#dev 2021-07-08

2021-07-08 UTC
#
[fluffy] like my private blog posts are still at https://beesbuzz.biz/blog/ as the feed - no separate feed for private posts or whatever. I feel like people are expecting the indicated resource to specifically be the restricted content. Is the expectation that any post will generate a ticket sent to all trusted subscribers? Because that feels an awful lot like how ActivityPub privacy works, and it’s not great for a lot of reasons.
#
[fluffy] IMO the protocol should be like… `resource`/`realm` to point to where access is being granted, and `issuer` as an *optional* property indicating where the endpoint is declared. Or even declare the endpoint directly as `cb` or something.
#
aaronpk "Resource" could just as well describe the feed URL
#
aaronpk nothing says it has to be a single post
#
[fluffy] I mean, I don’t want to grant people access to the feed URL, I want to grant them access to my whole site
#
[fluffy] Publ itself doesn’t even know about “feeds,” those are just an index template as far as it’s concerned
#
[fluffy] and my intended flow was that if someone was to sign in via Authl then that’d trigger a ticket grant automatically, if they have a ticket endpoint. (And there’d also be a provision for folks to request a ticket grant.)
#
[fluffy] Like if someone gets a ticket from my site they can get a token that’s usable for the entire site.
#
aaronpk then the resource is your site
#
[fluffy] Okay, and that’s what my previous assumption was. But some of the commentary on the wiki page makes it sound like people want the tickets to be to a specific resource, i.e. just one page.
#
aaronpk reads
#
[fluffy] for example, “Jamie Tanna’s receiver supports resource and resource[]”
#
[fluffy] and then the talk about how if resource goes to a page that is a 404 if you’re not signed in, etc.
#
aaronpk so the resource indicator spec specificallly talks about the example you're talking about, where the resource could be the top-level page on the domain
#
[fluffy] Yeah, that was my read on it originally
#
[fluffy] My point is that I feel like other people are reading it differently, and that’s led to some confusion about what this even is.
#
[fluffy] Which is what leads to people adding things like `issuer` or `resource[]`
#
aaronpk multiple resources would be if you didn't want to use paths as a hierarchy
#
[fluffy] What’s the use case for that though?
#
aaronpk for example: example.com/one/ and example.com/two/ but not things at the top-level path
#
[fluffy] ah
#
[fluffy] but there’s still the whole `issuer` thing… if that’s just about where to discover the endpoint, why not declare the endpoint directly?
#
aaronpk or more concretely, if my home page was not a feed, and i have several feeds like /articles /notes, i could use multiple resource URIs to describe the multiple feeds without giving it access to the whole domain
#
[fluffy] (as an optional thing, with the default being “get it from the `resource`)
#
[fluffy] My home page is not a feed but it declares an atom feed. I also think I purposefully don’t have h-feed markup on my site yet (although I do plan on adding that someday)
#
[fluffy] I think I’ll go forward with implementing the spec as originally written, instead of trying to add in `issuer` etc.
#
aaronpk i still need to catch up on the issuer thing
#
[fluffy] Yeah I feel like there’s a lot of folks talking past each other based on assumptions about what `resource` means
#
[fluffy] The “open questions” section on the wiki page isn’t a good format for hashing this out. 🙂
#
aaronpk right, that's what github is for
#
aaronpk how did we end up with 5-deep nested discussions in the wiki?
#
[fluffy] Is ticketauth goign to be its own spec or will it be an addendum to indieauth?
#
aaronpk i would imagine it would be an extension
#
[fluffy] I kind of have a hope that ticketauth could be implemented independently of indieauth
#
aaronpk that's an interesting thought
#
[fluffy] like there’s nothing about it which explicitly requires indieauth
#
aaronpk independentely of what aspect of indieauth though?
#
[fluffy] the indieauth part
#
[fluffy] like. signing in with indieauth
#
aaronpk ...
#
aaronpk indieauth is a few things on top of oauth
#
[fluffy] The login flow.
