jeremycherfas, hendursaga, vilhalmer, alex11, geman, gerben, neocow, eco, mikeputnam, strugee, doosboox, petermolnar, capjamesg, hendursa1 and jjuran joined the channel
#capjamesgI have a somewhat unique problem that I need help with.
#capjamesgI'm building a search engine for my blog (https://search.jamesg.blog). The engine functions as intended except for one feature I'd like to add: image search that lets you see images.
#capjamesgThe trouble is that my images are quite large so loading them on the image search would result in quite a bulky page.
#capjamesgIs the best way to do this to create small thumbnail images to show in search on crawl?
#ZegnatIf you now request my homepage with an authorization token, my display photo should swap out for a picture I just took before :D I wanted to do this to show of my new hair colour, but I need much better lighting :(
#ZegnatIt will also put a little "welcome $URL" at the top, so you know you are browsing the page in logged in mode
#sknebelrealistically I shouldn't use this code because whoever wrote it was an idiot who wrote hard to understand code I'm not actually sure it does it right
#Zegnatticket is pretty much the same as code, but with grant_type authroization_code the spec requires e.g. redirect_uri to be set. So I think really the only reason for ticket is to use a different grant_type and being able to separate the two paths that led to a valid token
#Zegnatis reading Token Introspection again and comparing to IndieAuth token verification and having thoughts^{tm}
#ZegnatSo here is a question: is anyone using token verification requests for anything?
#aaronpkwell that's how Aperture is able to verify tokens from my site
j9hs joined the channel
#GWGZegnat: I just built token verification. Does your endpoint support it?
#ZegnatI was just thinking because it does not follow some of the security considerations of token intropection, which is basically the same thing but a separate OAuth extension
#ZegnatGWG: no, my resource servers just access the db directly so I do not need to support that
#aaronpkso for Aperture to support the OAuth token introspection spec, I would need to create an additional setup step for people to enter some sort of credentials from their token endpoint into Aperture so that it could make authorized introspection requests
#sknebeltoken introspection is "trusted" access to see details about a token?
#aaronpkbut yeah the more interesting question is that
#aaronpkhow much of the token details you want to expose to the application and end user
#ZegnatI was also thinking about this because I am thinking of ticket auth, and if more information might end up in that response
#sknebelhm, I think I can justify breaking support for the private webmention spec only sebsel ever implemented while doing this :D
#ZegnatAlso re refresh discussions, about maybe putting expiration time in the token verification response. I just feel like there is a risk where a fuzzy line is crossed and we might leak too much token information public.
#ZegnatBut maybe not that big a concern. I was just wondering if it could go the way of other older features and be dropped from indieauth if nobody is using it (all introspection happens proprietary behind the scenes) and we could just point at the introspection spec for interop
#aaronpkthere is definitely use of it currently with aperture
#sknebelah, hm, I still use tickets.indieauth.com for my main page. so I need to send tickets for other urls, not for that :D
[fluffy] joined the channel
#[fluffy]My tickets/tokens are a signed content blob (using ItsDangerous), and only contain the identity, the scope, and the expiration. All other access information is purely managed server-side.
#aaronpki'm doing this entirely server-side with random strings for everything
#aaronpkwell, "better" considering certain priorities
#[fluffy]Eventually I want to add the option to make pure-server-side token storage to Publ, itโs just that I have an underlying design decision that Publ should be as stateless as possible.
#[fluffy]I did eventually add an abstraction to Authl to allow stateful token storage as a configuration thing and I plan on putting that in Publ too. And Publ can use stateful sessions since thatโs a standard Flask feature, but tokens use a different mechanism.
#[fluffy]Publ tokens basically reimplement Flask sessions the long way around, which is annoying but I couldnโt figure out how to use Flaskโs built-in stuff without committing some major layer violations.
#GWGI just added the code to delete tokens from my external token store when expired, only allow the user who owns the store to retrieve tokens from it, and if there's a refresh token, to try to redeem it on expiry.
#[fluffy]The way I implemented refresh tokens, once the original token expires, so has the refresh token. Is the general guidance that the consumer should refresh before expiration, or that the producer should provide some leeway?
