#dev 2021-07-05

2021-07-05 UTC
Seirdy, Fernando, cambridgeport90, strugee and GWG joined the channel
#
Zegnat
!tell GWG I see a bunch of redeemed tickets ~2 hours ago? Did you get everything working now? Cool! Will add something to my site today that only exists when a token is provided.
#
Loqi
Ok, I'll tell them that when I see them next
#
GWG
Zegnat: I'm still working on storing it, but the redeeming works.
gerben and wrmilling_alt joined the channel
#
Zegnat
Nice. So even though it is a little scuffy, my token endpoint side seems to work then?
chee, voxpelli, geman, Saphire and willnorris joined the channel
#
GWG
These are temporary tokens, right?
#
GWG
Zegnat: If you want to invalidate all the tokens I requested today...
oodani and omz13 joined the channel
#
Zegnat
GWG, as it says on the page they will only be valid for 3 days. Was not planning on invalidating any manually and instead just trust my process
#
GWG
Zegnat: Maybe you should add expires_in to the return?
jjuran joined the channel
#
Zegnat
Anyone else doing that yet? Any examples of how people do it? I was thinking of adding Token Introspection for that at some point, but that is a little further down my list
#
GWG
Zegnat: Me
#
GWG
expires_in (recommended) If the access token expires, the server should reply with the duration of time the access token is granted for.
#
Zegnat
Noted, GWG. Will take a look during the day
#
Zegnat
https://indieweb.org/IndieAuth_Ticket_Auth#Martijn_van_der_Ven - documented the endpoint as you seem to be able to use it. So others can test against it aswell if they are interested
#
GWG
I also wonder if you should, in the token return, add in the resource.
#
GWG
Admittedly, it was sent with the original ticket request, but...
#
GWG
The same way that me is sent, which is an analogue for subject.
#
Zegnat
The reason I set resource as the root domain is actually a hack. My token endpoint basically forgets about resource immediately as that is not really a thing in base indieauth. So as my data structure is right now, I cannot return it.
#
GWG
My next step is a UI for managing the retrieved external tokens
#
Zegnat
As far as my site is concerned, you have gotten a bog standard indieauth token. No magic ticketing. Therefore no resource.
#
GWG
What I'm doing is adding the resource into the stored data for now. So I know what the token is for.
#
Zegnat
That is what you should do, from what I understand. The ticket endpoint is responsible to keep track of when it can use specific tokens.
#
Zegnat
But I don't think there is any harm in the token endpoint showing that data either... Maybe even when it returns scopes on token verification
#
GWG
Zegnat: That's why I suggested it.
#
GWG
Although, speaking about it, any resource specific token should identify in its return what the resource is.
#
GWG
But that may be an IndieAuth conversation, not a Ticket Auth one
#
Zegnat
I am also not sure I like the name resource for it. Especially if it may grant access to all underlying URLs too. As mentioned in one of the open questions.
capjamesg joined the channel
#
Zegnat
So these are good things to write down on the wiki page!
#
GWG
Yes, nothing is set in stone yet
#
GWG
It might be citing prior work at https://www.rfc-editor.org/rfc/rfc8707.html
#
Zegnat
Maybe. That one does not add resource to the token request response either though
#
Zegnat
It does show the expires_in ... I should really consider adding that. Do you expect expires_in only when exchanging the code for the token, or even when doing a verification call?
[jacky] and hendursa1 joined the channel
#
sknebel
still wonder if piggybacking on realms makes sense or not
#
sknebel
I thought it did, but people got confused by that in AutoAuth for some reason, and I've not seen it mentioned in any OAuth things
#
Zegnat
I do not think OAuth uses it. But I wonder if that is just because OAuth works with the assumption that you as the owner of a token already knows where it is accepted.
#
sknebel
yeah, "is for X API"
#
sknebel
not "is for random pages on this site"
#
Zegnat
Alternatively to HTTP auth’s realm, maybe the OAuth thing would be JWT’s aud?
#
sknebel
not quite, because it doesn't help a client figuring out which to use?
#
sknebel
i.e. you can't answer "do I have a token for this page" with it without further conventions?
#
Zegnat
aud would be a list of resources where the token is expected to be accepted. So if the current page is in the list, that is the token you can send.
#
sknebel
okay but we can't do lists of all blog posts on a site in the token :D
#
Zegnat
Then again, that would just make resource === aud :P
#
sknebel
right, what's "resource" again
#
Zegnat
It is what is currently suggested in the ticket auth. See also the first open question https://indieweb.org/IndieAuth_Ticket_Auth#Open_questions
#
Zegnat
I wonder, is this even a use-case we need? If we focus on authentication, we do not need it, right? You can use the token that identifies you as you on any resource that has its token_endpoint set to where you got your token from.