#
[fluffy] Like it’s sort of an alternate login flow I guess? I dunno
#
[fluffy] ticketauth feels a lot simpler than indieauth
#
[fluffy] you could have a ticket_endpoint on your profile page without an authorization_endpoint
#
aaronpk it's simpler until you start trying to fill out all the details, the things that indieauth spells out
#
[fluffy] I guess that’s what I mean by ‘independent of indieauth’ - there’s no need for the authorization_endpoint on the part of the person getting the token
#
aaronpk sure, but then in practice you'll end up with something that acts basically like the authorization endpoint in the end by the time you build out the actual complete system. it just might not be described by the spec
#
[fluffy] like I could see some random non-indieweb feed reader like feedly or Feed-On-Feeds providing a ticket endpoint without having the rest of the indieauth thing
#
aaronpk this is why i like to think of specs as building blocks rather than thinking about things as alternatives to other things
#
[fluffy] sure
#
aaronpk the authorization endpoint and redirect flow solve a specific problem
#
aaronpk this current ticket auth proposal solves a different problem
#
[fluffy] I mean ticketauth is clearly a building block, it just feels like a separate/parallel block to the indieauth authorization flow
#
aaronpk i'm also a fan of requiring the fewest dependencies between specs as possible
#
[fluffy] yeah
#
[fluffy] but I mean it’s also fine for these to be separate/related bits of the same spec
#
[fluffy] they definitely have a lot in common
#
[fluffy] and the token grant part is very similar to the token grant part of IndieAuth
#
[fluffy] SelfAuth doesn’t provide a token grant mechanism AFAIK (and if it does I don’t use it) and Publ doesn’t make use of token grants either; it only cares about the authentication flow, rather than authorization.
#
aaronpk omg this discussion is so hard to follow on the wiki, can we please move it to github threads?
#
[fluffy] Ironic that the authentication flow goes through authorization_endpoint but names are hard
#
[fluffy] I absolutely agree
#
aaronpk i'm going to add the indieauth github issues link to that page
#
[fluffy] good idea
#
aaronpk no reason not to use the main indieauth github page for this even if they end up as separate specs later
#
[fluffy] yeah
#
[fluffy] and I mean given that the token grant is so similar it does seem like the default should be to make them part of the same spec, and just let it undergo mitosis later if necessary
#
[fluffy] the wiki-based discussion smells of bikeshedding to me
#
[fluffy] except people aren’t even in agreement of what kind of bike they’re building
#
aaronpk i made a label to find them: https://github.com/indieweb/indieauth/labels/ticket-auth
#
[fluffy] awesome
#
aaronpk the spec text and the indieweb examples are great for the wiki format, but gosh is discussion in that format a challenge
#
GWG aaronpk: Should we set up a separate github for ticket auth then?
#
GWG Sorry, scrolled down, saw the answer
#
GWG [fluffy]: I agree with you it is a parallel block. I tried to, when I reformatted it, to make it look that way.
#
GWG aaronpk: Do you have a comment on IndieAuth issue #81 and #82, which seem related to your #83 and #84?
#
aaronpk With another spec group im involved with, it started out all as one spec with one repo, and when it made sense, we split out a chunk into its own spec and made a new repo and moved all the issues over
#
GWG I was making the case to move the resource and expiration discussion into the main IndieAuth spec as that's token endpoint, not ticket endpoint business
#
GWG The only extension to IndieAuth is the ticket grant_type, and that could in theory work with other OAuth flavors, couldn't it?
#
[fluffy] It doesn’t even rely on OAuth really.
#
[fluffy] I mean it feels like an entirely parallel OAuth-esque flow
#
GWG [fluffy]: The ticket endpoint doesn't.
#
[fluffy] Maybe I don’t understand OAuth as much as I thought though :)
#
GWG The grant_type requires a token endpoint, in theory. Though you could implement an alternative way of redeeming the token
#
[fluffy] I mean the token endpoint doesn’t have to be an OAuth endpoint.
#
GWG So, sending the ticket is definitely not something that requires IndieAuth, OAuth2, etc.
#
GWG I suppose not.
#
GWG [fluffy]: Are there other commonly used token endpoints?
#
GWG I think it should be an OAuth2 token endpoint simply because there are a lot of those
#
GWG I may be totally off base, but I see ticket auth as follows.
#
GWG It is a specification that allows the receipt of tickets, or invitations to share private stuff, and redeem that invitation at an OAuth2 token endpoint with an new grant_type.
