#dev 2021-07-06

2021-07-06 UTC
# 01:30 
[jacky] peeks
# 01:31 
GWG [jacky]: What do you think?
# 01:31 
[jacky] so far, so good
# 01:32 
[jacky] interesting note regarding the introduction of a new link-rel
# 01:32 
GWG [jacky]: How so? It was implied before. I just tried to make it clearer
# 01:33 
[jacky] for some reason, I thought this would be like another kind of grant type
# 01:33 
[jacky] oh okay wait I see
# 01:33 
[jacky] is still reading - hasn't finished yet
# 01:35 
[jacky] hmm okay
# 01:35 
[jacky] this looks good to me!
# 01:36 
GWG Good...I tried to turn the original notes into something that looked a bit more detailed
# 01:36 
[jacky] but this looks implementable (obvs since people have already heh)
# 01:37 
[jacky] tbh I think this adds the last 'leg' in making protected posts a thing
# 01:39 
GWG The questions left are how to get the token from the ticket endpoint over to the client
# 01:39 
GWG But that's outside of this protocol
# 01:41 
[jacky] yeah! and that's better IMO (like it might make the spec a bit more abstract but it makes it up to the implementation's use case)
# 01:41 
GWG [jacky]: That's why I suggested we implement this... then we can solve the other problems around it
# 01:41 
GWG Resources can be discussed in IndieAuth proper
# 01:44 
[jacky] Yeah
# 01:44 
[jacky] I'm still thinking about how to let someone _ask_ for a ticket tbh
# 01:45 
[jacky] the only place I can think of that would need to do this is within a Microsub client (for reasons)
# 01:45 
[jacky] or rather, would benefit immediately from this
# 01:48 
GWG [jacky]: Zegnat set it up to use a post action to the token endpoint with action=ticket
# 01:48 
GWG But that was for testing
[KevinMarks] and [snarfed] joined the channel
# 02:42 
GWG !tell Zegnat I'm not getting an expires_in
# 02:42 
Loqi Ok, I'll tell them that when I see them next
[tantek], jeremycherfas and [fluffy] joined the channel
# 03:59 
[fluffy] My initial implementation for requesting a ticket is just going to be by logging in.
# 03:59 
[fluffy] Like, I parse their profile when they sign in anyway, so if their profile includes a ticketauth  endpoint, that’s a good time to send them a ticket.
# 04:00 
GWG Do you want me to test that?
# 04:13 
[fluffy] Eventually, sure
# 04:14 
[fluffy] Hmm, so, I’m just noticing that the token_endpoint declared for the final leg of the transaction is using the IndieAuth token endpoint? What if someone needs separate token endpoints for IndieAuth vs. TicketAuth?
# 04:15 
GWG [fluffy]: For what reason?
# 04:15 
[fluffy] Like someone might want to use one token endpoint for a standard token grant for a Micropub client, but a different one for the Ticket Auth flow.
# 04:15 
[fluffy] Also my hope in all this was that the token auth thing could be totally independent of IndieAuth.
# 04:16 
GWG [fluffy]: So you are proposing an alternate way of finding the token endpoint?
# 04:16 
[fluffy] Like there’s technically no requirement from the ticketauth flow’s perspective that I even use IndieAuth to provide my own identity
# 04:16 
[fluffy] I think I’m proposing an alternate endpoint discovery rel yeah
# 04:16 
[fluffy] maybe I”m overthinking things though
# 04:17 
[fluffy] like since there’s different grant_types there’s nothing that prevents like… simple proxying
# 04:17 
[fluffy] and I mean it’s not like Publ supports token grants for anything else just yet, and any interesting uses of that would still be Publ-specific, so yeah never mind
# 04:18 
GWG But this is what endpoint you advertise on the resource page.
# 04:18 
GWG [fluffy]: If you want a different endpoint, then just advertise it there.