#aaronpkthe idea with refresh token is that they last longer than the access token
#aaronpkotherwise there's no point in a refresh token
#aaronpkit's meant to last for the duration of the authorization being granted
#aaronpkwhereas you may want an access token to last significantly shorter than the authorization
#[fluffy]I was taking my intuition from how WebSub refresh tokens work, where itโs up to the consumer to refresh before it expires, rather than up to the producer to honor a refresh token thatโs already expired.
#aaronpkso you might say "I am authorizing this micropub client to create posts on my website indefinitely" but you might not want access tokens to last forever
#[fluffy]like the way things stand in Publ, when you get a token, the access token will have an expiration of, say, 1 month, and the refresh token will also have an expiration of 1 month, and you can use the refresh token to acquire a new access token before the access token expires.
#aaronpkah, the "expire if not used by" model works too
#[fluffy]Given that refresh tokens donโt even exist in the indieauth spec right now, I feel comfortable waiting for use cases and semantics to be settled better ๐
#aaronpki still don't think there is any need to define any specific behavior about refresh tokens in indieauth
#aaronpkas far as i can tell there is nothing unique to indieauth about anything to do with refresh tokens
#[fluffy]I was just defaulting to how WebSub refresh tokens work because thatโs the first spec I ever implemented that spelled it out
#[fluffy]Yeah itโs just that likeโฆ the way that tokens are used for ticketauth is different than how theyโre used for, say, micropub, apparently
#ZegnatI would need to check up on WebSub. It feels a little weird to me. Intuitively I would be using an access token all the time, until I hit a 4xx with it, then I will dig up the refresh token to get myself a new one. If the refresh token then fails, I need to go request authorization from scratch.
#[fluffy]or at least thatโs what Iโm inferring from your micropub example
#aaronpkbut still nothing particularly special about refresh tokens in either case
#[fluffy]okay I was misremembering websubโs expiration thing
#ZegnatOnce you have redeemed the ticket at the token endpoint, we are back in default OAuth 2.0 land, I think?
#aaronpkyep ticket auth is just a different way to get an access token (and potentially could include a refresh token too)
#[fluffy]In websub, the lease_seconds just tells you how long the subscription will stay active, as guidance to the consumer for when to initiate a new subscription request. Thereโs no such thing as a refresh token in it.
#[fluffy]and in Feed On Feeds I chose to make it preemptively refresh the subscription at poll time if itโs about to expire.
#GWGI still want IndieAuth to reference the refresh_token spec.
#GWGZegnat: By the way, used that Firefox addon to get your alternative picture
#aaronpkindieauth can mention refresh tokens but there's nothing to reference since it's not adding any new behavior about refresh tokens
#ZegnatGWG: aah, it worked? Always good to have someone else confirm it! :D
#aaronpkalso refresh tokens are part of the core oauth 2 spec, so technically they are already referenced by indieauth
#[fluffy]I like when specs provide the information about the โsee alsoโ for other specs that they rely on
#[fluffy]like as someone whoโs implementing indieauth directly but gives approximately zero craps about the underlying OAuth itโd be nice for the section to at least call out the โsee moreโ from the original spec.
#ZegnatI found it very hard to implement IndieAuth without implementing OAuth. Had to do lots of dives into OAuth for error responses and the likes
#[fluffy]Anyway I think that if the IndieAuth spec on token grants were to point to the OAuth spec on token grants with language like โIndieAuth tokens also support token refresh per [the OAuth spec](blahblahblah)โ thatโd be satisfactory to me. I had no idea refresh tokens were even an option until GWG opened the issue.
#[fluffy]ah, yeah, I can see IndieAuth providers being a lot more complicated than clients. Iโve only done the client side of things.
#[fluffy]well, aside from the token endpoint in Publ, which only implements the tiny subset necessary for Ticket Auth.
#GWGaaronpk: As the spec editor, would linking to various recommendations be an issue for the next revision?
#[fluffy]Supporting Micropub in Publ is gonna be weird because Micropub uses a token grant from the IndieAuth provider, but Publ isnโt actually integrated with the provider. Like I use SelfAuth to log in to my own Publ instance.
#[fluffy]I guess it could do something like get a token from the userโs IndieAuth provider and then use that to grant a Publ token?
#[fluffy]well, like, get the token, then verify it, then go โokay youโre cool, hereโs a token for realsโ
#[fluffy]I still donโt quite understand the Micropub flow though.
