#dev 2021-07-06

2021-07-06 UTC
#
GWG
[jacky]: What do you think?
#
[jacky]
so far, so good
#
[jacky]
interesting note regarding the introduction of a new link-rel
#
GWG
[jacky]: How so? It was implied before. I just tried to make it clearer
#
[jacky]
for some reason, I thought this would be like another kind of grant type
#
[jacky]
oh okay wait I see
#
[jacky]
is still reading - hasn't finished yet
#
[jacky]
hmm okay
#
[jacky]
this looks good to me!
#
GWG
Good...I tried to turn the original notes into something that looked a bit more detailed
#
[jacky]
but this looks implementable (obvs since people have already heh)
#
[jacky]
tbh I think this adds the last 'leg' in making protected posts a thing
#
GWG
The questions left are how to get the token from the ticket endpoint over to the client
#
GWG
But that's outside of this protocol
#
[jacky]
yeah! and that's better IMO (like it might make the spec a bit more abstract but it makes it up to the implementation's use case)
#
GWG
[jacky]: That's why I suggested we implement this... then we can solve the other problems around it
#
GWG
Resources can be discussed in IndieAuth proper
#
[jacky]
I'm still thinking about how to let someone _ask_ for a ticket tbh
#
[jacky]
the only place I can think of that would need to do this is within a Microsub client (for reasons)
#
[jacky]
or rather, would benefit immediately from this
#
GWG
[jacky]: Zegnat set it up to use a post action to the token endpoint with action=ticket
#
GWG
But that was for testing
[KevinMarks] and [snarfed] joined the channel
#
GWG
!tell Zegnat I'm not getting an expires_in
#
Loqi
Ok, I'll tell them that when I see them next
[tantek], jeremycherfas and [fluffy] joined the channel
#
[fluffy]
My initial implementation for requesting a ticket is just going to be by logging in.
#
[fluffy]
Like, I parse their profile when they sign in anyway, so if their profile includes a ticketauth endpoint, that’s a good time to send them a ticket.
#
GWG
Do you want me to test that?
#
[fluffy]
Eventually, sure
#
[fluffy]
Hmm, so, I’m just noticing that the token_endpoint declared for the final leg of the transaction is using the IndieAuth token endpoint? What if someone needs separate token endpoints for IndieAuth vs. TicketAuth?
#
GWG
[fluffy]: For what reason?
#
[fluffy]
Like someone might want to use one token endpoint for a standard token grant for a Micropub client, but a different one for the Ticket Auth flow.
#
[fluffy]
Also my hope in all this was that the token auth thing could be totally independent of IndieAuth.
#
GWG
[fluffy]: So you are proposing an alternate way of finding the token endpoint?
#
[fluffy]
Like there’s technically no requirement from the ticketauth flow’s perspective that I even use IndieAuth to provide my own identity
#
[fluffy]
I think I’m proposing an alternate endpoint discovery rel yeah
#
[fluffy]
maybe I”m overthinking things though
#
[fluffy]
like since there’s different grant_types there’s nothing that prevents like… simple proxying
#
[fluffy]
and I mean it’s not like Publ supports token grants for anything else just yet, and any interesting uses of that would still be Publ-specific, so yeah never mind
#
GWG
But this is what endpoint you advertise on the resource page.
#
GWG
[fluffy]: If you want a different endpoint, then just advertise it there.
#
GWG
It isn't necessarily the same one you advertise on your root
#
GWG
Thinking about that
#
GWG
I remember back in the day we discussed different webmention endpoints
#
GWG
Never caught on
Ruxton, jeremycherfas and [fluffy] joined the channel
#
[fluffy]
the thing is that I’d need to advertise them on my root
#
[fluffy]
like the token auth for getting an authenticated feed would be on the main page (or at least on the root level of what people are subscribing to a feed of), and the token auth for getting a micropub grant would be on the category page of where they’d be posting, etc.
#
[fluffy]
(which could also be root)
#
[fluffy]
I mean I guess I could have different pages for different roles or whatever
#
[fluffy]
but that doesn’t fit very well into publ’s model
jeremycherfas, [pfefferle], Ruxton and hendursa1 joined the channel
#
@rowanmanning
I just finished drafting a blog post that covers implementing Webmention on a static website. If this sounds intere… https://twitter.com/i/web/status/1412171439529238530
(twitter.com/_/status/1412171439529238530)
reed, [KevinMarks], shoesNsocks1 and jamietanna joined the channel
#
jamietanna
I think we should clarify the Ticket Auth page to use a non top-level `resource`, as I feel it's adding a bit of confusion because that's where the `rel=token_endpoint` is usually referenced from - anyone got objections if I update it?