# 04:18 
GWG It isn't necessarily the same one you advertise on your root
# 04:53 
GWG Thinking about that
# 04:58 
GWG I remember back in the day we discussed different webmention endpoints
# 04:58 
GWG Never caught on
Ruxton, jeremycherfas and [fluffy] joined the channel
# 07:18 
[fluffy] the thing is that I’d need to advertise them on my root
# 07:19 
[fluffy] like the token auth for getting an authenticated feed would be on the main page (or at least on the root level of what people are subscribing to a feed of), and the token auth for getting a micropub grant would be on the category page of where they’d be posting, etc.
# 07:19 
[fluffy] (which could also be root)
# 07:19 
[fluffy] I mean I guess I could have different pages for different roles or whatever
# 07:19 
[fluffy] but that doesn’t fit very well into publ’s model
jeremycherfas, [pfefferle], Ruxton and hendursa1 joined the channel
# 08:20 
@sprucekhalifa ↩️ Checking webmentions (twitter.com/_/status/1412324345842737154)
# 08:20 
@rowanmanning I just finished drafting a blog post that covers implementing Webmention on a static website. If this sounds intere… https://twitter.com/i/web/status/1412171439529238530 (twitter.com/_/status/1412171439529238530)
reed, [KevinMarks], shoesNsocks1 and jamietanna joined the channel
# 10:05 
jamietanna I think we should clarify the Ticket Auth page to use a non top-level `resource`, as I feel it's adding a bit of confusion because that's where the `rel=token_endpoint` is usually referenced from - anyone got objections if I update it?
[Ana_Rodrigues] joined the channel
# 11:48 
GWG jamietanna: Is that a recommendation or a requiremet?
capjamesg joined the channel
# 12:38 
GWG Trying to decide what is next on the ticket auth agenda for me
jamietanna1 joined the channel
# 12:55 
jamietanna1 GWG I think I'm leaning more towards not requiring token_endpoint to be set on every page
# 12:55 
GWG jamietanna1: It should be on any page where it is required
# 12:56 
GWG As in, private content pages as you need to find it to redeem
# 12:56 
GWG And on the top level or any profile page for identity
# 12:57 
GWG The alternative is for it to be in what is sent to the ticket endpoint
# 12:57 
jamietanna1 for simplicity, I think having it as just on the profile page makes more sense, rather than requiring it on each page
# 12:58 
jamietanna1 and that we'd then send it to the ticket endpoint in a `issuer=$profile_url`
# 13:08 
jamietanna Is there any reason we may want a different token_endpoint between profile URL and pages? If so, I'd say it's better to leave it back to profile URL checks which folks are more likely to do
# 13:08 
jamietanna *to do and be used to
[Murray] and [manton] joined the channel
# 14:15 
[manton] In Micropub, I support paging through posts or media uploads via q=source, but I realized there’s no way to get the total number of expected posts (which would be useful for things like progress bars). Has anyone experimented with adding a “total post count” field somewhere?
[snarfed] joined the channel
# 14:17 
[snarfed] manton++
# 14:17 
Loqi manton has 22 karma in this channel over the last year (29 in all channels)
# 14:41 
GWG jamietanna: Then we need to add in the identity of the individual sending ticket as a parameter.
[KevinMarks] and [Ana_Rodrigues] joined the channel
# 14:47 
GWG jamietanna: Is there a security implication there?
# 15:15 
@sprucekhalifa ↩️ Webmentions is on (twitter.com/_/status/1412429888938823683)
# 15:15 
@sprucekhalifa Testing webmentions

https://iamspruce.dev/blog/search-and-filter-component-in-reactjs (twitter.com/_/status/1412429789273673729)
# 15:20 
@sprucekhalifa ↩️ Testing tweets of webmentions (twitter.com/_/status/1412430673739239432)
[aciccarello] and jamietanna1 joined the channel
# 16:29 
jamietanna1 GWG I wouldn't say so no - because if someone intercepted it they'd still know the resource they were given access to
# 16:30 
GWG Jamietanna1: Just want to make sure we write down we considered it in case someone asks
capjamesg joined the channel
# 16:35 
GWG The same way I added why short lived tickets, because when someone asked me that at HWC when we were chatting, I didn't have a quick answer ready that satisfied them
# 16:36 
jamietanna1 Also looking for token endpoint links could highlight where private content is being hidden?