#aaronpkGWG: yes editorial changes like that are a good idea
#[fluffy]Iโll probably understand it better when I get around to implementing Micropub for Publ (MicroPubl?)
#ZegnatI think nothing in Micropub requires IndieAuth. It just mentions IndieAuth as a way to obtain a token, and that is what most (all?) Micropub clients now require.
#GWGaaronpk: I think I'll go create a page for next month's popup, if there isn't one.
#aaronpkcorrect, indieauth is a way to get an access token, ticket auth is a way to get an access token, and you could also get an access token using oauth core, or the oauth device flow, etc
#[fluffy]okay, so the problem for Publโs weirdness is that the indieauth token_endpoint isnโt going to be the same as the ticketauth token_endpoint
#GWGBy the way, there is now a Microsub popup wiki page for people to put possible topics.
#Zegnat[fluffy]: it does not need to be. You do not even neccessarily need a token_endpoint for Micropub at all.
#[fluffy]Publโs token_endpoint assumes it already has a valid identity provided by external means.
#[fluffy]Oh, interesting. So could there be a client that lets you give it a token in some other way?
#[fluffy]I mean you said that already yeah bu tlike
#[fluffy]Are there any clients which would be amenable to a flow other than โsign in with indieauth, then use that same siteโs token_endpoint to get a token from the indieauth instanceโ
#ZegnatI think Omnibear might have had the option to just drop a token into a form instead of doing IndieAuth
#[fluffy]like thereโs probably some major disconnect that Iโm not understanding here but on my site the authorization_endpoint points to SelfAuth but the token_endpoint points to Publ, and Publ knows nothing about how SelfAuth validates an identity.
#[fluffy]but Iโm thinking that Publ *could* go โokay this thing is asking for an access_token against this identity with this authorization code, Iโll look up that identityโs authorization_endpoint and token_endpoint and use that to validate the codeโ
#[fluffy]but this has all been a low priority for me anyway since I donโt personally care about using micropub to post to my site. Iโd love to support micropub so that other people have less friction in using Publ though.
#[fluffy]And also that might be nice for social reader integration.
#ZegnatIt is definitely a balancing act of wants and needs et al. IndieAuth is an extension to OAuth for letting unregistered clients discover the correct OAuth endpoints to be able to request tokens. So if you want to support IndieAuth as a way for clients to request tokens, the must be a way for the authorization_endpoint and the token_endpoint to speak to eachother.
#GWGaaronpk: It says it can't find the token endpoint, I believe.
#[fluffy]One reason why I donโt want to integrate the IndieAuth authorization_endpoint into Publ is that Publ itself is just the site publishing engine, and itโs not necessarily going to be for a single-author site. Like one specific reason I do want to support Micropub is to allow a community blog sort of thing. Iโm not sure if thatโs compatible with how Micropub clients expect identity to work though.
#Zegnataaronpk: I currently store the ticket endpoint I sent a ticket to as the "client"
#aaronpk[fluffy]: there's also nothing about micropub or micropub clients that assume single-user websites
#sknebelah no, seems my code failed to handle the request :/
#GWGsknebel: Yes. I'm fixing the error messages to be more helpful now
#[fluffy][aaronpk] yeah but I mean likeโฆ donโt micropub clients all at least assume that youโre going to be signing in as the identity of the site itself? Or if not, thatโs probably where my massive disconnect lies.
#aaronpkno not really, the micropub client doesn't really care what identity you're signing in as, because it's not trying to know *who* you are, it's trying to get an access token to be able to create posts at the micropub endpoint
#[fluffy]okay but thatโs still where thereโs a weird little edge case in supporting Micropub on Publโฆ let me try to flesh out an explanation of why this is weird to me
#aaronpkin practice, some micropub clients will show the "me" URL to show the user which site they are posting to, but that URL could be a user-specific URL on the site, or could be the site's home page, it doesn't really matter
#ZegnatMost (all?) Micropub clients use IndieAuth to discover the authorization_endpoint, but that is just the place they send their user to authorize a token. sink.zegnat.net for instance will let users write in their own site address and do IndieAuth with their own setup rather than relying on an identity issued by sink.zegnat.net itself
#[fluffy]If someone tries to post to beesbuzz.biz, theyโd be asking beesbuzz.bizโs token_endpoint for an access token to post to it, right? And that token has to go through some sort of authentication flow to make sure that the token is valid, which it would do presumably by asking that someoneโs IndieAuth endpoint.