#
Zegnat
If we both trust the same token_endpoint, then GWG only needs to get a ticket once from there to proof he is who he is. We would both accept the token.
#
Zegnat
For authorisation this is harder, of course. Because I might allow him create access, and you do not.
#
Zegnat
I am thinking of the Gemini case a little. Where people can send a cert along with each request to say “this is me”. If I have obtained an authentication token from tokens.indieauth.com (through a ticket or other means) that has a me value of "https://vanderven.se/martijn/", I can start sending that token along to every site I know that has tokens.indieauth.com as their token_endpoint. They trust that token provider, so they can
#
Zegnat
trust it is me making requests to their site.
#
Zegnat
So the realm === token_endpoint
#
Zegnat
(Again: only for authentication. For authorisation, you would want to know for sure that you were the one who granted the scopes.)
#
Zegnat
is going to let that simmer a little more and than add it to the brainstorm
#
sknebel
Zegnat: no, you cant do it cross-domain, because otherwise I can just claim to trust e.g. davids token endpoint and then I get a valid token for you that I can use to read stuff as you
#
Zegnat
Ah, you are right. Hmm
#
Zegnat
Here I thought I had found a solid simplification :P
#
sknebel
on a site it might be an arguable method that otken endpoint url == realm
#
sknebel
yeah, I think that'd be ok. guess other aspect is if you require checking for that before using a token or not, probably not?
#
sknebel
but thats something that can be left for later in the experimentation I think
#
Zegnat
You should check, I guess, to make sure you do not send the token someplace someone else can read it, else you get the imposter attack you mentioned above.
#
Zegnat
If you are not checking first, it means you are making the call based on something else whether to send the token. Then that "something else" should be == realm
#
Zegnat
To be fair, this is also a problem with realm. You do not know a resource realm without first requesting the resource and reading its WWW-Authenticate header.
#
Zegnat
I guess this is why URLs as realms are easy. Because that way I know the realm before making even a single request
#
sknebel
right. on a domain the imposter case is less obvious/common, so for our purposes it might be ok to not cover that (basically, if you combine it with path limits you say that you can't have less trusted things on subpaths of a URL. which is likely true for most personal sites, and can be made ok for many but not all other scenarios)
#
Zegnat
This feels like https://github.com/indieweb/indieauth/issues/35 all over again, which we sidesteped by just noting that you should always check the value of authorization_endpoint, hahaha
#
Loqi
hehe
#
Loqi
[fluffy-critter] #35 Improve validation rules for the verification response 'me'
#
Zegnat
mumbles something about how signatures would fix this as they would be different values for different requests
#
Zegnat
HTTP Signatures has me sign the request path and host header. So even if I were to send a request to a wrong entity, they can never use it to impersonate me against another party.
#
Zegnat
If we have a shared secret, and I use HTTP Signatures, if I send a signed request to sharedhost.test/~someoneelse/controls/this the someone else cannot grab the value and start impersonating me against other sites on sharedhost. Because only you and I have the shared secret
#
Zegnat
The value was only valid for /~someoneelse/controls/this
#
capjamesg
Funny ^
jamietanna joined the channel
#
jamietanna
Zegnat I also use `expires_in` as I'm another implementer with expiring tokens
#
jamietanna
GWG I wonder if the token issuing is the wrong place for the `resource` and it should instead be on verify - I'll do some reading to confirm that against how OAuth expects it
#
Zegnat
Jamietanna: is the expires_in available anywhere or only during the code exchange?
#
jamietanna
Right now mine only does it on exchange but this is an error
#
jamietanna
*returns an `exp` field on token verify (indieauth) and token introspection (oauth2)
#
jamietanna
Woops 🙃
#
GWG
Lots of good discussion while I slept
#
Zegnat
Mostly me going on an unhelpful tangent
#
GWG
I have some tokens, I need a UI and a way to use them after storage. But we accomplished something
#
Zegnat
I will add something fun to my site, but will not happen before wednesday at the earliest
#
GWG
I am fine thus far
#
GWG
Next there are more questions to figure out
chenghiz_, Jamietanna1, hendursaga and [KevinMarks] joined the channel
#
GWG
Trying to figure out what the difference is between the token verification response and a token introspection endpoint
#
GWG
I fear I'm confused
jamietanna joined the channel
#
Jamietanna1
Ah GWG so "token verification" is what we do in IndieAuth and it's a simpler flow than the "token introspection" which is an OAuth2 thing
#
jamietanna
I may be one of the few who have both :)
#
GWG
jamietanna: I'm just wondering if the conventions of token introspection responses would make sense in token verification
#
GWG
Namely exp
#
GWG
I return an expiration parameter, but maybe it should be exp if people expect that in a similar context
#
jamietanna
I'd say if we can try and keep it closer to OAuth2 that may make it simpler - my ideal would be that we replace the IndieAuth-only endpoint with the OAuth2 one, as then we can use libraries out-of-the-box (but I realise we've done it this way as it's much simpler)
#
jamietanna
so yeah replacing `expiration` with `exp` may simplify for folks who'd expect `exp`
#
Zegnat
Nobody expects anything from token verification. IIRC that is something that only exists in IndieAuth. (Then again, it does not define any form of expiration/expires_in/exp...)
