#dev 2021-08-29

2021-08-29 UTC
#
GWG
[fluffy]: We missed you earlier
#
aaronpk
I thought we defined a few fields in the spec
#
[fluffy]
Ah, yeah, I guess I overlooked the actual definition
#
[fluffy]
and yeah I meant to join this morning but spaced out
#
[fluffy]
So here’s a question… for Authl’s sake, which should be considered more authoritative: the information from the profile scope, or the h-card?
#
[fluffy]
Like, regardless of the profile being returned I'm gonna parse h-card. But if there's matching fields, which takes priority?
#
GWG
[fluffy]: The return is what the site in theory, wants the client to use
#
GWG
So, in that case, I would say that
#
[fluffy]
so profile takes priority over h-card? That's what I figured but, y'know. Thought I'd ask opinions.
#
GWG
That's my opinion based on what we said when we added the feature
#
[fluffy]
also, if someone specifically removes the profile and email scopes, does that mean Authl shouldn’t parse those out of h-card? Or does it just mean that it’ll be fine for Authl to still consume the public information on the h-card?
#
[fluffy]
That’s more a user expectation thing rather than an implementation thing.
rockorager joined the channel
#
GWG
I would say yes it is. Because there isn't a preference noted. I would suggest there is a way to not use the full detail.
#
Rattroupe
@fluffy what do you mean you don't see support for profile? In Authorio?
#
Rattroupe
I have support for full name, email, url, and image
#
Rattroupe
"which should be considered more authoritative: the information from the profile scope, or the h-card?": in my case, it's much easier for a user to edit his profile vs an h-card
#
[fluffy]
@rattroupe I’m not sure what I said that you’re asking about there
#
Rattroupe
(from #indieweb) "BTW I didn’t see that you’d added specific support for profile scope. What fields did you end up settling on for the profile? I’ve been wanting to add that into Authl but I haven’t had anything that provides a profile to parse yet."
#
[fluffy]
Oh, what I meant was: I hadn’t noticed that until today
#
[fluffy]
when I read that blog entry you linked to
#
[fluffy]
and now since you actually have an endpoint which provides profile in the IndieAuth response I’m going to add that to the Authl client.
#
Rattroupe
did you read the other post where I complained that I implemented profiles but there's no client site that uses them? :)
#
[fluffy]
Authl has actually requested profile scope for *ages* and it’s (sort of ) in the wild, but it hasn’t done anything with the returned profile because nobody had implemented it yet 🙂
#
Rattroupe
cool, let me know when you're ready for me to test
#
[fluffy]
I think there’s a gap in understanding here, because like. Authl requests profiles (but doesn’t use them) and I was excited to see that you’ve implemented them at the indieauth server level 🙂
#
[fluffy]
So far I've only had the 'profile' scope as a placeholder because a scope is required for the client request and it seemed innocuous and unlikely to cause conflicts.
#
[fluffy]
but anyway it’s incorrect to say that *nothing* requests a profile out there, just that you hadn’t found anything which does. 🙂
#
Rattroupe
oh? What does?
#
Rattroupe
oh you mean authl
#
Rattroupe
nothing actually *uses* profiles yet. Hopefully changing soon.
#
[fluffy]
but I mean I’m sure someone else has actually implemented something as a test
#
[fluffy]
Authl has used h-card profiles for ages now, but not IndieAuth response profiles.
#
[fluffy]
right now I'm finishing up a crappy unit test for that
Khuforzu[d] joined the channel
#
GWG
I tried my hand at a PR for refresh tokens https://github.com/indieweb/indieauth/pull/90
#
GWG
Anyone?
#
Loqi
[dshanske] #90 Refresh Tokens
#
rattroupe[d]
I’ve noticed in some other oauth-related specs that a client must request and be granted an offline_access scope in order to get a refresh token. Is that something we care about?
#
GWG
rattroupe: It isn't in the refresh token spec though.
