Seirdy, Fernando, cambridgeport90, strugee and GWG joined the channel
#Zegnat!tell GWG I see a bunch of redeemed tickets ~2 hours ago? Did you get everything working now? Cool! Will add something to my site today that only exists when a token is provided.
#GWGZegnat: If you want to invalidate all the tokens I requested today...
oodani and omz13 joined the channel
#ZegnatGWG, as it says on the page they will only be valid for 3 days. Was not planning on invalidating any manually and instead just trust my process
#GWGZegnat: Maybe you should add expires_in to the return?
jjuran joined the channel
#ZegnatAnyone else doing that yet? Any examples of how people do it? I was thinking of adding Token Introspection for that at some point, but that is a little further down my list
#GWGI also wonder if you should, in the token return, add in the resource.
#GWGAdmittedly, it was sent with the original ticket request, but...
#GWGThe same way that me is sent, which is an analogue for subject.
#ZegnatThe reason I set resource as the root domain is actually a hack. My token endpoint basically forgets about resource immediately as that is not really a thing in base indieauth. So as my data structure is right now, I cannot return it.
#GWGMy next step is a UI for managing the retrieved external tokens
#ZegnatAs far as my site is concerned, you have gotten a bog standard indieauth token. No magic ticketing. Therefore no resource.
#GWGWhat I'm doing is adding the resource into the stored data for now. So I know what the token is for.
#ZegnatThat is what you should do, from what I understand. The ticket endpoint is responsible to keep track of when it can use specific tokens.
#ZegnatBut I don't think there is any harm in the token endpoint showing that data either... Maybe even when it returns scopes on token verification
#GWGAlthough, speaking about it, any resource specific token should identify in its return what the resource is.
#GWGBut that may be an IndieAuth conversation, not a Ticket Auth one
#ZegnatI am also not sure I like the name resource for it. Especially if it may grant access to all underlying URLs too. As mentioned in one of the open questions.
capjamesg joined the channel
#ZegnatSo these are good things to write down on the wiki page!
#ZegnatMaybe. That one does not add resource to the token request response either though
#ZegnatIt does show the expires_in ... I should really consider adding that. Do you expect expires_in only when exchanging the code for the token, or even when doing a verification call?
[jacky] and hendursa1 joined the channel
#sknebelstill wonder if piggybacking on realms makes sense or not
#sknebelI thought it did, but people got confused by that in AutoAuth for some reason, and I've not seen it mentioned in any OAuth things
#ZegnatI do not think OAuth uses it. But I wonder if that is just because OAuth works with the assumption that you as the owner of a token already knows where it is accepted.
#ZegnatAlternatively to HTTP auth’s realm, maybe the OAuth thing would be JWT’s aud?
#sknebelnot quite, because it doesn't help a client figuring out which to use?
#sknebeli.e. you can't answer "do I have a token for this page" with it without further conventions?
#Zegnataud would be a list of resources where the token is expected to be accepted. So if the current page is in the list, that is the token you can send.
#sknebelokay but we can't do lists of all blog posts on a site in the token :D
#ZegnatThen again, that would just make resource === aud :P
#ZegnatI wonder, is this even a use-case we need? If we focus on authentication, we do not need it, right? You can use the token that identifies you as you on any resource that has its token_endpoint set to where you got your token from.
#ZegnatIf we both trust the same token_endpoint, then GWG only needs to get a ticket once from there to proof he is who he is. We would both accept the token.
#ZegnatFor authorisation this is harder, of course. Because I might allow him create access, and you do not.
#ZegnatI am thinking of the Gemini case a little. Where people can send a cert along with each request to say “this is me”. If I have obtained an authentication token from tokens.indieauth.com (through a ticket or other means) that has a me value of "https://vanderven.se/martijn/", I can start sending that token along to every site I know that has tokens.indieauth.com as their token_endpoint. They trust that token provider, so they can
#Zegnattrust it is me making requests to their site.
#Zegnat(Again: only for authentication. For authorisation, you would want to know for sure that you were the one who granted the scopes.)
#Zegnatis going to let that simmer a little more and than add it to the brainstorm
#sknebelZegnat: no, you cant do it cross-domain, because otherwise I can just claim to trust e.g. davids token endpoint and then I get a valid token for you that I can use to read stuff as you
#ZegnatHere I thought I had found a solid simplification :P
#sknebelon a site it might be an arguable method that otken endpoint url == realm
#sknebelyeah, I think that'd be ok. guess other aspect is if you require checking for that before using a token or not, probably not?
#sknebelbut thats something that can be left for later in the experimentation I think
#ZegnatYou should check, I guess, to make sure you do not send the token someplace someone else can read it, else you get the imposter attack you mentioned above.
#ZegnatIf you are not checking first, it means you are making the call based on something else whether to send the token. Then that "something else" should be == realm
#ZegnatTo be fair, this is also a problem with realm. You do not know a resource realm without first requesting the resource and reading its WWW-Authenticate header.
#ZegnatI guess this is why URLs as realms are easy. Because that way I know the realm before making even a single request
#sknebelright. on a domain the imposter case is less obvious/common, so for our purposes it might be ok to not cover that (basically, if you combine it with path limits you say that you can't have less trusted things on subpaths of a URL. which is likely true for most personal sites, and can be made ok for many but not all other scenarios)
#ZegnatHTTP Signatures has me sign the request path and host header. So even if I were to send a request to a wrong entity, they can never use it to impersonate me against another party.
