#[fluffy]like my private blog posts are still at https://beesbuzz.biz/blog/ as the feed - no separate feed for private posts or whatever. I feel like people are expecting the indicated resource to specifically be the restricted content. Is the expectation that any post will generate a ticket sent to all trusted subscribers? Because that feels an awful lot like how ActivityPub privacy works, and it’s not great for a lot of reasons.
#[fluffy]IMO the protocol should be like… `resource`/`realm` to point to where access is being granted, and `issuer` as an *optional* property indicating where the endpoint is declared. Or even declare the endpoint directly as `cb` or something.
#aaronpk"Resource" could just as well describe the feed URL
#[fluffy]I mean, I don’t want to grant people access to the feed URL, I want to grant them access to my whole site
#[fluffy]Publ itself doesn’t even know about “feeds,” those are just an index template as far as it’s concerned
#[fluffy]and my intended flow was that if someone was to sign in via Authl then that’d trigger a ticket grant automatically, if they have a ticket endpoint. (And there’d also be a provision for folks to request a ticket grant.)
#[fluffy]Like if someone gets a ticket from my site they can get a token that’s usable for the entire site.
#[fluffy]Okay, and that’s what my previous assumption was. But some of the commentary on the wiki page makes it sound like people want the tickets to be to a specific resource, i.e. just one page.
#[fluffy]for example, “Jamie Tanna’s receiver supports resource and resource[]”
#[fluffy]and then the talk about how if resource goes to a page that is a 404 if you’re not signed in, etc.
#aaronpkso the resource indicator spec specificallly talks about the example you're talking about, where the resource could be the top-level page on the domain
#[fluffy]but there’s still the whole `issuer` thing… if that’s just about where to discover the endpoint, why not declare the endpoint directly?
#aaronpkor more concretely, if my home page was not a feed, and i have several feeds like /articles/notes, i could use multiple resource URIs to describe the multiple feeds without giving it access to the whole domain
#[fluffy](as an optional thing, with the default being “get it from the `resource`)
#[fluffy]My home page is not a feed but it declares an atom feed. I also think I purposefully don’t have h-feed markup on my site yet (although I do plan on adding that someday)
#[fluffy]I think I’ll go forward with implementing the spec as originally written, instead of trying to add in `issuer` etc.
#aaronpki still need to catch up on the issuer thing
#[fluffy]Yeah I feel like there’s a lot of folks talking past each other based on assumptions about what `resource` means
#[fluffy]The “open questions” section on the wiki page isn’t a good format for hashing this out. 🙂
#[fluffy]Like it’s sort of an alternate login flow I guess? I dunno
#[fluffy]ticketauth feels a lot simpler than indieauth
#[fluffy]you could have a ticket_endpoint on your profile page without an authorization_endpoint
#aaronpkit's simpler until you start trying to fill out all the details, the things that indieauth spells out
#[fluffy]I guess that’s what I mean by ‘independent of indieauth’ - there’s no need for the authorization_endpoint on the part of the person getting the token
#aaronpksure, but then in practice you'll end up with something that acts basically like the authorization endpoint in the end by the time you build out the actual complete system. it just might not be described by the spec
#[fluffy]like I could see some random non-indieweb feed reader like feedly or Feed-On-Feeds providing a ticket endpoint without having the rest of the indieauth thing
#aaronpkthis is why i like to think of specs as building blocks rather than thinking about things as alternatives to other things
#[fluffy]and the token grant part is very similar to the token grant part of IndieAuth
#[fluffy]SelfAuth doesn’t provide a token grant mechanism AFAIK (and if it does I don’t use it) and Publ doesn’t make use of token grants either; it only cares about the authentication flow, rather than authorization.
#aaronpkomg this discussion is so hard to follow on the wiki, can we please move it to github threads?
#[fluffy]Ironic that the authentication flow goes through authorization_endpoint but names are hard
#[fluffy]and I mean given that the token grant is so similar it does seem like the default should be to make them part of the same spec, and just let it undergo mitosis later if necessary
#[fluffy]the wiki-based discussion smells of bikeshedding to me
#[fluffy]except people aren’t even in agreement of what kind of bike they’re building
#GWG[fluffy]: I agree with you it is a parallel block. I tried to, when I reformatted it, to make it look that way.
#GWGaaronpk: Do you have a comment on IndieAuth issue #81 and #82, which seem related to your #83 and #84?
#aaronpkWith another spec group im involved with, it started out all as one spec with one repo, and when it made sense, we split out a chunk into its own spec and made a new repo and moved all the issues over
#GWGI was making the case to move the resource and expiration discussion into the main IndieAuth spec as that's token endpoint, not ticket endpoint business
#GWGThe only extension to IndieAuth is the ticket grant_type, and that could in theory work with other OAuth flavors, couldn't it?
#GWG[fluffy]: Are there other commonly used token endpoints?
#GWGI think it should be an OAuth2 token endpoint simply because there are a lot of those
#GWGI may be totally off base, but I see ticket auth as follows.
#GWGIt is a specification that allows the receipt of tickets, or invitations to share private stuff, and redeem that invitation at an OAuth2 token endpoint with an new grant_type.
#[fluffy]Yeah, I just mean that the ticket grant_type is easy to implement as its own thing without needing the rest of OAuth2.
#[fluffy]like, the token endpoint I’m implementing in Publ literally does JUST ticketauth token grants
#[fluffy]At least for now. I might implement the other token grant flow(s) later when I finally get around to adding, say, micropub support
#[fluffy]but even then Publ itself is only an IndieAuth client, not a provider. Or rather it uses Authl which is only a client for a lot of things. It actually provides a few different OAuth client roles (indieauth, mastodon, and twitter for now, and I plan on eventually adding facebook and tumblr when I get around to it)
#[fluffy]the email-based login flow isn’t using OAuth at all, either
#[fluffy]and I still sometimes think about adding OpenID 1.x to it but that feels like a lost cause at this point
#[fluffy]like everyone I know who would use that already signs in using twitter or mastodon
#[fluffy]I now feel incredibly vindicated in my contribution to that part of the spec :3
#[fluffy]although it sounds like that implementation isn’t even doing the basic URL verification thing
#[fluffy]Well, wasn’t. The author has now added the full verification flow.
#batkin[m]Yeah, the demo worked well, except one glitch i haven't figured out how to reproduce, which is either on datasette-indieauth or wordpress indieauth
#aaronpkSince IndieAuth is an extension of OAuth, it technically doesn't need to reproduce every aspect of OAuth like expires_in and refresh tokens in the spec. There's nothing about refresh tokens or expiring tokens unique to IndieAuth
#aaronpknow, whether it's helpful to mention it non-normatively is something to consider
#GWGI'll likely do a run through the Issues Repo and try to suggest things
IWSlackGateway, rockorager, KartikPrabhu, capjamesg and [tantek] joined the channel
#[tantek]sknebel, capjamesg, last time I tried, <li><p> or <li><blockquote> would autoclose the <li> before the subsequent opening tag. fairly certain this is still the case though I suppose we could create small example and check the DOM in dev tools