#
GWG
rattroupe[d]: Excuse me, wrong rattroupe
#
rattroupe[d]
Sorry I’m jumping around
#
GWG
But according to the spec, and I read through it just this evening again, it says that the authorization server decides whether it will give refresh tokens. So, if you want it to decide based on the granting of a scope, you can.
#
GWG
But that doesn't have to be in IndieAuth, it is an implementation detail.
#
rattroupe[d]
I guess the thinking is, with a refresh token a client could potentially remain authorized indefinitely, which is something a user might not want automatically granted
#
aaronpk
This is something that's entirely up to the IndieAuth server to decide how to do and how to surface to the user
#
aaronpk
the offline_access scope is something some implementations of OAuth did but has never been captured in a standard
#
GWG
I looked at what the spec, and the security recommendations, and OAuth2.1 talk about refresh tokens.
#
aaronpk
Sorry, not in an OAuth standard. It's in openid connect
#
GWG
There is the discussion of refresh token rotation.
#
GWG
Whether you should issue a new refresh token every time you redeem.
#
GWG
There's a security recommendation that if a client isn't used for a period, you should invalidate their token
#
GWG
But again, implementation details. The worst that could happen is your client has to go through the flow again
#
rattroupe[d]
It’s a little more than an implementation detail. If the client has the burden of requesting a refresh token, that means an endpoint doesn’t have to burden the user at all if no refresh is requested. But if it’s up to the endpoint implementation then the endpoint has to ask the user every time, if it wants to implement refresh tokens at all
#
GWG
rattroupe: Clients don't request refresh tokens. They are just provided.
#
GWG
If they aren't, the decision on why is that of the endpoint.
#
GWG
If your client doesn't use them, then it is the same as we have now. You have to go through the indieauth flow again
#
GWG
If you had one, redeem it, and don't get a new one, or the old one is revoked, you still have to go through the indieauth flow again
#
GWG
aaronpk is the OAuth2 expert, but if I understand it correctly, the reason I was one of those pushing for it is that short-lived access tokens with refresh are better than a long-lived token for clients where you want them to have access for a longer period of time
#
GWG
What I haven't implemented, and not sure if anyone has, is actually changing how my endpoint gives out credentials based on the client.
#
GWG
Because how would I do that?
#
GWG
That's also why I wanted resource indicators.
#
GWG
So my endpoint would know what resource it was giving access to and could do all sorts of stuff. Although still not sure I would.
#
[fluffy]
did refresh tokens ever get added to the TicketAuth spec? Publ’s ticket endpoint provides them as a matter of course but it’d be nice for it to be formalized
#
GWG
[fluffy]: We were talking about it for IndieAuth. Why would they be needed for Ticket Auth?
#
GWG
If you get an access token from a ticket, and you have refresh tokens...
#
[fluffy]
they’d be needed if the ticket auth grant is given manually
#
[fluffy]
this is something we’d talked about not too long ago I think?
#
GWG
[fluffy]: A lot going on. I might have forgotten
ralismark joined the channel
#
Zegnat
I would say that, in TicketAuth, you redeem the ticket for a token at an OAuth token endpoint. Refresh tokens are just a feature of the token endpoint, so not sure there is a need to add anything specific about them to TicketAuth?
hendursa1 joined the channel
#
[fluffy]
ah, right
#
[fluffy]
sorry, my head is always so focused on TicketAuth that I forget that it’s an initiation flow for the OAuth token stuff
#
[fluffy]
@rattroupe I had to take a break from Authl stuff but I’ve released a new version that hopefully supports IndieAuth profiles (or at least the unit tests say it do), and it’s been deployed to https://beesbuzz.biz/ - feel free to visit https://beesbuzz.biz/blog/profile and see if it works as you expect!
