#[jacky]this might be interesting for parsers that don't want to use something something like readability to mangle a page into MF2-esque JSON (on their end)
shoesNsocks1, samwilson, [KevinMarks], [Murray], chenghiz_, barnaby, ben_thatmustbeme, [tantek], [schmarty] and [manton] joined the channel; Poorchop left the channel
#[manton]Anyone have experience with Caddy? We’re considering switching from Nginx to Caddy to simplify HTTPS for hosted blogs on Micro.blog… https://caddyserver.com
#[manton]I generally prefer to stick to tried-and-true servers like Nginx, but this would simplify so many things it’s tempting.
#sknebelplayed around with a bit, wasn't quite what I was looking for at the time but good in principle
#sknebelI think it makes sense for what you are doing
#aaronpkof course, but it's quite a different thing having it built in and completely automatic out of the box
#barnabyyep, and hopefully more software will move towards that model
#barnabyI’m way more familiar with ACME than I ever intended on becoming, as my current web host charges silly fees for certs, but allows you to set your own. so I made a script which authenticates and renews a multi-domain cert for all my domains, then emails me the new cert and key in a GPG-encrypted email, to remind me to update them in the host UI
#sknebelpetermolnar: for a hosted service with custom domains, I'd rather have caddys "one api call" over scripting around certbot
#petermolnaraaronpk: I wasn't arguing with that, I just wanted to point it out that automation with nginx is ok in case one doesn't want to move from nginx, and this - built-in certs - would be the only reason.
#sknebel(at larger scale, I've seen complaints that nginx gets unhappy when you ask it to load thousands of certs, not sure if thats still the case)
#petermolnarbtw caddy doesn't fit my needs, because I need my certs in other daemons, so I need the hooks certbot provides
#sknebelyeah, thats a reason to keep cert managment outside
#sknebelas I said, Ialso didn't like caddy for my own server
#barnabytalking of TLS certs, does anyone know of attempts to use TLS certs and TLS as a way of doing signed server-to-server requests?
#barnabyif you’re assuming that one domain = one person, then surely it’d be the obvious way to distribute public keys
#sknebel(which can be a browser, which has all the issues you reference, but also can be done between services etc. although many implementations kind of assume that you have a shared private CA for all participants)
#barnabyspecifically what I’m thinking about is: Server A makes a request to server B, signed with the private key used for Server A’s TLS cert. server B fetches and verifies server A’s public key, and uses it to verify the request
#barnabyis “client-side certs” used to refer to that flow?
#sknebelI think just "TLS client certificate" is most commonly used
#sknebelalthough the "B fetches and verifies server A’s public key" part I'm not sure if that's done, I think more commonly you just check that the cert is valid and from a trusted CA
#sknebeland now I wonder if usual TLS server certs actually have the right flags for this
#sknebelI've had client certs from a proper public CA, but I those were intentionally issued as client certs
#barnabyI didn’t put a proof-of-concept together for it to check if it worked, but I dug around in some openssl libraries and it seems like most of the parts are there
#aaronpkthis is a big topic in the oauth group right now too, there are a few different ideas floating around for how to do client authentication which this idea basically is
#aaronpkpersonally i'm most excited about reviving HTTP signatures since I think that strikes the right balance between doing the signing in the transport and application layers
#barnabyI was hoping it would be a convenient shortcut for how to do signed requests between indieweb sites, which are typically one domain per person
#barnabywithout having to generate and maintain extra keys, and implement discovery for them
#sknebelaaronpk: "revive" ? (did the work on them elsewhere die?)
#jamietannas'all good :) I wonder if you can try it on a subset of server(s) to give it a go? I've found the mix of auto-TLS and batteries-included for easily proxying between things to be useful, and I guess the Caddy API may be super helpful across the fleet of servers that run m.b ?
#[manton]Definitely, I think it potentially simplifies several things for us. I might split off my own blog (or a few test blogs) to route through Caddy as a first test.
maxwelljoslyn joined the channel
#maxwelljoslynmanton I like caddy definitely give it a shot, not as configurable as the competition but great fast setup for simple use cases
#[manton]Great, thanks. Because our hosted blogs are static sites, I’m hoping it’ll be straightforward to switch. (Just need a little bit of special handling for 404s.)
[schmarty] and jamietanna joined the channel
#jamietannamaxwelljoslyn what configurability would you say is missing?
#GWGjamietanna: Have you also been thinking about Ticket Auth?
#jamietannaGWG I certainly have, could you tell from all the wiki editing? :D
#jamietannaI'm thinking that I may get around to implementing it (soon) but go with the route of "always issue a refresh token" as a way of nudging folks to implementing it
#jamietannaas well as being a good way of ensuring persistent access can be used - and in my case, if a refresh_token isn't used in 90 days (as far as I can remember, at least...) then it expires and a new one is required, leading to me needing to re-issue a ticket
#jamietannaI've still got to make a few changes to strengthen my IndieAuth-protected endpoints to validate the `resource` a token is issued for, and even if someone had a token, they wouldn't (yet) be able to use it, but I think I may use this as a way to lead into private posts
barnaby joined the channel
#GWGjamietanna: I will do refresh tokens when there's a reference client
#GWGI'm preparing to do a reference implementation for receiving tickets, not generating them.