#
[fluffy] Yeah, I just mean that the ticket grant_type is easy to implement as its own thing without needing the rest of OAuth2.
#
GWG Yes.
#
[fluffy] like, the token endpoint I’m implementing in Publ literally does JUST ticketauth token grants
#
[fluffy] At least for now. I might implement the other token grant flow(s) later when I finally get around to adding, say, micropub support
#
[fluffy] but even then Publ itself is only an IndieAuth client, not a provider. Or rather it uses Authl which is only a client for a lot of things. It actually provides a few different OAuth client roles (indieauth, mastodon, and twitter for now, and I plan on eventually adding facebook and tumblr when I get around to it)
#
[fluffy] the email-based login flow isn’t using OAuth at all, either
#
[fluffy] and I still sometimes think about adding OpenID 1.x to it but that feels like a lost cause at this point
#
[fluffy] like everyone I know who would use that already signs in using twitter or mastodon
#
[fluffy] Hm, the IndieAuth token grant stuff never mentions `expires_in` but that’s come up in a few discussions of token refresh. Is there some reason why that isn’t described in e.g. https://indieauth.spec.indieweb.org/#access-token-response ?
#
[fluffy] The IndieAuth spec also never talks about the refresh flow.
#
GWG [fluffy]: I want it to.
#
[fluffy] oh, yeah, I Just saw https://github.com/indieweb/indieauth/issues/81
#
Loqi [dshanske] #81 Adopt Expiration and Refresh Tokens into the Spec
#
[fluffy] I think I’ll go ahead and provisionally support that in my endpoint… it’s easy enough for me to add.
#
[fluffy] and I guess while I”m at it I’d might as well implement token verification
#
batkin[m] I was curious if indieauth had a CVE, and it looks like we're popular enough! BTW my prototype has the same problem. #laziness https://github.com/advisories/GHSA-mjcr-rqjg-rhg3
#
batkin[m] well, not a CVE...
#
[fluffy] I now feel incredibly vindicated in my contribution to that part of the spec :3
#
[fluffy] although it sounds like that implementation isn’t even doing the basic URL verification thing
#
[fluffy] Well, wasn’t. The author has now added the full verification flow.
#
batkin[m] Yeah, the demo worked well, except one glitch i haven't figured out how to reproduce, which is either on datasette-indieauth or wordpress indieauth
#
batkin[m] So nice work!
#
batkin[m] The glitch was that the first time i tried to login i got Invalid State
#
batkin[m] And the next time it worked, and in a different browser instance it worked the first time
#
batkin[m] So it seems it might be some server state on either datasette or the wp plugin
#
GWG batkin[m]: I've never gotten anyone with a State error on WordPress
#
batkin[m] I'll try creating another wp account
#
batkin[m] GWG good to know
#
GWG batkin[m]: Happy to help, I wrote that code
Seirdy joined the channel
#
aaronpk Since IndieAuth is an extension of OAuth, it technically doesn't need to reproduce every aspect of OAuth like expires_in and refresh tokens in the spec. There's nothing about refresh tokens or expiring tokens unique to IndieAuth
#
aaronpk now, whether it's helpful to mention it non-normatively is something to consider
[tantek] joined the channel
#
GWG aaronpk: How would you phrase that?
[tw2113_Slack_] and capjamesg joined the channel
#
sknebel capjamesg: you can put <p> in <li>, yes
#
capjamesg Sorry. That should have been #dev. Thanks sknebel.
[tantek] and Zegnat joined the channel
#
capjamesg I'm just marking up the list of search results with lots of <p> tags but I feel each result should be grouped.
#
capjamesg Google just uses a lot of divs but I wondered if there was a more semantically appropriate approach.
hendursaga, Kaja and Zegnat joined the channel
#
sknebel [tantek]: hm, html5 spec says "flow content" without furhter restrictions as content model for <li>?
#
sknebel https://html.spec.whatwg.org/multipage/grouping-content.html#the-li-element
#
@lepture ↩️ https://typlog.com/integrations/webmention (twitter.com/_/status/1413060744929705986)
#
@leeiio ↩️ 应该是这个第三方服务 https://brid.gy/ (twitter.com/_/status/1413060592428994560)
#
capjamesg sknebel interesting.