#
Loqi
fluffy
#
[fluffy]
yes loqi
#
Loqi
Ok, I'll tell them that when I see them next
#
[fluffy]
!tell rattroupe IndieAuth profile implementation is live on https://beesbuzz.biz/ although there’s an issue where it’ll cache stuff from the IndieAuth server response erroneously if e.g. someone logs out and back in without the scopes set. I’ve already fixed that in the code but I’m going to hold off on doing another release so quickly.
#
Loqi
fluffy
[Zegnat] joined the channel
#
[Zegnat]
fluffy: I often find that it helps me to think of everything IndieAuth as merely an initiation flow of OAuth, haha!
rockorager, tetov-irc, alex11 and sebbu2 joined the channel
#
GWG
Any Indieweb plans today for anyone?
#
rattroupe[d]
Going to test out indieauth profiles with @fluffy bees buzz site
#
GWG
Great
#
rattroupe[d]
Just discovered a bug where Authorio won’t work if the client site doesn’t use PKCE
chenghiz_ joined the channel
#
jamietanna
rattroupe[d] that should be fine - didn't we make PKCE required in the spec? So it's fully up to us as to whether we support legacy sites or not
#
jamietanna
GWG when I implemented refresh token (https://www.jvt.me/posts/2021/01/31/refresh-token-indieauth/) I opted for single use refresh tokens, which provided shorter-lived access tokens, and longer-lived refresh tokens
#
rattroupe[d]
The problem is, I wanted to test with fluffy's site and their site doesn't use PKCE
#
Loqi
[Jamie Tanna] Implementing the Refresh Token Grant in my IndieAuth Server
#
jamietanna
and the option for the human to grant a refresh token, not anything automagic
#
rattroupe[d]
I thought I had coded it to support legacy non-PKCE sites but I didn’t test it and it turns out there was a bug. Should be easy to fix though
#
GWG
jamietanna: Did you read the PR I started?
#
GWG
I tried to summarize refresh and expiry in new text, based on existing specs
#
GWG
Then I started reading about refresh token rotation, and such...
#
GWG
jamietanna: Where did p-achievement come from on your resume?
#
rattroupe[d]
!tell [fluffy] I logged in to beesbuzz and saw the profile scope in my log, and the login appeared to work, but I don’t see the profile information used anywhere on the site.
#
Loqi
Ok, I'll tell them that when I see them next
#
[fluffy]
@rattroupe Did you go to the user profile page? https://beesbuzz.biz/blog/profile
#
[fluffy]
That’s literally the only place the profile appears to users :)
#
[fluffy]
On my admin view I do see a homepage and email address for your user profile.
#
rattroupe[d]
Is there a link from the home page to the profile page or do I just have to type in that url?
#
[fluffy]
Although I notice that your identity is shown as reiterate.app which appears to not be specific to you?
#
[fluffy]
There’s a “view profile” type link at the top of most article paginations.
#
[fluffy]
like there should be something like a “Hello, [your name here]. [sign out]” pair of links. The ‘your name here’ one would take you to your profile.
#
rattroupe[d]
Oh, it only appears if there’s more than one article
#
[fluffy]
The point to the profile page is so that you can see how you look to me, and so that I can see who you are so that I can grant you access to private entries.
#
[fluffy]
eh? it should appear on all index pages regardless of article count
#
rattroupe[d]
Yes it says Hello, [Michael Meckler] so that is working…
#
[fluffy]
it won’t appear on an individual article’s page though
#
rattroupe[d]
Ok it’s got name, email, and the image
#
[fluffy]
Generally if you’re viewing an article you already have access to it so there’s no need to see how I see you :)
#
[fluffy]
and presumably you don’t have an h-card that provides those things, right?
#
[fluffy]
In my unit tests I also make sure that if you have both an h-card and an IndieAuth profile, the IndieAuth profile takes priority.
#
rattroupe[d]
I was confused because I didn’t see a profile link on the home page, and the first few links I clicked on didn’t go to a page with a profile link either
#
[fluffy]
But it’ll aggregate stuff together, since h-card provides way more information (bio, pronouns, etc.)
