#dev 2021-06-07

2021-06-07 UTC
jjuran, rrix, gerben, gRegor, [tantek], capjamesg and hendursa1 joined the channel
#
capjamesg
What is rss?
#
Loqi
RSS is a set of XML feed file formats of varying degrees of use for syndicating time-stamped content from web sites, and sometimes used to refer more broadly to feed file formats as a whole including Atom, or even more broadly in vernacular as a synonym for feed file or even feeds or syndication as a concept https://indieweb.org/RSS
hendursa1 and mikeputnam joined the channel
hendursaga, barnaby, [tw2113_Slack_], reed, [KevinMarks], calebjasik, batkin[m], Abhas[m], nekr0z, [tantek], capjamesg and shoesNsocks joined the channel
#
GWG
barnaby: I would love to read your library for improvement ideas, although I have already implemented in php for WordPress
chenghiz_, capjamesg, gRegor, [jgmac1106], [schmarty], [kimberlyhirsh], [jacky] and jujudario joined the channel
#
gRegor
I'm working on IndieAuth server for ProcessWire and was wondering what people thought about the flow when the person isn't logged in to the CMS yet. Should I combine the login + consent in one screen? Or prompt for login like normal, then follow that with the consent screen?
#
gRegor
I'm leaning towards the latter
#
sknebel
That is afaik the more common pattern
[jeremycherfas] joined the channel
#
sknebel
Two simpler screens
#
gRegor
Yeah, seems it would make it less likely for people to gloss over the permissions they're granting that way. Easier for me to implement, too. :)
#
sknebel
(also makes integrating 2FA etc easier likely)
#
barnaby
agreed, split them into two stages
#
Zegnat
I would also split it up. In part because of what sknebel mentioned with 2FA. But also because maybe the CMS can have other plugins modify the login flow behaviour and you should not be getting in the way of that
#
barnaby
good point. also, it’s not inconceivable that the options displayed on the consent screen might be different for different users
#
Zegnat
Here is another one: some password managers might remember checkbox states etc and auto-fill those when filling in passwords. This could potentially really mess up consent screens
KartikPrabhu joined the channel
#
barnaby
what is authorization endpoint
#
Loqi
An authorization endpoint is an HTTP endpoint that micropub and IndieAuth clients can use to identify a user or obtain an authorization code (which is then later exchanged for an access token) to be able to post to their website https://indieweb.org/authorization-endpoint
#
barnaby
^^^ this all definitely belongs somewhere here
#
gRegor
what is consent screen
#
Loqi
consent screen is the page you see during an OAuth flow that asks whether you want to allow the application you're logging in to to be able to access the data it's requesting https://indieweb.org/consent_screen
#
gRegor
Thanks for confirming my suspicions, all. Will keep them separate
#
barnaby
oh cool, I’d not seen that page. great to have a collection of UI examples
#
gRegor
yeah it's been helpful!
[tantek], [tw2113_Slack_], KartikPrabhu, capjamesg, reed, batkin[m] and jamietanna joined the channel
#
jamietanna
Zegnat re "1 hour" = "shortlived", I've worked with APIs with a much smaller lifetime. And I guess going to refresh straight away if the token isn't used often can make sense
#
jamietanna
I'm sure I saw a popular client recently looking at refresh_tokens - maybe Indigenous for Android?
#
jamietanna
nope it wasn't hmm
reed, calebjasik, Abhas[m], batkin[m] and nekr0z joined the channel
#
jamietanna
do many servers support expiring tokens? I think not
[jacky] joined the channel
#
[jacky]
My old site did passively and I'm carrying that functionality into Sele
#
jamietanna
expiry? awesome
#
[jacky]
yeah - I felt like it's handy to have to also encourage token hygiene
#
GWG
I still need to add the expiry interface to mine
[chrisaldrich] and [kimberlyhirsh] joined the channel