#
sknebel (which was why I gave the answer I gave)
#
capjamesg Yep. I understand your perspective now. I'm curious to hear tantek's thoughts.
#
capjamesg sknebel https://stackoverflow.com/questions/3255109/marking-up-a-search-result-list-with-html5-semantics
#
capjamesg ol / ul / li seems to be the most common suggestion I've seen.
[Ana_Rodrigues] joined the channel
#
petermolnar capjamesg: I use a definition list.
#
petermolnar dt for title and link, dl for snippet
#
capjamesg petermolnar Interesting.
#
petermolnar is that a British "interesting" dripping with cynism, or an internation "interesting" with actual interest? :D
capjamesg joined the channel
#
capjamesg petermolnar do you think dl/dt is more appropriate than an ol for search results?
#
petermolnar I genuinely don't know. I always like dl, which is why I'm using it.
#
capjamesg I think I'll leave my implementation as ol for now. But I'm going to keep my eye on this.
#
capjamesg The <p> in the li element does not raise any validation issues with the HTML5 W3C validator.
rockorager, chenghiz_, GoldenEye, capjamesg, jamietanna and [fluffy] joined the channel
#
[fluffy] @batkin by the way anyauth.beesbuzz.biz is a thing you can use to check the validity of profile url verification
capjamesg joined the channel
#
GWG Okay. 5 people did +1 for Microsub, so I put in on the schedule.
#
GWG https://indieweb.org/2021/Pop-ups/Microsub - If people would like to add possible topics
#
GWG I'll likely do a run through the Issues Repo and try to suggest things
IWSlackGateway, rockorager, KartikPrabhu, capjamesg and [tantek] joined the channel
#
[tantek] sknebel, capjamesg, last time I tried, <li><p> or <li><blockquote> would autoclose the <li> before the subsequent opening tag. fairly certain this is still the case though I suppose we could create small example and check the DOM in dev tools
[jacky] and [chrisaldrich] joined the channel
#
sknebel works now
#
[tantek] wow
KartikPrabhu and [fluffy] joined the channel
#
[fluffy] Okay https://dev.beesbuzz.biz/ should have TicketAuth support now. THere are two ways to get a ticket… either sign in at https://dev.beesbuzz.biz/_login from an identity that declares a ticket_endpoint from your user profile page, or go to https://dev.beesbuzz.biz/_tokens?me=https://example.com or whatever
gRegor joined the channel
#
sknebel [fluffy]++
#
Loqi [fluffy] has 9 karma in this channel over the last year (40 in all channels)
#
[fluffy] Note that I’ve only unit tested it and would really appreciate someone trying to do a real end to end test. :)
#
[fluffy] Also testing to make sure that the resulting token works by retrieving https://dev.beesbuzz.biz/userinfo
#
GWG [fluffy]: I'm on mobile, but I triggered my endpoint... have to check later if I have a token
#
GWG Haven't built a way to use the token yet, just to store it
alex11 joined the channel
#
[fluffy] Sure, using the token is the next part. :)
#
[fluffy] I’ve supported a manual token acquisition flow for ages now and that works fine. But no readers support that.
#
GWG [fluffy]: What is that flow?
#
[fluffy] Going to beesbuzz.biz/profile and grabbing a beater token. :)
#
[fluffy] *bearer
Saphire joined the channel
#
[fluffy] Oh my token endpoint should also support the indieauth token verification flow but I haven’t tested that.
#
[fluffy] and I just added a unit test for the token verification flow, yay
#
Loqi does a happy dance!
[Ana_Rodrigues] joined the channel
#
[fluffy] well, sorta. I don’t have a ticketauth endpoint to actually test it with, but my synthetic test of just the verification part works.
#
GWG [fluffy]: I don't have a token. I'll have to figure out why.
#
GWG Need better logging, I guess
[tantek] and oodani joined the channel
#
GWG !tell [fluffy] For some reason, it's not finding the token endpoint. But I see it when I look for it at the resource URL
#
Loqi Ok, I'll tell them that when I see them next
oodani and justache joined the channel