#
[fluffy]
ah, right, that could be a bit more clear. On the home page it’ll show a login link if you’re logged out and there’s a recent private entry, but there’s no profile link there.
#
[fluffy]
I’m always trying to balance the UX of a “this is my personal website and portfolio” site and a “this is my online social presence” site.
#
rattroupe[d]
I do have an h-card on the home page of my site
#
[fluffy]
on reiterate.app?
#
rattroupe[d]
Yes, and it does duplicate the info sent in the indieauth profile
#
[fluffy]
Ah, but doesn’t have anything more than that?
#
rattroupe[d]
No just that
#
[fluffy]
Authl supports a bunch of stuff in the profile; the current canonical list is at https://authl.readthedocs.io/en/latest/authl.html#authl.disposition.Verified
#
rattroupe[d]
Btw your site doesn’t support PKCE
#
[fluffy]
Yeah I know, I have an open issue for that
#
Loqi
[fluffy-critter] #92 IndieAuth: add PKCE support
#
[fluffy]
I haven’t looked into how to support it just yet.
#
rattroupe[d]
That uncovered a bug in Authorio, I thought I was supporting legacy sites without PKCE but it turns out I had to fix that
#
[fluffy]
Ah, well, then that’s a good thing ;)
#
[fluffy]
PKCE has been a low priority because of the use case of Authl so far but I definitely do want to support it eventually since Authl isn’t *just* for Publ’s private-entry login.
#
[fluffy]
like I intend to use it on any app I build that requires login, and I designed it to be straightforward to integrate into any Python app (with it being especially easy for Flask but there’s no Flask requirement)
#
rattroupe[d]
[fluffy]: I posted a rant about profile URLs, in the end I decided to have a single-user config for Authorio and reiterate.app is running in single user mode
#
rattroupe[d]
So, yay, I believe this is the first active instance of IndieAuth profile information exchange between client and endpoint
#
[fluffy]
Yeah I saw that rant, that’s what led me to your thing about profile support
#
[fluffy]
I *sort of* agree with your rant in principle but in practice IndieAuth does support the idea of things like reiterate.app/rattroupe/ or whatever.
#
[fluffy]
Back when I used OpenID for login in a lot of places I used a hack to have my profile URL be beesbuzz.biz/fluffy/ which just had a couple of links to things.
#
[fluffy]
(that URL doesn’t work now though, this was aeons ago)
#
[fluffy]
anyway as far as ‘first active instance’ goes I feel like this should be recorded on the wiki somewhere.
#
[fluffy]
I guess we don’t actually have verification that it’s your IndieAuth profile that was used, though; if you have the same data on your h-card then it *could* have been pulled from that.
#
rattroupe[d]
I can edit my home page to take it out, then log out and back in…
#
[fluffy]
Sure, that’d work.
#
rattroupe[d]
Ok just a sec…
#
[fluffy]
The h-card data remains cached for a while though.
#
[fluffy]
Oh wait no, the cache gets refreshed on a new IndieAuth login.
#
rattroupe[d]
Ok logged out
#
[fluffy]
… I think.
#
rattroupe[d]
Is there some way you can verify the cache is cleared?
#
[fluffy]
I can restart my site app 🙂
#
[fluffy]
just a sec
#
rattroupe[d]
I can also edit my profile information
#
[fluffy]
ok, cache cleared
#
[fluffy]
oh also the cache lifetime is 1800 seconds.
#
rattroupe[d]
If I edit the profile information that my endpoint returns, will that override any cache?
#
[fluffy]
I could make that shorter too although that’s currently hardcoded into Authl itself. It’s just there to make it so that the h-card doesn’t have to be re-fetched after a successful login.
#
[fluffy]
but yeah the h-card should always get refreshed on a new indieauth login
#
[fluffy]
oh, I guess if something gets removed from the h-card that’ll remain in the cache. That’s easy enough to fix though.