#ZegnatGWG: I think I was wrong before, I do support token verification, I do not support revocation
#[fluffy]And thatโs all well and good with how things are set upโฆ but then if *I* try to post to beesbuzz.biz, my IndieAuth identity (validated by SelfAuth) is also beesbuzz.biz, and so my token_endpoint would appear to be publโs, not SelfAuthโs
#[fluffy]and again I probably am fundamentally misunderstanding the authorization flow for micropub
KartikPrabhu joined the channel
#[fluffy]but my understanding is that thereโs some dance that occurs with the token_endpoint provided by the userโs identity URL
#[fluffy]and that itโs an โimplementation detailโ about how the identity URLโs token_endpoint and authorization_endpoint talk to each other
#[fluffy]but like, beesbuzz.biz as an identity would have a different token_endpoint than beesbuzz.biz as a resource.
#GWG[fluffy]: If they are not integrated, there is what was used in the earlier version of the spec, which so far no one turned into an extension
#[fluffy]The obvious workaround would be for me to have a separate identity URL for signing in to my own site
#aaronpktoken endpoints are not part of identity, they are only part of authorization of access to resources
#[fluffy]okay, so how does a token_endpoint grant a token against an identity?
#ZegnatYou probably only want to trust tokens from publโs own token endpoint for micropub requests to publ. Trusting tokens created by external token endpoints might be risky, as they can claim to be for any value of `me`. So you need impersenation checks etc.
#aaronpkthat's between the two endpoints to figure out
#aaronpkwhich typically are part of the same software, so it's an "implementation detail"
#[fluffy]see, thatโs the problem, I donโt want Publโs token endpoint to have to know how to talk to every IndieAuth authorizatoin_endpoint
#aaronpkthis is why there was originally a part in the indieauth spec that described how the two endpoints can talk to each other, which is how tokens.indieauth.com works
#[fluffy]Like in this case, Publ is explicitly *not* part of the same software as the IndieAuth authorization_endpoint
#[fluffy]yes, because Publ is providing the tokens for TicketAuth
#ZegnatI would expect to point a Micropub client at a Publ site, end up on a login page provided by Publ (the authorization_endpoint), when I login there (proofing my identity in some way to Publ) I will be redirected back to the Micropub client with a code. The Micropub client then exchanges the code against Publโs token_endpoint to get a token to send along with Micropub requests.
#[fluffy][Zegnat] but Publ doesnโt provide an authorization_endpoint
#aaronpkso if you want to continue down the path of completely separate and interoperable token and authorization endpoints, you'll need a contract between the two, which we've moved out of the core indieauth spec but could be done as an extension
#aaronpkpersonally i am not interested in continuing to support tokens.indieauth.com or that model, so i have no interest in that extension, but that's not to say someone else couldn't take it and run with it
#GWGaaronpk: Did we dump it into a wiki page somewhere for reference?
#[fluffy]IIRC the tokens.indieauth.com approach isnโt workable either though, and Iโm having too much difficulty articulating it and should probably give up again before I get frustrated and another giant pain flare from this
#ZegnatI guess I do not understand why publ canโt support a login box at the authorization_endpoint. Which is all it would need to be able to issue tokens
#[fluffy]but anyway the tl;dr of the problem as I see it is that beesbuzz.biz-as-identity is different than beesbuzz.biz-as-resource as far as what the token_endpoint should be
#[fluffy]because beesbuzz.bizโs authorization_endpoint points to my SelfAuth because thatโs what Iโm using to sign in to my site
#[fluffy]I donโt want to give user accounts to my indieauth endpoint for everyone who might be posting to my site
#[fluffy]I want them to be signing in with their own identities
#[fluffy]I purposefully do not want publ to be in the business of providing identities beyond the profile URL
#[fluffy]if publ provides an authorization_endpoint that then lets people proxy a login to their own identity then anyone can just log in as me if theyโre able to log in to my site.
