#[fluffy]so profile takes priority over h-card? That’s what I figured but, y’know. Thoguht I’d ask opinions.
#GWGThat's my opinion based on what we said when we added the feature
#[fluffy]also, if someone specifically removes the profile and email scopes, does that mean Authl shouldn’t parse those out of h-card? Or does it just mean that it’ll be fine for Authl to still consume the public information on the h-card?
#[fluffy]That’s more a user expectation thing rather than an implementation thing.
rockorager joined the channel
#GWGI would say yes it is. Because there isn't a preference noted. I would suggest there is a way to not use the full detail.
#Rattroupe@fluffy what do you mean you don't see support for profile? In Authorio?
#RattroupeI have support for full name, email, url, and image
#Rattroupe"which should be considered more authoritative: the information from the profile scope, or the h-card?": in my case, it's much easier for a user to edit his profile vs an h-card
#[fluffy]@rattroupe I’m not sure what I said that you’re asking about there
#Rattroupe(from #indieweb) "BTW I didn’t see that you’d added specific support for profile scope. What fields did you end up settling on for the profile? I’ve been wanting to add that into Authl but I haven’t had anything that provides a profile to parse yet."
#[fluffy]Oh, what I meant was: I hadn’t noticed that until today
#[fluffy]when I read that blog entry you linked to
#[fluffy]and now since you actually have an endpoint which provides profile in the IndieAuth response I’m going to add that to the Authl client.
#Rattroupedid you read the other post where I complained that I implemented profiles but there's no client site that uses them? :)
#[fluffy]Authl has actually requested profile scope for *ages* and it’s (sort of ) in the wild, but it hasn’t done anything with the returned profile because nobody had implemented it yet 🙂
#Rattroupecool, let me know when you're ready for me to test
#[fluffy]I think there’s a gap in understanding here, because like. Authl requests profiles (but doesn’t use them) and I was excited to see that you’ve implemented them at the indieauth server level 🙂
#[fluffy]SO far I’ve only had the ‘profile’ scope as a placeholder because a scope is required for the client request and it seemed innocuous and unlikely to cause conflicts.
#[fluffy]but anyway it’s incorrect to say that *nothing* requests a profile out there, just that you hadn’t found anything which does. 🙂
#rattroupe[d]I’ve noticed in some other oauth-related specs that a client must request and be granted an offline_access scope in order to get a refresh token. Is that something we care about?
#GWGrattroupe: It isn't in the refresh token spec though.
#GWGBut according to the spec, and I read through it just this evening again, it says that the authorization server decides whether it will give refresh tokens. So, if you want it to decide based on the granting of a scope, you can.
#GWGBut that doesn't have to be in IndieAuth, it is an implementation detail.
#rattroupe[d]I guess the thinking is, with a refresh token a client could potentially remain authorized indefinitely, which is something a user might not want automatically granted
#aaronpkThis is something that's entirely up to the IndieAuth server to decide how to do and how to surface to the user
#aaronpkthe offline_access scope is something some implementations of OAuth did but has never been captured in a standard
#GWGI looked at what the spec, and the security recommendations, and OAuth2.1 talk about refresh tokens.
#aaronpkSorry, not in an OAuth standard. It's in openid connect
#GWGThere is the discussion of refresh token rotation.
#GWGWhether you should issue a new refresh token every time you redeem.
#GWGThere's a security recommendation that if a client isn't used for a period, you should invalidate their token
#GWGBut again, implementation details. The worst that could happen is your client has to go through the flow again
#rattroupe[d]It’s a little more than an implementation detail. If the client has the burden of requesting a refresh token, that means an endpoint doesn’t have to burden the user at all if no refresh is requested. But if it’s up to the endpoint implementation then the endpoint has to ask the user every time, if it wants to implement refresh tokens at all
#GWGrattroupe: Clients don't request refresh tokens. They are just provided.
#GWGIf they aren't, the decision on why is that of the endpoint.
#GWGIf your client doesn't use them, then it is the same as we have now. You have to go through the indieauth flow again
#GWGIf you had one, redeem it, and don't get a new one, or the old one is revoked, you still have to go through the indieauth flow again
#GWGaaronpk is the OAuth2 expert, but if I understand it correctly, and why I was one of those pushing for it, is that short-lived access tokens with refresh are better than a long-lived token for clients where you want them to have access for a longer period of time
#GWGWhat I haven't implemented, and not sure if anyone has, is actually changing how my endpoint gives out credentials based on the client.
#GWGSo my endpoint would know what resource it was giving access to and could do all sorts of stuff. Although still not sure I would.
#[fluffy]did refresh tokens ever get added to the TicketAuth spec? Publ’s ticket endpoint provides them as a matter of course but it’d be nice for it to be formalized
#GWG[fluffy]: We were talking about it for IndieAuth. Why would they be needed for Ticket Auth?
#GWGIf you get an access token from a ticket, and you have refresh tokens...
#[fluffy]they’d be needed if the ticket auth grant is given manually
#[fluffy]this is something we’d talked about not too long ago I think?
#GWG[fluffy]: A lot going on. I might have forgotten
ralismark joined the channel
#ZegnatI would say that, in TicketAuth, you redeem the ticket for a token at an OAuth token endpoint. Refresh tokens are just a feature of the token endpoint, so not sure there is a need to add anything specific about them to TicketAuth?
#[fluffy]sorry, my head is always so focused on TicketAuth that I forget that it’s an initiation flow for the OAuth token stuff
#[fluffy]@rattroupe I had to take a break from Authl stuff but I’ve released a new version that hopefully supports IndieAuth profiles (or at least the unit tests say it do), and it’s been deployed to https://beesbuzz.biz/ - feel free to visit https://beesbuzz.biz/blog/profile and see if it works as you expect!