#
[fluffy]
I should also reduce the cache time. There’s no reason for it to be half an hour.
#
Loqi
agreed.
#
rattroupe[d]
Ok I’ve removed the card from the home page, and also made changes to the profile info
#
rattroupe[d]
So I should be able to log back in now and see the new profile?
#
[fluffy]
also if you have different information on the h-card vs. the indieauth profile, the info on the indieauth profile should take precedence.
#
[fluffy]
A typical example of that being a public vs. private email address.
#
rattroupe[d]
Ok, it’s working
#
[fluffy]
(And if you deny the ‘email’ scope on the login then the public email address will be used, if your auth endpoint implements scopes correctly)
#
[fluffy]
awesome
#
rattroupe[d]
I logged back in and I’m seeing the edited info that only exists on my indieauth profile
#
[fluffy]
awesome
#
[fluffy]
Good verification rattroupe++
#
Loqi
rattroupe has 1 karma over the last year
#
rattroupe[d]
Ty for my first karma ever 🙂
#
rattroupe[d]
Hmm.. Edited my profile settings back to what they should be, logged out and back in of beesbuzz, but I'm still seeing the (cached) test values
#
[fluffy]
Hmm, only the h-card should be getting cached at all… oh, but the endpoint discovery is also cached, so yeah I guess it’d only refresh after the cache expires.
#
[fluffy]
The initial h-card cache occurs as part of endpoint discovery
#
[fluffy]
For now it’ll take 30 minutes for that to reset, although in the next release of Authl it’ll only take 5.
#
rattroupe[d]
A little confusing since your view profile page explicitly says “if this info is outdated, log out and back in” but that doesn’t fix it
#
[fluffy]
Yeah, that’s more for like “hey I changed my name on Mastodon why is it still showing me my old Mastodon name”
#
[fluffy]
Arguably I could just make it not cache anything but then people will probably get annoyed at how many times it makes a request back to the server. You can never really win.
#
rattroupe[d]
I can see in my logs that you are requesting and receiving the updated profile info each time I relog but I guess you’re discarding it in favor of your cache?
#
[fluffy]
no, the updated profile should always take precedence
#
[fluffy]
if the profile is cached it shouldn’t be requesting anything at all. Did you make sure to update the IndieAuth profile too?
#
[fluffy]
I mean, if the h-card is cached.
#
rattroupe[d]
Pretty sure I did, let me double check…
#
[fluffy]
The current IndieAuth profile should always take priority regardless, and is never cached.
#
[fluffy]
All that’s cached is the h-card, at the time of endpoint discovery (which is also cached).
#
rattroupe[d]
Ok, I updated my indieauth profile but im not seeing it on your site
#
rattroupe[d]
Just double-checked
#
[fluffy]
but it’s possible that this is also running into one of the caching-related bugs I fixed since the last release 🙂
#
rattroupe[d]
I’ll try again in 30 to see if it updates then
#
[fluffy]
oh yeah there’s definitely a caching bug that was causing the indieauth profile to become part of the cache
#
[fluffy]
although the new indieauth profile should still be overriding it
#
[fluffy]
unfortunately the cache is all in-process and I don’t have debugging logging enabled for beesbuzz.biz (since that’d make my site really slow) so I can’t do any forensics on this particular thing.
#
[fluffy]
I should add a unit test for server profile updates
#
[fluffy]
And, done.
#
[fluffy]
(not yet released of course)
#
rattroupe[d]
Relogged again after 30 min and now my profile page on your site shows the updated, correct profile info.
nertzy_ joined the channel
#
rattroupe[d]
I’m seeing another issue, I’m not sure if it’s related to the cache or not
#
[fluffy]
What’s happening?
#
rattroupe[d]
I’m logged in to beesbuzz with my laptop. I then visited the site with my iPad, and I’m not logged in there. So I tried logging in on my iPad, and it went through normal flow. I authenticated with my site, but then it redirected to beesbuzz homepage and I was still not logged in.