#aaronpkif you want other users to sign in to beesbuzz.biz, that site would be acting as an indieauth *client* and would go discover the authorization endpoint of the user
#[fluffy]maybe beesbuzz.biz is a bad example for this
#[fluffy]because I have no interest in allowing other people to post to it anyway
angelo joined the channel
#aaronpki guess i don't see the problem then? this seems like it works
#[fluffy]but like. beesbuzz.biz lets people sign in using indieauth (among other things) as an indieauth client, but it also provides an authorization_endpoint that lets me sign in to other things.
#ZegnatAah. Hmm. I see now. You would want authorization_endpoint both to be your Selfauth instance because you want to use beesbuzz.biz as your identity. But for the IndieAuth multi-user workflow you would also want the authorization_endpoint to point at the external-user login form.
#[fluffy]but it also provides a token_endpoint for TicketAuth, but that token_endpoint knows nothing about how to talk to the authorization_endpoint.
#aaronpkso in that case there are two indieauth/oauth flows happening
#aaronpkone from the micropub client to the group blog, and a second from the group blog to each user's own authorization endpoint
#[fluffy]right, and I think in the case of a theoretical group blog, nobody would be signing into that blog as that blogโs own identity
#[fluffy]so this *might* be a non-issue. but itโs something that trips me up when I think about it too hard.
#aaronpkhow the user authenticates at the authorization endpoint is not described in oauth or indieauth, intentionally
#aaronpkthat authentication could be username/password, or it could be relmeauth, or it could be another indieauth flow
#ZegnatSo sink.zegnat.net is a group blog in that way. So its authorization_endpoint is actually an IndieAuth login page and lets anyone login. Then when they are logged in the sink.zegnat.net token_endpoint can issue a token matching their identity (because they have proven who they are). But that obviously would not work if the sink.zegnat.net authorization_endpoint was also the thing I personally wanted to use to proof my own identity.
#[fluffy]okay so Iโm thinking, then, that the authorization_endpoint on a group blog could even just point to an Authl signin page and people could therefore use non-IndieAuth identities to sign in for this
#ZegnatCrap, ignore me, my IRC is on the fritz so I have no idea when my messages come in compared to the conversation others are having :(
#[fluffy]yeah. Iโm fine with just not supporting the use case of a group blog that is also an individual identity.
#[fluffy]Thereโs still the issue that likeโฆ if a group blog has an authorization_endpoint that accepts any login to it, then theoretically *anyone* could use that group blog to identify to another site (even if they arenโt granted post access to that group blog)
#aaronpkyou'd only send a "me" URL as the root URL when *you* log in, and you'd return URLs with paths for all the other users
#[fluffy]but I guess thatโs just something to keep in mind for a group blog site - to only authenticate people known as authors on the blog.
#aaronpkthe authorization endpoint is the one that decides what "me" URL to send back to the client, and it can use whatever criteria it wants to make that decision
#sknebelGWG: "500 {"error":"unknown","error_description":"Unable to Store External Token"}"
#[fluffy]Wait but the me URL thing wonโt work because of how โdifferent profile URLโ works
#aaronpkthe key here is separating this out into the two oauth flows rather than thinking about it as one single flow
#aaronpkthe group blog would have to use author sub-pages for the other users
#GWGsknebel: That means I couldn't figure out who you were sending the token to. Was there a me property in the redeemed token?
#[fluffy]yeah but then that gets back to the problem of requiring people to have a means of signing in to their author page identity which may or may not be IndieAuth. I suppose that could b epushed down a layer and the author profile can have a list of allowed third-party identities.
#[fluffy]in the case of Publ I was definitely going to be making the Micropub stuff in a separate library that would only be optionally pulled in so that means this doesnโt have to complicate Publ itself. and it can provide a route like /_author/<name> which provides their h-card and whatever, and is configured at an admin level such that <name> maps to third-party identities.
#[fluffy]the ticket issuer isnโt going to do anything based on what the ticket endpoint replies with, and 200/202/whatever and fun message seems :thumbsup: to me
#aaronpkbut yeah it's helpful to inclue some sort of message to tell people who are looking at the responses when writing code
#ZegnatAs with webmention, it could signify whether the ticket is send synchronous or asynchronous, I guess?
#[fluffy]and yeah I am very tempted to add a ticket endpoint to Feed-on-Feeds, even though I really want a reason to finally work on my reader project.