#ZegnatIf we have a shared secret, and I use HTTP Signatures, if I send a signed request to sharedhost.test/~someoneelse/controls/this the someone else cannot grab the value and start impersonating me against other sites on sharedhost. Because only you and I have the shared secret
#jamietannaZegnat I also use `expires_in` as I'm another implementer with expiring tokens
#jamietannaGWG I wonder if the token issuing is the wrong place for the `resource` and it should instead be on verify - I'll do some reading to confirm that against how OAuth expects it
#ZegnatJamietanna: is the expires_in available anywhere or only during the code exchange?
#jamietannaRight now mine only does it on exchange but this is an error
#GWGI return an expiration parameter, but maybe it should be exp if people expect that in a similar context
#jamietannaI'd say if we can try and keep it closer to OAuth2 that may make it simpler - my ideal would be that we replace the IndieAuth-only endpoint with the OAuth2 one, as then we can use libraries out-of-the-box (but I realise we've done it this way as it's much simpler)
#jamietannaso yeah replacing `expiration` with `exp` may simplify for folks who'd expect `exp`
#ZegnatNobody expects anything from token verification. IIRC that is something that only exists in IndieAuth. (Then again, it does not define any form of expiration/expires_in/exp...)
#aaronpkwow lots of discussion for me to catch up on!
#GWGZegnat: We have a chat coming up in August. I want things to bring up
#GWGI'd like the IndieAuth spec to say. "Expiring tokens are recommended, and if implemented, should be in accordance with x.
#GWGNamely compatibility with refresh tokens and such.
#jamietannaThat sounds good - we should definitely provide folks with understanding of how to respond to a token that's no longer active (revoked/expired)
#ZegnatI would definitely be interested in talking more expiration. I think that is a core security feature to tokens in lots of contexts.
#Loqi[dshanske] #81 Adopt Expiration and Refresh Tokens into the Spec
#aaronpkis there anything unique about refresh token and expiration with indieauth? i wouldn't think so
#aaronpkmy worry about putting more stuff in the spec is it makes it look like it's special to indieauth
#ZegnatThere are only unique things if we want data to be made available upon token verification. Because I think that is the only IndieAuth specific part?
#GWGaaronpk: That's why I wanted it to be a citation
#Loqi[dshanske] #82 Adopt Resource Indicators or similar system to limit token access to resources
#GWGTo concur with Zegnat, it's how the process applies
#ZegnatThe resource one ... I am still not sure exactly how to scope this stuff. So that might be a bit early? Also sounds like something for the ticket auth extension and not indieauth proper? Maybe?
#aaronpkit's relevant to indieauth too since we already have multiple resources like micropub vs microsub
#aaronpkespecialy since a micropub and microsub endpoint might be hosted on two totally separate systems
#GWGZegnat: That's why discussing it belongs in IndieAuth. Ticket Auth is about delivery, it shouldn't be about the token
#GWGThe token is issued by an IndieAuth token endpoint
#ZegnatI am super interested in the resource/realm thing. Though I do not feel like I have answers there yet.
#GWGrealm is a description of resource in this context.
jamie and PuercoPop joined the channel
#GWGresources seem to be URLs and realm is arbitrary text
#aaronpkIIRC the idea with "realm" was to use it for scoping access within one resource, so you could use it for indicating like which group of friends something is accessible to
#GWGWe also have the question of how resource works...in terms of whether paths under it are allowed
#Zegnatroot URI + realm = protection space. So different resources on the some domain can share realm to communicate that the user can use the same auth for all of them.
#Zegnatresources might be better, as we usually are pretty URL focused anyway
#GWGThe issue is whether we use resource or aud on the return
#jamieInteresting - would that be on the response for redeeming the ticket? `aud` to me would be the audience for the token i.e. `client_id` usually, or `subject` in the case of how we issue the ticket
#GWGZegnat: Will do . I'm looking into the db now because I have yet to build a UI
#LoqiGWG: Zegnat left you a message 1 minute ago: Any future tokens you request through a ticket from me should now have expires_in. Let me know if it looks right.
[Rose], KartikPrabhu, petermolnar, sknebel, strugee, doosboox, neocow, Seirdy, eco, geman, gerben, alex11, vilhalmer, mikeputnam and ZooT_aLLures joined the channel
#@dshanskeAfter declaring my intention to help iterate on the Ticket extension to IndieAuth, I built an experimental ticket endpoint, which is available on my test site. I was able to test it using Martijn van Der Ven’s test form for requesting a ticket., after… https://di5.us/t/1Qr (twitter.com/_/status/1412129563539279874)
#GWG!tell [fluffy] I have a basic ticket endpoint up if you want to test
#[fluffy]@gwg awesome, I’ll have to actually get around to implementing my end of it as promised
#[fluffy]I guess I should also have a manual grant flow, rather than requiring folks to log in to trigger it
#GWG[fluffy]: Zegnat had a action=ticket post request to the token endpoint set up as a way to test
#[fluffy]yeah, I was going to have Publ initiate the grant if someone logs in with a profile that declares an endpoint, and there’s no reason there can’t also be a manual login flow for that
#[fluffy]…although I suppose that means Publ itself is going to have to be able to parse out the endpoint too. So maybe it should all be up to Publ to do that, instead of adding the endpoint discovery to Authl.
#[fluffy]also not sure how quickly I’ll be able to work on it, I’m experiencing some /life-happens lately.
#Loqilife happens is a summary expression of numerous things that people experience in their actual physical lives that suddenly take higher priority than nearly anything else (like participation in volunteer-based communities), and the IndieWeb community is here to acknowledge, accept, and be supportive of community members experiencing this https://indieweb.org/life_happens