parsed by a Cellebrite device)
barnabywalters joined the channel

aaronpk
holy crap [tantek]

barnabywalters
ooh yes that’s what I was looking for

Loqi
barnabywalters: tantek left you a message on 2017-07-21 at 6:44pm UTC: image src seems to have died on your note with photo https://waterpigs.co.uk/notes/686/ found from https://indieweb.org/photo#Notes_with_photos_examples

Loqi
barnabywalters: [tantek] left you a message on 2018-12-19 at 3:00am UTC: your reply-contexts have subtly broken reply-to markup. E.g. https://waterpigs.co.uk/notes/4V2DjG/ which uses <div class="note-reply-context p-in-reply-to h-cite"><a class="u-url" rel="in-reply-to" href="… when it should be <div class="note-reply-context u-in-reply-to h-cite"><a class="u-url" href="…

jacky
I'm working on some IndieAuth stuff myself right now

jacky
had it open and everything :)

barnabywalters
I hadn’t gotten that far through the document yet :D these web standards documents are so tedious to parse

aaronpk
you might also enjoy a recent article i wrote

jacky
wait hold on

jacky
I'm reading that article now

aaronpk
it's only half the picture. the other half is coming soon

jacky
the placement of that bag is _way_ too timely lol

aaronpk
but it's written to be way easier to read than the spec

Loqi
[Aaron Parecki] How to Sign Users In with IndieAuth

[tantek]
whoa a wild barnabywalters appears!

barnabywalters
aaronpk: I suppose the missing half is the server part? my site works as both a client and server, so I have to get both parts up and running again

jacky
I'm guessing it's adding the PKCE bits?

[tantek]
aaronpk, re: that Signal blog post, certainly don't name any such file LT_REBEL_ICE.MPEG

barnabywalters
indeed! hi tantek! or is it [tantek]? what do the brackets do?

aaronpk
yeah this first post is from the client perspective

jacky
the brackets are for Slack

jacky
(for IRC users to know that the user is on Slack, that is)

aaronpk
square brackets are an allowed character in IRC names, the Slack bridge uses it to reduce the chance of conflicts with registered IRC nicks

barnabywalters
very clever

barnabywalters
oh man, I haven’t written any PHP for so long

barnabywalters
aaronpk: do you remember exactly what IndieAuth\Client::verifyIndieAuthCode did, and whether there’s a replacement for it in the latest version of the PHP indieauth-client?

barnabywalters
I can’t find anything similarly named, and the library doesn’t seem to have any documentation for how to implement token endpoints
minoru_shiraeesh joined the channel

aaronpk
that would have been renamed to exchangeAuthorizationCode

barnabywalters
that’s what I thought at first, but exchangeAuthorizationCode makes a POST request to the token endpoint, and I was using verifyIndieAuthCode in the code for my token endpoint

barnabywalters
so maybe I was using it wrong before?

aaronpk
ah right

aaronpk
that part got taken out of the indieauth client library because it's out of scope of something an indieauth client does

aaronpk
tho technically you can use the exchangeAuthorizationCode to do it still because the first parameter is the endpoint to send to

aaronpk
but generally yes the indieauth client library isn't meant to be used when building a token endpoint, even if some of the functions are useful for that

barnabywalters
okay, good to know
[snarfed], [aciccarello], shoesNsocks, [pfefferle], dckc and [jgmac1106] joined the channel

barnabywalters
hmmm it looks like token endpoints are now required to store some server-side state in order to function

aaronpk
how so?

barnabywalters
as the me parameter is no longer sent to the token endpoint, so it’s not possible to statelessly rediscover the authorization endpoint from the token endpoint to get the code verified

barnabywalters
so the token endpoint has to be able to associate the code parameter with a previous authentication attempt, right?

aaronpk
in practice there were only 2 implementations where that actually mattered, and both had other ways to deal with it

barnabywalters
okay, so I probably shouldn’t implement my own token endpoint, and should instead use https://tokens.indieauth.com/

aaronpk
other way around, you probably _should_ implement your own token endpoint so that you already know where the authorization codes were issued from
tomlarkworthy joined the channel

aaronpk
removing the "me" parameter from the token endpoint request means shared token endpoints need some other way to know how to validate the authorization code. it has no effect on single-user token endpoints since those would only ever be checking authorization codes from the one authorization endpoint

tomlarkworthy
I just wrote one in JS if that's interesting https://observablehq.com/@endpointservices/auth#token_endpoint

barnabywalters
I previously had my own token endpoint, which was receiving a me parameter along with a code (previously state) parameter, which it used to discover the auth endpoint associated with the me parameter, and would then call what is now exchangeAuthorizationCode in order to verify the code

