#dev 2021-06-21

2021-06-21 UTC
# 00:32 
astralbijection[ okay, so after much effort it seems that building off of the oauth2 framework is more effort than it's worth
# 00:32 
astralbijection[ it's hard to inject me= into everything
# 00:34 
astralbijection[ as an introvert, this is doubly true
samwilson, jeremy, KartikPrabhu, [tantek], cambridgeport904 and capjamesg joined the channel
# 06:47 
Zegnat We made `me` optional (almost) at the same time as response_type=id was dropped. Also to make it more compatible with standard OAuth2.
# 06:47 
Zegnat Do you need a me parameter for your implementation, astralbijection[?
# 06:48 
Zegnat There was a long discussion about this, and in the end, me was made optional: https://github.com/indieweb/indieauth/issues/19
# 06:49 
Loqi [00dani] #19 Allow the 'me' parameter to authorization endpoints to be omitted?
pepperoni joined the channel
# 07:05 
Zegnat astralbijection[: what guide/documentation were you following that pointed you at response_type=id and the me parameter? I am wondering if there is something that we can update as the community to reflect the modern IndieAuth spec
hendursa1, [Murray], IWSlackGateway, [KevinMarks], [tantek] and pepperoni joined the channel
# 13:10 
astralbijection[ <Zegnat "astralbijection: what guide/docu"> I followed the spec on w3 (https://www.w3.org/TR/indieauth/#authentication-request) as well as the guide on the wiki (https://indieweb.org/authorization-endpoint#Request)
# 13:12 
Zegnat Hmm. Yeah, I see now that we have let the wiki pages go quite stale. We should at least add some sort of warning there that the spec is newer than the wiki page.
# 13:13 
Zegnat I do not know if we can do anything about the W3C Note. The live spec is where that Note links to as the latest editor’s draft: https://indieauth.spec.indieweb.org/
# 13:13 
Zegnat There have been a bunch of changes since the publication of the 2018 W3C note: https://indieauth.spec.indieweb.org/#changes-from-09-august-2020-to-26-september-2020-li-2
# 13:22 
Zegnat https://indieweb.org/authorization-endpoint#Creating_an_Authorization_Endpoint so, hopefully that eliviates some confusion. I do not have time to do a rewrite of the guide itself right now ...
chenghiz_, justBull, pepperoni, [KevinMarks], [Murray], hendursaga, IWSlackGateway, capjamesg and [tantek] joined the channel
# 17:05 
[tantek] Once the spec is updated to include things discussed on the wiki, the wiki should *link* to that section of the spec, instead of putting in "some sort of warning"
# 17:05 
[tantek] Like if you're going to take the effort to put in a warning, it's not much more work (and A LOT more useful to everyone reading) to instead link to section of the spec
[fluffy], [tw2113_Slack_] and pepperoni_ joined the channel
# 17:46 
Zegnat I am happy to update the wiki page when I have more headspace for it. But I am happy to call out to people who may be doing their implementation based on the wiki that it is a number of updates behind on the actual living standard for now. (So much so that a request made in accordance with the wiki may not even be accepted by an auth endpoint anymore...)
pepperoni_ joined the channel
# 18:31 
[tantek] that sounds like potentially harmful content that should be removed
# 18:34 
aaronpk the wiki content is meant to be an implementation guide, covering the topic from the point of view of individual roles, and potentially including things that aren't in the spec as well, such as methods of user authentication at the authorization server
# 18:34 
aaronpk where the spec has a single section describing the interaction at the authorization endpoint, the wiki content is meant to be written separately from the point of view of the app as well as from the AS
# 18:46 
[tantek] ok that makes sense
# 18:46 
[tantek] that may be worth putting in a "About this page" or something section on the page
# 18:50 
aaronpk 👍
shoesNsocks and shoesNsocks1 joined the channel
# 19:09 
[tantek] GWG, as someone who is a fan of weather and displaying weather information, thought you might appreciate this design approach to displaying temperature, perhaps for your archive pages for ranges of days / months / years: https://showyourstripes.info/
# 19:10 
[tantek] it reminds me of Dopplr's upcoming trips color bars, one segment per destination city
rockorager joined the channel
# 20:11 
GWG [tantek]: I have not gotten to temperature archives yet. Making a note
# 20:23 
[tantek] GWG, cool (so to speak). Was unsure where to collect that design example
# 20:23 
[tantek] what is temperature
# 20:23 
Loqi It looks like we don't have a page for "temperature" yet. Would you like to create it? (Or just say "temperature is ____", a sentence describing the term)
# 20:23 
[tantek] ^ GWG
[chrisaldrich] joined the channel
# 21:02 
GWG Temperature is a measurement of hot or cold that is often a property of posts to convey conditions at the time of posting.
# 21:03 
GWG What is weather?
# 21:03 
Loqi Weather is the state of the atmosphere at a place and time as regards heat, dryness, sunshine, wind, rain, etc https://indieweb.org/weather
# 21:03 
GWG Maybe it should be there
deeden joined the channel
# 21:34 
[tantek] yes that's fair (so to speak 🙂 )
# 21:35 
[tantek] weather << Cool design example for displaying an archive summary of temperatures across posts: https://showyourstripes.info/ (looks a lot like [[Dopplr]]'s trip stripes)
# 21:35 
Loqi ok, I added "Cool design example for displaying an archive summary of temperatures across posts: https://showyourstripes.info/ (looks a lot like [[Dopplr]]'s trip stripes)" to the "See Also" section of /weather https://indieweb.org/wiki/index.php?diff=76130&oldid=72817 
KartikPrabhu, [Will_Monroe], Seirdy and [jacky] joined the channel
# 22:54 
[jacky] https://waxjs.net/features/
[chrisaldrich], [Murray], [tw2113_Slack_], [fluffy] and [tantek] joined the channel
# 23:53 
[tantek] does anyone actually use atom:id elements that do not have their domain in it? and anyone know if any Readers that support Atom actually perform some sort of origin-limiting on Atom:id? Because if not, I'm pretty sure it's trivially spoofable for someone to provide "updates" to say, some mainstream media feed of articles, with slight alterations in the titles or summaries or even contents of the articles.
# 23:54 
[tantek] and anyone treating atom:id elements as all part of some global unique namespace (which is how RFC4287 defines the comparison operator) https://datatracker.ietf.org/doc/html/rfc4287#section-4.2.6.1
# 23:54 
[tantek] this bit is the key: "
# 23:54 
[tantek] ```Comparison operations MUST be based solely
# 23:54 
[tantek]    on the IRI character strings and MUST NOT rely on dereferencing the
# 23:54 
[tantek]    IRIs or URIs mapped from them.```
# 23:54 
[tantek] "
# 23:55 
[tantek] must be based *solely* on the IRI character strings, that means a processor MUST NOT compare them with some additional factor, say the source domain of the feed
# 23:55 
[tantek] this seems like a massive hole. what am I missing?
# 23:56 
[tantek] or was this back in the day when people thought there's no way feeds would do nasty things like consuming and republishing each other's atom:id in entires with slightly more recent <updated> dates?
# 23:56 
[tantek] this makes me want to recommend that folks DO NOT rely on atom:id for anything, because there's no spec-compliant way to use it that's not vulnerable to this spoofing attack
# 23:57 
[tantek] where are all the feed file defenders when you need them 😛
# 23:57 
aaronpk it's possible to follow that rule while still namespacing the IDs to the domain the feed is hosted on
# 23:58 
aaronpk in other words, it doesn't say you *can't* limit the comparison to IDs only from the same feed or domain
# 23:58 
aaronpk which you can do even treating the ID as an opaque string