#
[fluffy]
Hmm, weird. Still on https://?
#
rattroupe[d]
Yes, everything is https
#
rattroupe[d]
Checking my logs, I’m not seeing the call to verify the token it receives when it redirects to your redirect_uri
#
[fluffy]
just spun up https://dev-authl.beesbuzz.biz/ as a testing thing, see if that works any better?
#
[fluffy]
also authl doesn't use token grants
#
rattroupe[d]
Do you want me to test with my laptop, iPad, both?
#
rattroupe[d]
Well not the token but the code
#
[fluffy]
hm, dunno what’s going on then
#
[fluffy]
I haven’t seen this problem before
#
[fluffy]
okay I see you logging in now
#
rattroupe[d]
Ok, logged in with the laptop ok
#
rattroupe[d]
Tried logging in with ipad, same issue
#
[fluffy]
yeah I don’t see the actual callback happening
#
rattroupe[d]
After the redirect from authorio I end up at the beesbuzz homepage and it says I’m not logged in
#
[fluffy]
weird, dev-authl.beesbuzz.biz shouldn’t ever try redirecting to beesbuzz.biz
#
rattroupe[d]
Oh not beesbuzz
#
[fluffy]
I suspect there might be something weird going on with authorio? I’ve never seen a problem like this
#
rattroupe[d]
I get redirected to dev-authl.beesbuzz.com like I should, except it says I’m not logged in
#
[fluffy]
what URL do you get sent to for your login?
#
[fluffy]
I don’t debug log that, but I could add that in temporarily
#
[fluffy]
okay, try logging in again on the iPad
#
rattroupe[d]
The endpoint is reiterate.app/authorio/auth. I get redirected there just fine, that’s where I authenticate on my end. Then I get redirected to http://dev-authl.beesbuzz.biz/cb/ia and eventually to the homepage
#
[fluffy]
yes, but I mean there’s more stuff in the URL
#
rattroupe[d]
No change
#
rattroupe[d]
I don’t log the full url, I can do that if you want
#
[fluffy]
I have that logged right now
#
rattroupe[d]
Ok what did you see just now?
#
[fluffy]
I’m suspecting that the problem is on authorio’s end, I’m never seeing anything try to talk to /cb/ia
#
rattroupe[d]
Hmm that’s odd, I don’t know what it would be different on the iPad
#
[fluffy]
it’s working fine with selfauth on my iPhone
#
[fluffy]
maybe authorio is doing something weird with cache-control headers?
#
[fluffy]
or maybe caching a callback response
#
[fluffy]
let me add some more debug logging, just a sec
#
[fluffy]
okay, try again
#
rattroupe[d]
Ok I’ve found a problem on the authorio side, somehow it thinks I’m hitting the cancel button but only on iPad?
#
[fluffy]
Weird. Maybe some messed-up form elements?
#
[fluffy]
like maybe wrong value on an <input type="submit"> or whatever
#
[fluffy]
anyway good to know this isn’t some weird hard-to-debug Authl bug.
#
rattroupe[d]
Ah it’s because I was tapping return on the iPad, but clicking the submit button on my laptop, and the cancel button is the default because it’s the first one in the form
#
[fluffy]
ah! yeah
#
[fluffy]
anyway, mystery solved, I’m taking down the dev-authl thing now 🙂
#
rattroupe[d]
Thanks, sorry for the trouble
#
rattroupe[d]
All working now
[Rose] joined the channel
#
jamietanna
Would I be able to get added to https://github.com/indieweb so I can review PRs officially? :)
hendursaga, maxwelljoslyn[d], westie[d] and chee joined the channel
#
[snarfed]
jamietanna yes! let me try
#
Loqi
[snarfed]: capjamesg[d] left you a message 1 day, 9 hours ago: ^
tetov-irc, shoesNsocks, [Rose]1, gerben, nertzy_ and nertzy__ joined the channel