#dev 2021-06-30

2021-06-30 UTC
[KevinMarks], Seirdy, alex11, samwilson, [jacky], KartikPrabhu, [tantek], jjuran and capjamesg joined the channel
#
petermolnar
to 1.20.1
hendursa1 and [jacky] joined the channel
#
[jacky]
this might be interesting for parsers that don't want to use something something like readability to mangle a page into MF2-esque JSON (on their end)
shoesNsocks1, samwilson, [KevinMarks], [Murray], chenghiz_, barnaby, ben_thatmustbeme, [tantek], [schmarty] and [manton] joined the channel; Poorchop left the channel
#
[manton]
Anyone have experience with Caddy? We’re considering switching from Nginx to Caddy to simplify HTTPS for hosted blogs on Micro.blog… https://caddyserver.com
#
[manton]
I generally prefer to stick to tried-and-true servers like Nginx, but this would simplify so many things it’s tempting.
#
sknebel
played around with a bit, wasn't quite what I was looking for at the time but good in principle
#
sknebel
I think it makes sense for what you are doing
#
sknebel
Zegnat had looked at it too I believe?
#
sknebel
fairly sure I've seen some hosters switch to specifically for the custom domain use case
#
[manton]
Nice, thanks!
#
barnaby
definitely good to see more software treating TLS as a default, and making it easier to manage
#
sknebel
lots of the newer tools do automatic cert fetching etc now
#
sknebel
for one setup I used Traefik, that's also interesting
#
sknebel
especially if you do lots of things with containers
#
sknebel
you can tag containers with domain/path matches and itll automatically add them to its routing and fetch certs as needed
#
petermolnar
you can automate certs on nginx with certbot and the nginx module of certbot
#
petermolnar
it works quite well in my opinion
#
aaronpk
of course, but it's quite a different thing having it built in and completely automatic out of the box
#
barnaby
yep, and hopefully more software will move towards that model
#
barnaby
I’m way more familiar with ACME than I ever intended on becoming, as my current web host charges silly fees for certs, but allows you to set your own. so I made a script which authenticates and renews a multi-domain cert for all my domains, then emails me the new cert and key in a GPG-encrypted email, to remind me to update them in the host UI
#
sknebel
petermolnar: for a hosted service with custom domains, I'd rather have caddys "one api call" over scripting around certbot
#
sknebel
although thats of course always possible
#
petermolnar
aaronpk: I wasn't arguing with that, I just wanted to point it out that automation with nginx is ok in case one doesn't want to move from nginx, and this - built-in certs - would be the only reason.
#
sknebel
(at larger scale, I've seen complaints that nginx gets unhappy when you ask it to load thousands of certs, not sure if thats still the case)
#
petermolnar
btw caddy doesn't fit my needs, because I need my certs in other daemons, so I need the hooks certbot provides
#
sknebel
yeah, thats a reason to keep cert managment outside
#
sknebel
as I said, Ialso didn't like caddy for my own server
#
barnaby
talking of TLS certs, does anyone know of attempts to use TLS certs and TLS as a way of doing signed server-to-server requests?
#
barnaby
if you’re assuming that one domain = one person, then surely it’d be the obvious way to distribute public keys
#
sknebel
client-side certs are a thing in TLS, yes
#
sknebel
alhough never all that popular
#
barnaby
I’m not talking about client-side as in stored on your browser
#
barnaby
that’s also interesting, but has a bunch of UI issues
#
barnaby
I’m more interested in using signed requests as a way of easily authenticating server-to-server interactions
#
sknebel
client-side doesn't mean "in the browser" in that case, but as in "the end of the connection making the request"
#
barnaby
ah okay
#
sknebel
(which can be a browser, which has all the issues you reference, but also can be done between services etc. although many implementations kind of assume that you have a shared private CA for all participants)
#
barnaby
specifically what I’m thinking about is: Server A makes a request to server B, signed with the private key used for Server A’s TLS cert. server B fetches and verifies server A’s public key, and uses it to verify the request
#
barnaby
is “client-side certs” used to refer to that flow?