[Ana_Rodrigues] joined the channel
#
GWG
jamietanna: Is that a recommendation or a requiremet?
capjamesg joined the channel
#
GWG
Trying to decide what is next on the ticket auth agenda for me
jamietanna1 joined the channel
#
jamietanna1
GWG I think I'm leaning more towards not requiring token_endpoint to be set on every page
#
GWG
jamietanna1: It should be on any page where it is required
#
GWG
As in, private content pages as you need to find it to redeem
#
GWG
And on the top level or any profile page for identity
#
GWG
The alternative is for it to be in what is sent to the ticket endpoint
#
jamietanna1
for simplicity, I think having it as just on the profile page makes more sense, rather than requiring it on each page
#
jamietanna1
and that we'd then send it to the ticket endpoint in a `issuer=$profile_url`
#
jamietanna
Is there any reason we may want a different token_endpoint between profile URL and pages? If so, I'd say it's better to leave it back to profile URL checks which folks are more likely to do
#
jamietanna
*to do and be used to
[Murray] and [manton] joined the channel
#
[manton]
In Micropub, I support paging through posts or media uploads via q=source, but I realized there’s no way to get the total number of expected posts (which would be useful for things like progress bars). Has anyone experimented with adding a “total post count” field somewhere?
[snarfed] joined the channel
#
[snarfed]
manton++
#
Loqi
manton has 22 karma in this channel over the last year (29 in all channels)
#
GWG
jamietanna: Then we need to add in the identity of the individual sending ticket as a parameter.
[KevinMarks] and [Ana_Rodrigues] joined the channel
#
GWG
jamietanna: Is there a security implication there?
#
@sprucekhalifa
↩️ Testing tweets of webmentions
(twitter.com/_/status/1412430673739239432)
[aciccarello] and jamietanna1 joined the channel
#
jamietanna1
GWG I wouldn't say so no - because if someone intercepted it they'd still know the resource they were given access to
#
GWG
Jamietanna1: Just want to make sure we write down we considered it in case someone asks
capjamesg joined the channel
#
GWG
The same way I added why short lived tickets, because when someone asked me that at HWC when we were chatting, I didn't have a quick answer ready that satisfied them
#
jamietanna1
Also looking for token endpoint links could highlight where private content is being hidden?
#
jamietanna1
That's fair
capjamesg joined the channel
#
GWG
Yes, that is a great explanation
#
GWG
I'll add that
capjamesg joined the channel
#
Zegnat
Note that it is up to the person sending a ticket (you) to tell the ticket endpoint (potential reader) where to look for a token endpoint through resource. E.g. my current implementation always hardcodes the resource to my top domain, so that would be the only place I ever need to advertise my token endpoint.
#
Loqi
Zegnat: GWG left you a message 15 hours, 15 minutes ago: I'm not getting an expires_in
#
Zegnat
That is weird, GWG. I will double check in a bit!
#
GWG
Zegnat: If you get a chance, read the recent notes from Jamietanna1, and look at my attempts to make the ticket auth page more spec like.
#
Zegnat
Probably tomorrow when I am less burned out, but it is on the list! I am first going to check why you are not getting an expires_in from my token endpoint...
cambridgeport90 and alex_ joined the channel
#
jamietanna1
Got what looks like a free day off tomorrow - hoping to get a ticket endpoint out for integration, although mine will require the `issuer` methinks, so may not work with others' out of the box
#
aaronpk
i'm going to have to do this too soon
#
jamietanna1
You only issue them for now don't you aaronpk? You don't support receiving?
#
aaronpk
and i haven't looked at any of the recent discussions yet
#
GWG
aaronpk: What do you think of the open questions? As an OAuth expert, your experience is really helpful
#
aaronpk
i need to review the scrollback
#
aaronpk
or are these captured on the wiki?
alex11 joined the channel
#
GWG
aaronpk: All except the latest comment from Jamietanna1, which I haven't added
#
GWG
What is Ticket Auth?
#
Loqi
It looks like we don't have a page for "Ticket Auth" yet. Would you like to create it? (Or just say "Ticket Auth is ____", a sentence describing the term)
#
GWG
What is IndieAuth Ticket Auth
#
Loqi
Ticket Auth is an extension to IndieAuth that enables a publisher to send authorization, known as a ticket, that can be redeemed for an access token https://indieweb.org/IndieAuth_Ticket_Auth
#
GWG
There it is
#
GWG
I tried to add everything and make it look more protocol like
#
GWG
There's a list of questions
#
GWG
I also added an issue to the IndieAuth repo about moving the resource discussion into that spec
[jacky] joined the channel
#
[jacky]
fluffy: the bit re: having them sign in to get a ticket is definitely a direct way to determine it!
