[tantek], jeremycherfas and [fluffy] joined the channel
#[fluffy]My initial implementation for requesting a ticket is just going to be by logging in.
#[fluffy]Like, I parse their profile when they sign in anyway, so if their profile includes a ticketauth endpoint, that’s a good time to send them a ticket.
#[fluffy]Hmm, so, I’m just noticing that the token_endpoint declared for the final leg of the transaction is using the IndieAuth token endpoint? What if someone needs separate token endpoints for IndieAuth vs. TicketAuth?
#[fluffy]Like someone might want to use one token endpoint for a standard token grant for a Micropub client, but a different one for the Ticket Auth flow.
#[fluffy]Also my hope in all this was that the token auth thing could be totally independent of IndieAuth.
#GWG[fluffy]: So you are proposing an alternate way of finding the token endpoint?
#[fluffy]Like there’s technically no requirement from the ticketauth flow’s perspective that I even use IndieAuth to provide my own identity
#[fluffy]I think I’m proposing an alternate endpoint discovery rel yeah
#[fluffy]like since there’s different grant_types there’s nothing that prevents like… simple proxying
#[fluffy]and I mean it’s not like Publ supports token grants for anything else just yet, and any interesting uses of that would still be Publ-specific, so yeah never mind
#GWGBut this is what endpoint you advertise on the resource page.
#GWG[fluffy]: If you want a different endpoint, then just advertise it there.
#GWGIt isn't necessarily the same one you advertise on your root
Ruxton, jeremycherfas and [fluffy] joined the channel
#[fluffy]the thing is that I’d need to advertise them on my root
#[fluffy]like the token auth for getting an authenticated feed would be on the main page (or at least on the root level of what people are subscribing to a feed of), and the token auth for getting a micropub grant would be on the category page of where they’d be posting, etc.
reed, [KevinMarks], shoesNsocks1 and jamietanna joined the channel
#jamietannaI think we should clarify the Ticket Auth page to use a non top-level `resource`, as I feel it's adding a bit of confusion because that's where the `rel=token_endpoint` is usually referenced from - anyone got objections if I update it?
[Ana_Rodrigues] joined the channel
#GWGjamietanna: Is that a recommendation or a requiremet?
capjamesg joined the channel
#GWGTrying to decide what is next on the ticket auth agenda for me
jamietanna1 joined the channel
#jamietanna1GWG I think I'm leaning more towards not requiring token_endpoint to be set on every page
#GWGjamietanna1: It should be on any page where it is required
#GWGAs in, private content pages as you need to find it to redeem
#GWGAnd on the top level or any profile page for identity
#GWGThe alternative is for it to be in what is sent to the ticket endpoint
#jamietanna1for simplicity, I think having it as just on the profile page makes more sense, rather than requiring it on each page
#jamietanna1and that we'd then send it to the ticket endpoint in a `issuer=$profile_url`
#jamietannaIs there any reason we may want a different token_endpoint between profile URL and pages? If so, I'd say it's better to leave it back to profile URL checks which folks are more likely to do
#[manton]In Micropub, I support paging through posts or media uploads via q=source, but I realized there’s no way to get the total number of expected posts (which would be useful for things like progress bars). Has anyone experimented with adding a “total post count” field somewhere?
#jamietanna1GWG I wouldn't say so no - because if someone intercepted it they'd still know the resource they were given access to
#GWGJamietanna1: Just want to make sure we write down we considered it in case someone asks
capjamesg joined the channel
#GWGThe same way I added why short lived tickets, because when someone asked me that at HWC when we were chatting, I didn't have a quick answer ready that satisfied them
#jamietanna1Also looking for token endpoint links could highlight where private content is being hidden?
#ZegnatNote that it is up to the person sending a ticket (you) to tell the ticket endpoint (potential reader) where to look for a token endpoint through resource. E.g. my current implementation always hardcodes the resource to my top domain, so that would be the only place I ever need to advertise my token endpoint.