#
aaronpk
wow lots of discussion for me to catch up on!
#
GWG
Zegnat: We have a chat coming up in August. I want things to bring up
#
GWG
Expiration might be one of them
#
jamietanna
Yes, so the spec (https://indieauth.spec.indieweb.org/#access-token-verification-response) says nothing about expiration as it's still quite experimental, but would make sense there
#
GWG
I'd like the IndieAuth spec to say. "Expiring tokens are recommended, and if implemented, should be in accordance with x.
#
GWG
Namely compatibility with refresh tokens and such.
#
jamietanna
That sounds good - we should definitely provide folks with understanding of how to respond to a token that's no longer active (revoked/expired)
#
Zegnat
I would definitely be interested in talking more expiration. I think that is a core security feature to tokens in lots of contexts.
#
GWG
How's that for a starting point
#
Loqi
[dshanske] #81 Adopt Expiration and Refresh Tokens into the Spec
#
aaronpk
is there anything unique about refresh token and expiration with indieauth? i wouldn't think so
#
aaronpk
my worry about putting more stuff in the spec is it makes it look like it's special to indieauth
#
Zegnat
There are only unique things if we want data to be made available upon token verification. Because I think that is the only IndieAuth specific part?
#
GWG
aaronpk: That's why I wanted it to be a citation
#
GWG
Added this proposal as well
#
Loqi
[dshanske] #82 Adopt Resource Indicators or similar system to limit token access to resources
#
GWG
To concur with Zegnat, it's how the process applies
#
Zegnat
The resource one ... I am still not sure exactly how to scope this stuff. So that might be a bit early? Also sounds like something for the ticket auth extension and not indieauth proper? Maybe?
#
aaronpk
it's relevant to indieauth too since we already have multiple resources like micropub vs microsub
#
aaronpk
especialy since a micropub and microsub endpoint might be hosted on two totally separate systems
#
GWG
Zegnat: That's why discussing it belongs in IndieAuth. Ticket Auth is about delivery, it shouldn't be about the token
#
GWG
The token is issued by an IndieAuth token endpoint
#
Zegnat
I am super interested in the resource/realm thing. Though I do not feel like I have answers there yet.
#
GWG
Nor do I, but discussion is the answer
#
GWG
realm is a description of resource in this context.
jamie and PuercoPop joined the channel
#
GWG
resources seem to be URLs and realm is arbitrary text
#
aaronpk
IIRC the idea with "realm" was to use it for scoping access within one resource, so you could use it for indicating like which group of friends something is accessible to
#
GWG
We also have the question of how resource works...in terms of whether paths under it are allowed
#
Zegnat
root URI + realm = protection space. So different resources on the some domain can share realm to communicate that the user can use the same auth for all of them.
#
Zegnat
resources might be better, as we usually are pretty URL focused anyway
#
GWG
I need an example to get that
#
GWG
Zegnat: That's what I was thinking re resource
jamietanna joined the channel
#
jamietanna
Resources should follow https://www.rfc-editor.org/rfc/rfc8707.html#section-2 and would be parent paths
#
GWG
Yes, that's the question of whether we adopt that
cambridgeport90 and superkuh joined the channel
#
GWG
Maybe I'll write up some proposed language
#
GWG
The issue is whether we use resource or aud on the return
#
jamie
Interesting - would that be on the response for redeeming the ticket? `aud` to me would be the audience for the token i.e. `client_id` usually, or `subject` in the case of how we issue the ticket
#
GWG
I'm discussing it independent of ticket auth
#
GWG
In theory, whatever we adopt for IndieAuth for resource limitation is the parameter we'd use in ticket auth
#
GWG
So, if we adopt resource limitations in IndieAuth, then resource becomes an optional parameter for both endpoints
#
GWG
The authorization endpoint would accept it, and pass it when verifying tokens to the token endpoint
#
GWG
The token endpoint would require resource to be passed on redemption
#
GWG
The change to ticket auth to match would be requiring the resource be a parameter for grant_type ticket
#
GWG
When requesting a token, the client can indicate the desired target
#
GWG
service(s) where it intends to use that token by way of the
#
GWG
"resource" parameter and can indicate the desired scope of the
#
GWG
requested token using the "scope" parameter.