jacky
poop, I can get my webauthn setup working with Safari on Big Sur and Touch ID but not with Firefox and Yubikey under elementaryOS

jacky
platforms-- lol

Loqi
platforms has -1 karma over the last year

tomlarkworthy
I use the code as the key into a KV store, so the V stores the me

barnabywalters
hmm okay, so I can at least temporarily fix the issue by assuming that only I will ever log into my site

barnabywalters
which isn’t really what I want, but will work for the moment

aaronpk
barnabywalters: if you're getting others to log in to your site, you never need a token endpoint

aaronpk
you wouldn't ever issue tokens for other users. you'd be acting as an indieauth client in that case.

barnabywalters
hmm true, because they’ll have defined their own token endpoint, right?

jacky
ideally

aaronpk
yep, but also you won't even be getting tokens from them, you'd just be validating their authorization code to get their profile info

barnabywalters
so in what case are shared token endpoints necessary?

aaronpk
running a service like tokens.indieauth.com

aaronpk
so, basically not necessary

aaronpk
and in that case i would rather do it like webmention.io which creates a new endpoint for each user

aaronpk
and that avoids the problem of the missing "me" parameter too

barnabywalters
hmm okay, so in my token endpoint implementation, I can just assume that the me parameter is always going to be the hostname of the site it’s on, because that endpoint will only ever be used by me

aaronpk
yep, in other words you already know the authorization endpoint because you're building both

aaronpk
and you don't need to make a POST request to the authorization endpoint if both endpoints share a database or other storage

barnabywalters
I’m not building the authorization endpoint, though, because I’m using indieauth.com for the actual authorization

barnabywalters
or am I getting all the endpoints mixed up?

barnabywalters
there are rather a lot of them

aaronpk
no that's fine. although at some point i'm going to be killing that off too

barnabywalters
killing off permanently, or replacing with indielogin.com?

aaronpk
this is the confusing part :)

aaronpk
indielogin.com has already taken over indieauth.com for the use of indieauth.com that is an oauth client

barnabywalters
tbh my site would probably be better off with a simple hard-coded password login, as I’m the only one using it

aaronpk
i still need to build a replacement for the other use of indieauth.com which is an oauth server

aaronpk
yeah for logging in to your own site it makes more sense to keep that local. indieauth is useful when you want to log in to micropub apps so they can post to your site, or log in to other peoples' sites

tomlarkworthy
I made a minimal endpoint that just positively authorizes for testing

barnabywalters
well originally I wanted to implement the full indieauth flow, partly to test it and partly so that other people could log into my site and see private content

barnabywalters
and also my note and article posting UIs work as micropub clients

aaronpk
so if you're asking people to log in to your site, then that article i wrote details those steps, and there's no token endpoints involved at all

barnabywalters
but realistically I don’t have any private content, and nobody uses my micropub clients, so I think I can safely turn off indieauth on my site

barnabywalters
under what circumstances does one need to implement a token endpoint then? when you want external micropub clients to be able to post to your site?

aaronpk
yep exactly

barnabywalters
hence why https://tokens.indieauth.com/ helps people “jump-start” micropub endpoints by outsourcing token creation?

barnabywalters
so it’s actually quite common that the token endpoint and the authorization endpoint would be on different servers and unable to share data? or is the current assumption that every personal site which supports micropub should implement its own authorization endpoint too?

barnabywalters
sorry for all the questions, I’m operating on five year old assumptions :D

aaronpk
i would love to see more implementations of indieauth overall yes, so i'm happy to get more personal sites to support it natively

aaronpk
but for the cases where you don't want that as part of your site, it is definitely still possible to outsource that

aaronpk
however, in that case, it makes more sense to outsource *both* endpoints at the same time

aaronpk
in other words, it's unlikely that the token endpoint and authorization endpoint would be separated, and even less likely that the token endpoint would not be tied to a specific authorization endpoint

barnabywalters
i.e. either you make the auth and token endpoints yourself, or you use indielogin.com + tokens.indieauth.com?

aaronpk
almost :)

aaronpk
make both endpoints yourself, or you outsource both (indieauth.com + tokens.indieauth.com) or you outsource authorization to indieauth.com and build your own token endpoint

barnabywalters
woo! auth is finally working again

barnabywalters
thanks for the help

Loqi
[Barnaby Walters] The wild hamsters are active again! Saw about 20 of them today. https://waterpigs.co.uk/img/2021-04-21-hamster.jpeg

jacky
so glad I got the nfc form of the yubikey

jacky
now I can really use my keys to sign in
[KevinMarks] and jjuran joined the channel