# 16:36 
jamietanna1 That's fair
capjamesg joined the channel
# 17:14 
GWG Yes, that is a great explanation
# 17:27 
GWG I'll add that
capjamesg joined the channel
# 17:57 
Zegnat Note that it is up to the person sending a ticket (you) to tell the ticket endpoint (potential reader) where to look for a token endpoint through resource. E.g. my current implementation always hardcodes the resource to my top domain, so that would be the only place I ever need to advertise my token endpoint.
# 17:57 
Loqi Zegnat: GWG left you a message 15 hours, 15 minutes ago: I'm not getting an expires_in
# 17:57 
Zegnat That is weird, GWG. I will double check in a bit!
# 17:58 
GWG Zegnat: If you get a chance, read the recent notes from Jamietanna1, and look at my attempts to make the ticket auth page more spec like.
# 18:03 
Zegnat Probably tomorrow when I am less burned out, but it is on the list! I am first going to check why you are not getting an expires_in from my token endpoint...
cambridgeport90 and alex_ joined the channel
# 18:17 
jamietanna1 Got what looks like a free day off tomorrow - hoping to get a ticket endpoint out for integration, although mine will require the `issuer` methinks, so may not work with others' out of the box
# 18:17 
aaronpk i'm going to have to do this too soon
# 18:19 
jamietanna1 You only issue them for now don't you aaronpk? You don't support receiving?
# 18:22 
aaronpk and i haven't looked at any of the recent discussions yet
# 18:22 
GWG aaronpk: What do you think of the open questions? As an OAuth expert, your experience is really helpful
# 18:22 
aaronpk i need to review the scrollback
# 18:23 
aaronpk or are these captured on the wiki?
alex11 joined the channel
# 18:25 
GWG aaronpk: All except the latest comment from Jamietanna1, which I haven't added
# 18:25 
GWG What is Ticket Auth?
# 18:25 
Loqi It looks like we don't have a page for "Ticket Auth" yet. Would you like to create it? (Or just say "Ticket Auth is ____", a sentence describing the term)
# 18:25 
GWG What is IndieAuth Ticket Auth
# 18:25 
Loqi Ticket Auth is an extension to IndieAuth that enables a publisher to send authorization, known as a ticket, that can be redeemed for an access token https://indieweb.org/IndieAuth_Ticket_Auth
# 18:25 
GWG There it is
# 18:26 
GWG I tried to add everything and make it look more protocol like
# 18:26 
GWG There's a list of questions
# 18:26 
GWG I also added an issue to the IndieAuth repo about moving the resource discussion into that spec
[jacky] joined the channel
# 18:31 
[jacky] fluffy: the bit re: having them sign in to get a ticket is definitely a direct way to determine it!
# 18:35 
GWG [jacky]: Out of scope thus far for the spec though
# 18:45 
[jacky] gotcha
# 18:52 
GWG Though it is a problem we'll have to solve, this is all about delivery, not deciding how you decide to deliver
# 18:57 
Zegnat GWG: I just found why you are not getting the expired_in. Stressed me only added it to the DB query, but not to the part where I actually return it in the body
# 18:59 
Zegnat If you could try grabbing a ticket again? I _think_ you should now get the expires_in.
# 18:59 
Zegnat Are you storing that with the response?
# 19:08 
GWG Zegnat: I convert it into an absolute timestamp and store it
# 19:09 
GWG So yes
# 19:09 
GWG So I do time()+expires_in
# 19:09 
Zegnat Gotcha
# 19:10 
Zegnat Well, it should be included now when you redeem the ticket ... I hope ;)
KartikPrabhu joined the channel
# 19:15 
GWG I'll test it in a bit
# 19:16 
GWG I also built a barebones management UI that can request revokation
# 19:16 
GWG Do you support that?
# 19:27 
Zegnat No
# 19:28 
Zegnat But I can add support pretty easy, maybe even before create day this weekend. As I already support POST action=ticket. Just need to add a branch for action=revoke :)
# 19:50 
GWG Zegnat: My code tries it, but doesn't surface anything if it fails because failure looks like success according to the spec
# 19:51 
Zegnat Failure looks like success?