#
sknebel
I think just "TLS client certificate" is most commonly used
#
sknebel
although the "B fetches and verifies server A’s public key" part I'm not sure if that's done, I think more commonly you just check that the cert is valid and from a trusted CA
#
sknebel
and now I wonder if usual TLS server certs actually have the right flags for this
#
sknebel
I've had client certs from a proper public CA, but I those were intentionally issued as client certs
#
barnaby
I didn’t put a proof-of-concept together for it to check if it worked, but I dug around in some openssl libraries and it seems like most of the parts are there
#
aaronpk
this is also called "Mutual TLS"
#
aaronpk
and "trust on first use" is a common way to handle that without a CA as well
#
aaronpk
there are some deployment challenges with Mutual TLS that make it impractical in some situations
#
aaronpk
also this wouldn't work if you have a load balancer/CDN in front of your site, since you won't have access to those private keys
#
aaronpk
e.g. cloudflare manages the TLS cert for your domain, you don't have a way to sign an outgoing request with cloudflare's key
#
barnaby
true, there are plenty of scenarios where you don’t have easy access to the keys
#
aaronpk
i'm not sure it's a good idea to make the assumption that one domain == one key
#
barnaby
yeah, seems like it’s a flawed idea
#
aaronpk
this is a big topic in the oauth group right now too, there are a few different ideas floating around for how to do client authentication which this idea basically is
#
aaronpk
personally i'm most excited about reviving HTTP signatures since I think that strikes the right balance between doing the signing in the transport and application layers
#
barnaby
I was hoping it would be a convenient shortcut for how to do signed requests between indieweb sites, which are typically one domain per person
#
barnaby
without having to generate and maintain extra keys, and implement discovery for them
#
sknebel
aaronpk: "revive" ? (did the work on them elsewhere die?)
#
aaronpk
it's...complicated
#
aaronpk
i noted some of the history here https://oauth.net/http-signatures/
#
aaronpk
but it's finally in the http WG where it belongs
[tw2113_Slack_], [aciccarello], [chrisaldrich] and jamietanna joined the channel
#
jamietanna
[manton] I've used Caddy for a few services in the past and recommend it! I don't use other web servers where I can avoid it, now
#
[manton]
[jackjamieson] Good to hear, thanks! The more I read about it, the more interested I am.
#
[manton]
Whoops, wrong username auto-complete. Sorry. @*jamietanna*
#
jamietanna
s'all good :) I wonder if you can try it on a subset of server(s) to give it a go? I've found the mix of auto-TLS and batteries-included for easily proxying between things to be useful, and I guess the Caddy API may be super helpful across the fleet of servers that run m.b ?
#
[manton]
Definitely, I think it potentially simplifies several things for us. I might split off my own blog (or a few test blogs) to route through Caddy as a first test.
maxwelljoslyn joined the channel
#
maxwelljoslyn
manton I like caddy definitely give it a shot, not as configurable as the competition but great fast setup for simple use cases
#
[manton]
Great, thanks. Because our hosted blogs are static sites, I’m hoping it’ll be straightforward to switch. (Just need a little bit of special handling for 404s.)
[schmarty] and jamietanna joined the channel
#
jamietanna
maxwelljoslyn what configurability would you say is missing?
#
GWG
jamietanna: Have you also been thinking about Ticket Auth?