#
GWG
[jacky]: Out of scope thus far for the spec though
#
[jacky]
gotcha
#
GWG
Though it is a problem we'll have to solve, this is all about delivery, not deciding how you decide to deliver
#
Zegnat
GWG: I just found why you are not getting the expired_in. Stressed me only added it to the DB query, but not to the part where I actually return it in the body
#
Zegnat
If you could try grabbing a ticket again? I _think_ you should now get the expires_in.
#
Zegnat
Are you storing that with the response?
#
GWG
Zegnat: I convert it into an absolute timestamp and store it
#
GWG
So yes
#
GWG
So I do time()+expires_in
#
Zegnat
Gotcha
#
Zegnat
Well, it should be included now when you redeem the ticket ... I hope ;)
KartikPrabhu joined the channel
#
GWG
I'll test it in a bit
#
GWG
I also built a barebones management UI that can request revokation
#
GWG
Do you support that?
#
Zegnat
But I can add support pretty easy, maybe even before create day this weekend. As I already support POST action=ticket. Just need to add a branch for action=revoke :)
#
GWG
Zegnat: My code tries it, but doesn't surface anything if it fails because failure looks like success according to the spec
#
Zegnat
Failure looks like success?
#
GWG
the revocation endpoint responds with HTTP 200 for both the case where the token was successfully revoked, or if the submitted token was invalid.
#
Zegnat
Oh, yes, that is true.
#
GWG
So no way to know if it worked
#
Zegnat
But I think if you send a revocation request to me, I am not sure if I would answer with an HTTP 200? If I do, that is actually a bug on my end.
#
GWG
Zegnat: More, without doing another validation request, I don't know it's gone
#
Zegnat
You should only send a 200 if you accept the revocation. It is only whether you actually did a revocation or not that should not be signalled by the status
#
Zegnat
Yes, that part is true :)
#
Zegnat
I thought you meant that you could not discover whether revocation requests were supported in the first place.
#
Loqi
yea!
#
Zegnat
It is kinda interesting how the reason why revocation always returns 200 (so you cannot try to guess tokens) is a little unneccessary with IndieAuth where token verification exists so I can go and check tokens there.
#
Zegnat
This is also why token introspection spec expects clients to send along a token that specifically has the right to check tokens. So introspection is not public as it is in IndieAuth
[Murray] joined the channel
#
GWG
Zegnat: Maybe you should propose that the token verification be protected by token
#
GWG
Certainly a good conversation topic
#
Zegnat
At that point, it should just be dropped from the spec in favour of introspection. But that might make it harder for people to onboard. So pros and cons there.
#
Zegnat
Will have a think about it. Do we have a page for discussion ideas for the popup yet?
#
jamietanna
you mean to require token verification to be protected by some client credentials? May need to look at how OAuth handles public, credentialed clients
#
aaronpk
note that it's not clients that are doing token verification/introspection
#
aaronpk
resource servers do that
#
jamietanna
I believe some clients _may_ be doing it i.e. to check the token works, but that's a fair point aaronpk
#
aaronpk
clients shouldn't be doing that in oauth or indieauth
KartikPrabhu joined the channel
#
Zegnat
No, but the point is they can do it. And it is the reason why introspection spec says all info requests need to have their own bearer token included.
#
Zegnat
So you would expect resource servers to have a token for that and be able to inspect tokens. But random clients do not have that token and thus cannot get the info
#
Zegnat
It was the main difference takeaway I got from reading introspection spec the other day
#
jamietanna
aaronpk what would a client be able to use to verify their token's expiry, other than the `expires_in` from the initial granting?
#
aaronpk
nothing, there's no need to
#
aaronpk
the client uses the token, it may or may not work
#
aaronpk
checking if it's going to work before using it is just adding an unnecessary request
#
GWG
Zegnat: The expires_in is there
#
GWG
Just checked.
#
Zegnat
yeay, means the fix worked. Thanks for checking GWG++
#
Loqi
GWG has 16 karma in this channel over the last year (105 in all channels)
#
Zegnat
Off to bed with me now. I’ll see about adding revocation in the short term. And then it is time to add some sort of hidden data thing to my homepage when you send a token along.
#
GWG
Progress is good
jamietanna joined the channel
#
GWG
Zegnat: I'm fine, just programmed my code to try and revoke
#
Zegnat
Dumb thing is, the revocation support and everything already exists in my actual token endpoint code (MinToken), it just does not in this quick endpoint for ticket auth
hendursa1, jeremycherfas, [schmarty] and nekr0z joined the channel
[tw2113_Slack_] joined the channel
#
[tw2113_Slack_]
good ole webmentions tests
hendursa1 joined the channel