# 19:56 
GWG https://indieauth.spec.indieweb.org/#token-revocation-request
# 19:56 
GWG the revocation endpoint responds with HTTP 200 for both the case where the token was successfully revoked, or if the submitted token was invalid.
# 19:56 
Zegnat Oh, yes, that is true.
# 19:57 
GWG  So no way to know if it worked
# 19:57 
Zegnat But I think if you send a revocation request to me, I am not sure if I would answer with an HTTP 200? If I do, that is actually a bug on my end.
# 19:57 
GWG Zegnat: More, without doing another validation request, I don't know it's gone
# 19:57 
Zegnat You should only send a 200 if you accept the revocation. It is only whether you actually did a revocation or not that should not be signalled by the status
# 19:58 
Zegnat Yes, that part is true :)
# 19:58 
Zegnat I thought you meant that you could not discover whether revocation requests were supported in the first place.
# 19:58 
Loqi yea!
# 20:21 
Zegnat It is kinda interesting how the reason why revocation always returns 200 (so you cannot try to guess tokens) is a little unneccessary with IndieAuth where token verification exists so I can go and check tokens there.
# 20:21 
Zegnat This is also why token introspection spec expects clients to send along a token that specifically has the right to check tokens. So introspection is not public as it is in IndieAuth
[Murray] joined the channel
# 20:34 
GWG Zegnat: Maybe you should propose that the token verification be protected by token
# 20:34 
GWG Certainly a good conversation topic
# 20:35 
Zegnat At that point, it should just be dropped from the spec in favour of introspection. But that might make it harder for people to onboard. So pros and cons there.
# 20:35 
Zegnat Will have a think about it. Do we have a page for discussion ideas for the popup yet?
# 20:36 
jamietanna you mean to require token verification to be protected by some client credentials? May need to look at how OAuth handles public, credentialed clients
# 20:37 
aaronpk note that it's not clients that are doing token verification/introspection
# 20:37 
aaronpk resource servers do that
# 20:38 
jamietanna I believe some clients _may_ be doing it i.e. to check the token works, but that's a fair point aaronpk
# 20:39 
aaronpk clients shouldn't be doing that in oauth or indieauth
KartikPrabhu joined the channel
# 20:45 
Zegnat No, but the point is they can do it. And it is the reason why introspection spec says all info requests need to have their own bearer token included.
# 20:46 
Zegnat So you would expect resource servers to have a token for that and be able to inspect tokens. But random clients do not have that token and thus cannot get the info
# 20:46 
Zegnat It was the main difference takeaway I got from reading introspection spec the other day
# 20:59 
jamietanna aaronpk what would a client be able to use to verify their token's expiry, other than the `expires_in` from the initial granting?
# 21:04 
aaronpk nothing, there's no need to
# 21:05 
aaronpk the client uses the token, it may or may not work
# 21:05 
aaronpk checking if it's going to work before using it is just adding an unnecessary request
# 21:06 
GWG Zegnat: The expires_in is there
# 21:06 
GWG Just checked.
# 21:07 
Zegnat yeay, means the fix worked. Thanks for checking GWG++
# 21:07 
Loqi GWG has 16 karma in this channel over the last year (105 in all channels)
# 21:07 
Zegnat Off to bed with me now. I’ll see about adding revocation in the short term. And then it is time to add some sort of hidden data thing to my homepage when you send a token along.
# 21:08 
GWG Progress is good
jamietanna joined the channel
# 21:09 
GWG Zegnat: I'm fine, just programmed my code to try and revoke
# 21:10 
Zegnat Dumb thing is, the revocation support and everything already exists in my actual token endpoint code (MinToken), it just does not in this quick endpoint for ticket auth
hendursa1, jeremycherfas, [schmarty] and nekr0z joined the channel
# 23:20 
@sprucekhalifa Webmentions test

https://iamspruce.dev/blog/ways-to-use-google-like-a-pro (twitter.com/_/status/1412551431396134912)
[tw2113_Slack_] joined the channel
# 23:22 
[tw2113_Slack_] good ole webmentions tests
hendursa1 joined the channel