#
jamietanna
GWG I certainly have, could you tell from all the wiki editing? :D
#
jamietanna
I'm thinking that I may get around to implementing it (soon) but go with the route of "always issue a refresh token" as a way of nudging folks to implementing it
#
jamietanna
as well as being a good way of ensuring persistent access can be used - and in my case, if a refresh_token isn't used in 90 days (as far as I can remember, at least...) then it expires and a new one is required, leading to me needing to re-issue a ticket
#
jamietanna
I've still got to make a few changes to strengthen my IndieAuth-protected endpoints to validate the `resource` a token is issued for, and even if someone had a token, they wouldn't (yet) be able to use it, but I think I may use this as a way to lead into private posts
barnaby joined the channel
#
GWG
jamietanna: I will do refresh tokens when there's a reference client
#
GWG
I'm preparing to do a reference implementation for receiving tickets, not generating them.
#
GWG
I'm just wondering what questions about the existing proposal need to be answered
[jacky] joined the channel
#
jamietanna
that's fair re not doing refresh tokens yet - I'd like to raise a PR to one of the major clients, but not gotten round to it as it's lower on my priority list
#
jamietanna
so interestingly Netlify does ticket-based auth as part of the OAuth journey which I've just found while authing on this machine for the first time
#
jamietanna
https://open-api.netlify.com/#tag/ticket has a bit of info, will try and find a bit more - but this is where the client says "I have a ticket that I want the user to auth with" and seems quite similar to the OAuth Device Flow
#
jamietanna
`https://app.netlify.com/authorize?response_type=ticket&ticket=.....` was the link that the CLI asked me to follow, which then took me to a browser-based consent page, after authorizing it, the CLI knew that I'd auth'd correctly and who I was
#
jamietanna
it looks like they've either taken Device Grant and tried to simplify it, or re-implemneted it before realising there's an official OAuth grant for it
maxwelljoslyn joined the channel
#
barnaby
I’m definitely interested in the ticket auth stuff, looks like it could be a good method for giving sites temporary discretionary access to private resources
#
[jacky]
yup! tbh I hope that once I grok it enough, something like that could be easy to put into a check for something like nginx as a proxy_auth flow then static sites could probably get in the fun of private content 🙂
#
barnaby
it might be possible to have a client-initiated flow, too, which would solve the client TLS problems I was talking about earlier
#
barnaby
e.g. a way of server A being able to say “I want to be able to make authenticated requests to server B”, so server B sends a ticket to server A’s endpoint, which is then exchanged for a code
#
barnaby
ah, token, not code
#
barnaby
and then server A can temporarily make authenticated requests to server B
#
barnaby
there’s a lot more fragile back and forth and discovery involved than my hypothetical mutual TLS idea, but it would fix the problems with that approach, and build off existing indieweb building blocks
#
barnaby
not sure if there are some security issues I’m overlooking there though
#
GWG
barnaby: My proposal was let's get the endpoint working and then work on the client part
#
GWG
Us trying to solve all problems hasn't worked
#
barnaby
oh sure, I’m just thinking out loud, in case someone can shut my idea down with a security issue I’ve overlooked, in which case I can stop thinking about it
#
sknebel
AutoAuth started with the other direction
#
sknebel
with your client requesting that it get a token, and your site working with the target site to obtain such a token
#
barnaby
I guess you’re not talking about autoauth.com?
#
barnaby
what is autoauth
#
Loqi
AutoAuth is the working title of an extension to IndieAuth that allows clients to authorize to other servers in the name of their user, without the user being present to confirm each individual authorization flow https://indieweb.org/AutoAuth
samwilson and reed joined the channel
#
GWG
If you want speculation...the next step after we implement the spec as written is to add how someone can request a ticket be sent to them... And how it could work with clients
calebjasik, nekr0z and Abhas[m] joined the channel
#
GWG
If we're thinking Microsub, it isn't the client, it's the server that needs the token
batkin[m], cambridgeport90[ and BinyaminGreen[m] joined the channel
#
sknebel
the microsub server is the client
Lohn, LaBcasse[m] and astralbijection[ joined the channel
#
sknebel
and that's what the outer part of AutoAuth described: how do I ask for a token as client
#
GWG
sknebel: Yes, but some people's readers are integrated into their backend and some are not.
#
GWG
But if you assume..