#aaronpkmy assumption is that either everything is bundled into a single piece of software (e.g. wordpress with a built in reader), or all authorization stuff is a standalone thing that is used by all the various parts
#GWGBut [fluffy]'s thought makes sense. If the ticket endpoint is integrated with the Microsub endpoint. I've been integrating mine with my token and auth endpoint code.
#[fluffy]Iโve been sort of avoiding thinking about the webmention side of things because I feel like mixing webmention and private content is inherently risky
#aaronpki think i am going to add an endpoint to my new app so that my website can ask "do you have an access token that might work at X resource", that way it could be used for feed fetching as well as webmention
#GWGSo, like the idea of having non-integrated authorization and token endpoints, that is another spec.
#aaronpkit's eventually going to be a full indieauth server
#[fluffy]I keep meaning to add bearer token support to Pushl but it was going to be based on sideband token grants, rather than trying to use anything like ticketauth etc., but then the whole mention verification thing becomes difficult, etc.etc.
#[fluffy]like if I have a private post that links to another private post, Pushl needs to be able to see the source post, it needs to be able to get the mention endpoint of the target post, and the mention endpoint needs to be able to see the source post.
#GWGI may, after this is more stable, contemplate the idea of a second POST request to the ticket endpoint, with a required bearer token from my token endpoint, scoped to allow it to return the token in question.
#[fluffy]and even if all that stuff does work, in the common case you potentially have a public post thatโs replying to a private post and then that causes drama/privacy violations/etc.
#aaronpkmaking all these parts modular and interchangeable is definitely adding challenges that don't need to be there for the basic interop to work
#GWGSo, a redemption flow. I know that's one of the things AUTOAuth had trouble with
#[fluffy]thus why I prefer having native private comments on my site instead of using mentions for comments on private posts ๐
#GWGaaronpk: That's why I thought being able to redeem a ticket and get a token needed to work before the other stuff.
#GWGBecause in some implementations, you don't need them.
#[fluffy]Itโs really annoying when people post a public tweet in response to my private post stubs. So far there hasnโt been anything particularly awful from that, just the occasional โOh, Iโm sorryโ in response to a โPrivate post: [akjdflkajsf]โ tweet.
#aaronpkyeah twitter is not a good example of that, since public twitter accounts that reply to private tweets still have the public reply visible
#Zegnataaronpk: what sort of endpoint do you mean? You mean that Aperture could go to aaronpk.com and ask "is there a token for subject aaronpk.com at resource vanderven.se that I can use for fetching?"
#Loqi[fluffy-critter] #1012 allow webmention endpoint discovery on non-2xx responses
#aaronpkso that when aperture is fetching your home page for me, it could include an access token that you have sent me
#GWGaaronpk: What endpoint at aaronpk.com would it be asking?
#aaronpkwell it would be an endpoint at my new authorization server
#aaronpkthis does not need to be standardized, it's a private API
#ZegnatThat is pretty close to the autoauth case, yeah. Probably with the difference that for autoauth, you would make that request, and then that endpoint goes of to the mentioned resource to see if it can request a token in your name
batkin joined the channel
#aaronpkbut i need to receive tickets first so let me go finish that
#batkin[m]Going back to something I was trying to figure out several weeks ago - I'm wondering how to make it so I could enter any-subdomain.benatkin.com into a micropub client, and have it use the identity benatkin.com.
#Zegnatbatkin[m]: have all of those pages point at the same authorization_endpoint, which results in me=benatkin.com
#sknebel"so that when aperture is fetching your home page for me, it could include an access token that you have sent me" - that's what autoauth had requests and extra scopes for
#sknebelwhich I think makes sense as a pattern still
#GWGsknebel: That was some of what I was thinking might work
#ZegnatIt is really just a question of interop/standardisation for all those steps. And the question whether it even all belongs in the same spec or not. Ie. does it belong in TicketAuth or separate? Can it only work by having one huge sped like Autoauth? etc.
#GWGsknebel: In theory, if we wanted an external API, it could be a token scoped with a token requesting scope, that posted to the ticket endpoint to get back tokens.