#GWGI'm just wondering what questions about the existing proposal need to be answered
[jacky] joined the channel
#jamietannathat's fair re not doing refresh tokens yet - I'd like to raise a PR to one of the major clients, but not gotten round to it as it's lower on my priority list
#jamietannaso interestingly Netlify does ticket-based auth as part of the OAuth journey which I've just found while authing on this machine for the first time
#jamietannahttps://open-api.netlify.com/#tag/ticket has a bit of info, will try and find a bit more - but this is where the client says "I have a ticket that I want the user to auth with" and seems quite similar to the OAuth Device Flow
#jamietannait looks like they've either taken Device Grant and tried to simplify it, or re-implemneted it before realising there's an official OAuth grant for it
maxwelljoslyn joined the channel
#barnabyI’m definitely interested in the ticket auth stuff, looks like it could be a good method for giving sites temporary discretionary access to private resources
#[jacky]yup! tbh I hope that once I grok it enough, something like that could be easy to put into a check for something like nginx as a proxy_auth flow then static sites could probably get in the fun of private content 🙂
#barnabyit might be possible to have a client-initiated flow, too, which would solve the client TLS problems I was talking about earlier
#barnabye.g. a way of server A being able to say “I want to be able to make authenticated requests to server B”, so server B sends a ticket to server A’s endpoint, which is then exchanged for a code
#barnabyand then server A can temporarily make authenticated requests to server B
#barnabythere’s a lot more fragile back and forth and discovery involved than my hypothetical mutual TLS idea, but it would fix the problems with that approach, and build off existing indieweb building blocks
#barnabynot sure if there are some security issues I’m overlooking there though
#GWGbarnaby: My proposal was let's get the endpoint working and then work on the client part
#barnabyoh sure, I’m just thinking out loud, in case someone can shut my idea down with a security issue I’ve overlooked, in which case I can stop thinking about it
#LoqiAutoAuth is the working title of an extension to IndieAuth that allows clients to authorize to other servers in the name of their user, without the user being present to confirm each individual authorization flow https://indieweb.org/AutoAuth
samwilson and reed joined the channel
#GWGIf you want speculation...the next step after we implement the spec as written is to add how someone can request a ticket be sent to them... And how it could work with clients
calebjasik, nekr0z and Abhas[m] joined the channel
#GWGIf we're thinking Microsub, it isn't the client, it's the server that needs the token
batkin[m], cambridgeport90[ and BinyaminGreen[m] joined the channel
#sknebelwell, not as a ticket endpoint query protocol, but it solves the same thing
#GWGI'm just trying to break the problem into digestible pieces
#GWGAlso, in this scenario, the ticket endpoint requests all tokens and the client requests them from the token endpoint, as opposed to from the external token endpoint
#GWGYou could also in theory proxy it all through the token endpoint and never give the actual token up, but seems messy
#sknebelautoauth also passes the actual token through
#sknebelbut it also triggers the flow through the users endpoint, yes. that's a point where you could differ
#sknebelAutoAuth as currently written down generally does more to "police" requests, e.g. it will only send a request to the publisher if the users site has approved that - ticket auth appears to go in the direction of not caring about that
#sknebel"appears to" because the "how to request a token" is still open, so there is some discussion to be had about that part
#sknebelnot if you get to ".the next step after we implement the spec as written is to add how someone can request a ticket be sent to them" ?
#sknebelat the point you have the question of "if I'm willing to deliver tickets on request, how much do I care about that request being actually authorized by the site I'm sending a ticket to"
#sknebeli.e. can I as a random go and tell site A "hey, please give a ticket to site B"
#sknebelone way I could see is including a "as you requested" indicator in the request delivering the ticket, to distinguish from a ticket being delivered because A wanted to give one to B
#sknebelwhich gives B a way to say "hey wait I didnt even want this". but maybe that's also totally unneeded
#sknebelAutoAuth would go and verify "hey, did you really want a token for XYZ?" before doing anything. but if you consider creating tickets cheap, that's not needed. so that bit you could skip. maybe there is value in explicitly rejecting a ticket offer though
#sknebelprobably comes down to questions like "what am I supposed to do if I get a new ticket for something I already have a token for", "do I invalidate an old token if I issue a new ticket for the same thing", ...
#sknebelanyway, for clients I think the model of "they get an indieauth scope that allows them to ask the site for tokens" makes sense - if they then get to make the requests to publisher for a ticket to be issued themselves or not is probably open?
Seich joined the channel
#[jacky]a bit of brain banging: what's the implication of having a specialized token and authorization endpoint for people? like if you were building a service - I can see it as a way to do a 'harder' check against the usability of a token or request flow but I can see that being done by doing some session checking
[Murray] joined the channel
#aaronpkthe other thing i've been noodling on is figuring out whether it makes sense to bring in the concept of "resources" in addition to scopes
#aaronpkright now we've been relying on scopes quite a lot, but as we've been doing more "interesting" combinations of things, the idea of a resource identifier might be useful
#aaronpkthe resource being the micropub endpoint vs the microsub endpoint vs the potential webmention retrieval endpoint etc
#[jacky]I can see this being used for a 'progressively requesting' reader to first only allow it to read from microsub and then when asked for a more interesting function (maybe something mutable like blocking, muting or the like), it can potentially get a _separate_ token for doing other things