#
GWG
Client asks publisher for ticket
#
GWG
Publisher sends ticket to ticket endpoint
#
GWG
Client queries ticket endpoint and gets token
#
GWG
What we need is a ticket endpoint query protocol
#
sknebel
yes, thats what's described in AutoAuth
#
GWG
sknebel: I read it
#
sknebel
well, not as a ticket endpoint query protocol, but it solves the same thing
#
GWG
I'm just trying to break the problem into digestible pieces
#
GWG
Also, in this scenario, the ticket endpoint requests all tokens and the client requests them from the token endpoint, as opposed to from the external token endpoint
#
GWG
You could also in theory proxy it all through the token endpoint and never give the actual token up, but seems messy
#
sknebel
autoauth also passes the actual token through
#
GWG
I clearly need to reread that
#
sknebel
but it also triggers the flow through the users endpoint, yes. that's a point where you could differ
#
sknebel
AutoAuth as currently written down generally does more to "police" requests, e.g. it will only send a request to the publisher if the users site has approved that - ticket auth appears to go in the direction of not caring about that
#
sknebel
"appears to" because the "how to request a token" is still open, so there is some discussion to be had about that part
#
GWG
Ticket Auth switches that to the publisher
#
sknebel
not if you get to ".the next step after we implement the spec as written is to add how someone can request a ticket be sent to them" ?
#
sknebel
at the point you have the question of "if I'm willing to deliver tickets on request, how much do I care about that request being actually authorized by the site I'm sending a ticket to"
#
sknebel
i.e. can I as a random go and tell site A "hey, please give a ticket to site B"
#
sknebel
one way I could see is including a "as you requested" indicator in the request delivering the ticket, to distinguish from a ticket being delivered because A wanted to give one to B
#
sknebel
which gives B a way to say "hey wait I didnt even want this". but maybe that's also totally unneeded
#
sknebel
AutoAuth would go and verify "hey, did you really want a token for XYZ?" before doing anything. but if you consider creating tickets cheap, that's not needed. so that bit you could skip. maybe there is value in explicitly rejecting a ticket offer though
#
sknebel
probably comes down to questions like "what am I supposed to do if I get a new ticket for something I already have a token for", "do I invalidate an old token if I issue a new ticket for the same thing", ...
#
sknebel
anyway, for clients I think the model of "they get an indieauth scope that allows them to ask the site for tokens" makes sense - if they then get to make the requests to publisher for a ticket to be issued themselves or not is probably open?
Seich joined the channel
#
[jacky]
a bit of brain banging: what's the implication of having a specialized token and authorization endpoint for people? like if you were building a service - I can see it as a way to do a 'harder' check against the usability of a token or request flow but I can see that being done by doing some session checking
[Murray] joined the channel
#
aaronpk
the other thing i've been noodling on is figuring out whether it makes sense to bring in the concept of "resources" in addition to scopes
#
[jacky]
strongly wants that
#
aaronpk
right now we've been relying on scopes quite a lot, but as we've been doing more "interesting" combinations of things, the idea of a resource identifier might be useful
#
aaronpk
the resource being the micropub endpoint vs the microsub endpoint vs the potential webmention retrieval endpoint etc
#
[jacky]
oh that's an interesting abstraction
#
aaronpk
i still need to do some analysis on what exactly would be the benefit of it
#
[jacky]
ah okay, in this case, it'd be a way to isolate a token to be usable _only_ for a micropub endpoint
#
[jacky]
oh this is good, that'd make the scopes a bit more abstract (and yet specific to the resource in use)
#
[jacky]
resource++
#
Loqi
resource has 1 karma over the last year
#
[jacky]
I can see this being used for a 'progressively requesting' reader to first only allow it to read from microsub and then when asked for a more interesting function (maybe something mutable like blocking, muting or the like), it can potentially get a _separate_ token for doing other things
#
[jacky]
might be over thinking it
[tw2113_Slack_] joined the channel