#ZegnatYou should be storing the resource values from the first ticket request for that, surely? That is what it says "these resources should accept the token"
#sknebelthat's the "resource" value in the ticket request
#aaronpkright, but i need some limit on who can claim what resource values
#GWGAnd that is where you are getting the token endpoint?
#aaronpkoh maybe that's already handled by the fact that the token endpoint is discovered from the resource URL
#ZegnatAh, hmm, that is a lot harder. You would then want to go and check all the resource values to see which token_endpoints (if any) they mention?
#ZegnatYes, as long as we stick to single resources, that solves that part
#sknebelthat it's valid to the resource is checked that way
#sknebelwhat exactly counts *outside* the specific resource URL is tricky
#aaronpkso gwg can trick my site into requesting a token from zegnat but it will fail
#ZegnatI am trying to figure out if there is some sort of attack possible through multi resources, if we only ever check the first resource to find the token-endpoint, but would end up sending the token for requests to the second resource as well. Recourse 1 and 2 might be on different origins
#ZegnatBut I canโt think of a case where it would actually be a problem
#GWGLet's say I send you a ticket that has a page on my site that delivers Zegnat's token endpoint. When I try to redeem the ticket, it will fail. How could that be an issue?
#batkin[m]When trying to use micropub with a subdomain, and logging in with Quill, I got "The domain for the user returned did not match the domain of the user initially signing in"
#aaronpkooh quill might not be updated with the latest indieauth client
#batkin[m]I never specified notes.benatkin.com as a user, the rel=me on that page is benatkin.com
#aaronpkZegnat: how do i know if the token i got from you works? do you return something special on your home page?
#sknebelthinking about it a bit more, I feel like "path below the resource" (or maybe even same origin) + "advertises the same token endpoint" works as "is this token usable here" best
#sknebelyou want some way to know if you should use the token or not
#aaronpkyou could also always use the token once you know what resources it is for
#ZegnatI am not sure if "advertises" really is important, or if resource is enough. What is added by doing the check for the advertised token_endpoint?
#batkin[m]I got a token via a ticket from vanderven.se , by logging a request and using curl
#batkin[m]doesn't seem to have any easter eggs set up. or maybe just true easter eggs =)
#GWGSo, does this mean that we've answered the question of where the ticket endpoint goes looking for the token endpoint?
#Zegnataaronpk: OAuth question, I am looking at RFC 7009 (revocation) for security considerations, to see if I am implementing it right. And the following confuses me: "According to this specification, a client's request must contain a valid client_id, in the case of a public client". I cannot find an example in the spec on how it expects public clients to send their client_id along with the revocation request. Nor does IndieAuth hint at it
#aaronpkthe notes in the security consideration make sense though, you don't really gain any security by checking for the client_id for public clients since there's way worse things you can do if you are malicious and have the token
#sknebel(i.e. my mental model would be "sure, send the client_id, server might log it etc", but not "require a known client_id to accept a revocation request"
#ZegnatI do not feel like I need a client_id to let you revoke, because if you have the token you have access to resources.
#ZegnatBut the way some of it reads, it seems it only wants me to allow revokes if you know the matching client_id? Which then feels counterintuitive to me
#aaronpkusually these kinds of extra parameters that feel unnecessary at first are there to prevent mixup attacks of various sorts, but there isn't anything to mix up in this spec
#sknebelright, to me it is something that if I find a token I should be able to revoke it
#aaronpkspeaking of which, we should look at the new "iss" spec
#sknebel(again parallel to certs: doesnt matter who you are, if you tell a CA "here's the private key for a cert, revoke that!" it has to do so)
#ZegnatI would even say the oposite is true for this spec, aaronpk :D If you somehow got a random token that is valid for a private resource, I would lovev it for you to revoke it ;)
#ZegnatOne of these days, that will turn into an actual D&D set
#sknebelthat reminds me, I found this video snippet about "how the web works" from a German kids TV series again a while back (I can remember seeing the original episode!): https://www.youtube.com/watch?v=fpqhjEtznVk
#sknebelthat style would be so funny for some explainer videos
#ZegnatReading the iss draft now, those mix-up attacks were what I was thinking of wrt having multiple resources specified when sending a ticket. Trying to trick a client to leak its token to a resource I control. Just could not actually come up with a scenario that would sufficiently trick a client
#sknebelthis was productive, but I'm off to bed now. o/