#LoqiZegnat: GWG left you a message 15 hours, 15 minutes ago: I'm not getting an expires_in
#ZegnatThat is weird, GWG. I will double check in a bit!
#GWGZegnat: If you get a chance, read the recent notes from Jamietanna1, and look at my attempts to make the ticket auth page more spec like.
#ZegnatProbably tomorrow when I am less burned out, but it is on the list! I am first going to check why you are not getting an expires_in from my token endpoint...
cambridgeport90 and alex_ joined the channel
#jamietanna1Got what looks like a free day off tomorrow - hoping to get a ticket endpoint out for integration, although mine will require the `issuer` methinks, so may not work with others' out of the box
#LoqiIt looks like we don't have a page for "Ticket Auth" yet. Would you like to create it? (Or just say "Ticket Auth is ____", a sentence describing the term)
#LoqiTicket Auth is an extension to IndieAuth that enables a publisher to send authorization, known as a ticket, that can be redeemed for an access token https://indieweb.org/IndieAuth_Ticket_Auth
#GWGThough it is a problem we'll have to solve, this is all about delivery, not deciding how you decide to deliver
#ZegnatGWG: I just found why you are not getting the expired_in. Stressed me only added it to the DB query, but not to the part where I actually return it in the body
#ZegnatIf you could try grabbing a ticket again? I _think_ you should now get the expires_in.
#ZegnatBut I can add support pretty easy, maybe even before create day this weekend. As I already support POST action=ticket. Just need to add a branch for action=revoke :)
#GWGZegnat: My code tries it, but doesn't surface anything if it fails because failure looks like success according to the spec
#ZegnatBut I think if you send a revocation request to me, I am not sure if I would answer with an HTTP 200? If I do, that is actually a bug on my end.
#GWGZegnat: More, without doing another validation request, I don't know it's gone
#ZegnatYou should only send a 200 if you accept the revocation. It is only whether you actually did a revocation or not that should not be signalled by the status
#ZegnatIt is kinda interesting how the reason why revocation always returns 200 (so you cannot try to guess tokens) is a little unneccessary with IndieAuth where token verification exists so I can go and check tokens there.
#ZegnatThis is also why token introspection spec expects clients to send along a token that specifically has the right to check tokens. So introspection is not public as it is in IndieAuth
[Murray] joined the channel
#GWGZegnat: Maybe you should propose that the token verification be protected by token
#ZegnatAt that point, it should just be dropped from the spec in favour of introspection. But that might make it harder for people to onboard. So pros and cons there.
#ZegnatWill have a think about it. Do we have a page for discussion ideas for the popup yet?
#jamietannayou mean to require token verification to be protected by some client credentials? May need to look at how OAuth handles public, credentialed clients
#aaronpknote that it's not clients that are doing token verification/introspection
#jamietannaI believe some clients _may_ be doing it i.e. to check the token works, but that's a fair point aaronpk
#aaronpkclients shouldn't be doing that in oauth or indieauth
KartikPrabhu joined the channel
#ZegnatNo, but the point is they can do it. And it is the reason why introspection spec says all info requests need to have their own bearer token included.
#ZegnatSo you would expect resource servers to have a token for that and be able to inspect tokens. But random clients do not have that token and thus cannot get the info
#ZegnatIt was the main difference takeaway I got from reading introspection spec the other day
#jamietannaaaronpk what would a client be able to use to verify their token's expiry, other than the `expires_in` from the initial granting?
#Zegnatyeay, means the fix worked. Thanks for checking GWG++
#LoqiGWG has 16 karma in this channel over the last year (105 in all channels)
#ZegnatOff to bed with me now. I’ll see about adding revocation in the short term. And then it is time to add some sort of hidden data thing to my homepage when you send a token along.
#GWGZegnat: I'm fine, just programmed my code to try and revoke
#ZegnatDumb thing is, the revocation support and everything already exists in my actual token endpoint code (MinToken), it just does not in this quick endpoint for ticket auth
hendursa1, jeremycherfas, [schmarty] and nekr0z joined the channel