#
GWG
Of course, that assumes a disconnected token and authorization endpoint... which we don't assume in IndieAuth
[fluffy], jamietanna and [Murray] joined the channel
#
Zegnat
!tell GWG Any future tokens you request through a ticket from me should now have expires_in. Let me know if it looks right.
#
Loqi
Ok, I'll tell them that when I see them next
#
GWG
Zegnat: Will do . I'm looking into the db now because I have yet to build a UI
#
Loqi
GWG: Zegnat left you a message 1 minute ago: Any future tokens you request through a ticket from me should now have expires_in. Let me know if it looks right.
#
GWG
Reading oauth2.1
#
GWG
Have you read this re resource and audience? https://datatracker.ietf.org/doc/html/rfc8693#section-2.1
#
GWG
Specifically the audience and resource definition
#
Zegnat
Seems like they are used interchangably, with the difference that resource is URI based and audience name based?
#
Zegnat
I still think for IndieWeb things, focusing on resource is probably correct.
#
Zegnat
I keep being surprised how much JWT stuff is part of these specs
#
GWG
Well, aud and exp are JWT claims, which is why they are in the token introspection stuff
#
Zegnat
I am going to drop off the face of the earth for 24 hours or so now. But I am looking forward to reading up on your findings when I get back :)
#
GWG
Where to?
[Rose], KartikPrabhu, petermolnar, sknebel, strugee, doosboox, neocow, Seirdy, eco, geman, gerben, alex11, vilhalmer, mikeputnam and ZooT_aLLures joined the channel
#
@dshanske
After declaring my intention to help iterate on the Ticket extension to IndieAuth, I built an experimental ticket endpoint, which is available on my test site. I was able to test it using Martijn van Der Ven’s test form for requesting a ticket., after… https://di5.us/t/1Qr
(twitter.com/_/status/1412129563539279874)
#
GWG
!tell [fluffy] I have a basic ticket endpoint up if you want to test
#
Loqi
Ok, I'll tell them that when I see them next
#
@jmartsch
↩️ You could also use Webmentions, an open standard for a protocol to notify about links, likes or comments to a webpage. Here is an article describing it https://daily-dev-tips.com/posts/goodbye-comments-welcome-webmentions-%F0%9F%99%8B%F0%9F%8F%BC%E2%80%8D%E2%99%82%EF%B8%8F/
(twitter.com/_/status/1412155610007810050)
[jeremycherfas] and [fluffy] joined the channel
#
[fluffy]
@gwg awesome, I’ll have to actually get around to implementing my end of it as promised
#
[fluffy]
I guess I should also have a manual grant flow, rather than requiring folks to log in to trigger it
#
GWG
[fluffy]: Zegnat had a action=ticket post request to the token endpoint set up as a way to test
#
[fluffy]
yeah, I was going to have Publ initiate the grant if someone logs in with a profile that declares an endpoint, and there’s no reason there can’t also be a manual login flow for that
#
[fluffy]
…although I suppose that means Publ itself is going to have to be able to parse out the endpoint too. So maybe it should all be up to Publ to do that, instead of adding the endpoint discovery to Authl.
#
[fluffy]
also not sure how quickly I’ll be able to work on it, I’m experiencing some /life-happens lately.
#
[fluffy]
what is life happens?
#
Loqi
life happens is a summary expression of numerous things that people experience in their actual physical lives that suddenly take higher priority than nearly anything else (like participation in volunteer-based communities), and the IndieWeb community is here to acknowledge, accept, and be supportive of community members experiencing this https://indieweb.org/life_happens
#
GWG
[fluffy]: No rush. Just excited
#
[fluffy]
yeah same
#
GWG
I did a bunch of documentation stuff
#
[fluffy]
been wanting to get this sort of forward progress for over a year now 🙂
#
[fluffy]
awesome
#
[fluffy]
documentation++ gwg++
#
Loqi
documentation has 1 karma over the last year
#
Loqi
gwg has 15 karma in this channel over the last year (104 in all channels)
#
GWG
Including updates to the ticket auth page and proposals in the IndieAuth repo
[tantek] and [jacky] joined the channel
#
GWG
I'm trying to make the Ticket Auth page more protocol like. Anyone have any feedback on the formatting?