#[fluffy]!tell rattroupe IndieAuth profile implementation is live on https://beesbuzz.biz/ although there’s an issue where it’ll cache stuff from the IndieAuth server response erroneously if e.g. someone logs out and back in without the scopes set. I’ve already fixed that in the code but I’m going to hold off on doing another release so quickly.
#rattroupe[d]Just discovered a bug where Authorio won’t work if the client site doesn’t use PKCE
chenghiz_ joined the channel
#jamietannarattroupe[d] that should be fine - didn't we make PKCE required in the spec? So it's fully up to us as to whether we support legacy sites or not
#rattroupe[d]I thought I had coded it to support legacy non-PKCE sites but I didn’t test it and it turns out there was a bug. Should be easy to fix though
#GWGI tried to summarize refresh and expiry in new text, based on existing specs
#GWGThen I started reading about refresh token rotation, and such...
#GWGjamietanna: Where did p-achievement come from on your resume?
#rattroupe[d]!tell [fluffy] I logged in to beesbuzz and saw the profile scope in my log, and the login appeared to work, but I don’t see the profile information used anywhere on the site.
#[fluffy]That’s literally the only place the profile appears to users :)
#[fluffy]On my admin view I do see a homepage and email address for your user profile.
#rattroupe[d]Is there a link from the home page to the profile page or do I just have to type in that url?
#[fluffy]Although I notice that your identity is shown as reiterate.app which appears to not be specific to you?
#[fluffy]There’s a “view profile” type link at the top of most article paginations.
#[fluffy]like there should be something like a “Hello, [your name here]. [sign out]” pair of links. The ‘your name here’ one would take you to your profile.
#rattroupe[d]Oh, it only appears if there’s more than one article
#[fluffy]The point to the profile page is so that you can see how you look to me, and so that I can see who you are so that I can grant you access to private entries.
#[fluffy]eh? it should appear on all index pages regardless of article count
#rattroupe[d]Yes it says Hello, [Michael Meckler] so that is working…
#[fluffy]it won’t appear on an individual article’s page though
#[fluffy]Generally if you’re viewing an article you already have access to it so there’s no need to see how I see you :)
#[fluffy]and presumably you don’t have an h-card that provides those things, right?
#[fluffy]In my unit tests I also make sure that if you have both an h-card and an IndieAuth profile, the IndieAuth profile takes priority.
#rattroupe[d]I was confused because I didn’t see a profile link on the home page, and the first few links I clicked on didn’t go to a page with a profile link either
#[fluffy]But it’ll aggregate stuff together, since h-card provides way more information (bio, pronouns, etc.)
#[fluffy]ah, right, that could be a bit more clear. On the home page it’ll show a login link if you’re logged out and there’s a recent private entry, but there’s no profile link there.
#[fluffy]I’m always trying to balance the UX of a “this is my personal website and portfolio” site and a “this is my online social presence” site.
#rattroupe[d]I do have an h-card on the home page of my site
#[fluffy]PKCE has been a low priority because of the use case of Authl so far but I definitely do want to support it eventually since Authl isn’t *just* for Publ’s private-entry login.
#[fluffy]like I intend to use it on any app I build that requires login, and I designed it to be straightforward to integrate into any Python app (with it being especially easy for Flask but there’s no Flask requirement)
#rattroupe[d][fluffy]: I posted a rant about profile URLs, in the end I decided to have a single-user config for Authorio and reiterate.app is running in single user mode
#rattroupe[d]So, yay, I believe this is the first active instance of IndieAuth profile information exchange between client and endpoint
#[fluffy]Yeah I saw that rant, that’s what led me to your thing about profile support
#[fluffy]I *sort of* agree with your rant in principle but in practice IndieAuth does support the idea of things like reiterate.app/rattroupe/ or whatever.
#[fluffy]Back when I used OpenID for login in a lot of places I used a hack to have my profile URL be beesbuzz.biz/fluffy/ which just had a couple of links to things.
#[fluffy](that URL doesn’t work now though, this was aeons ago)
#[fluffy]anyway as far as ‘first active instance’ goes I feel like this should be recorded on the wiki somewhere.
#[fluffy]I guess we don’t actually have verification that it’s your IndieAuth profile that was used, though; if you have the same data on your h-card then it *could* have been pulled from that.
#rattroupe[d]I can edit my home page to take it out, then log out and back in…
#[fluffy]oh also the cache lifetime is 1800 seconds.
#rattroupe[d]If I edit the profile information that my endpoint returns, will that override any cache?
#[fluffy]I could make that shorter too although that’s currently hardcoded into Authl itself. It’s just there to make it so that the h-card doesn’t have to be re-fetched after a successful login.
#[fluffy]but yeah the h-card should always get refreshed on a new indieauth login
#[fluffy]oh, I guess if something gets removed from the h-card that’ll remain in the cache. That’s easy enough to fix though.
#[fluffy]I should also reduce the cache time. There’s no reason for it to be half an hour.
#[fluffy](And if you deny the ‘email’ scope on the login then the public email address will be used, if your auth endpoint implements scopes correctly)
#rattroupe[d]Hmm.. Ed my profile settings back to what they should be, logged out and back in of beesbuzz, but I’m still seeing the (cached) test values
#[fluffy]Hmm, only the h-card should be getting cached at all… oh, but the endpoint discovery is also cached, so yeah I guess it’d only refresh after the cache expires.
#[fluffy]The initial h-card cache occurs as part of endpoint discovery
#[fluffy]For now it’ll take 30 minutes for that to reset, although in the next release of Authl it’ll only take 5.
#rattroupe[d]A little confusing since your view profile page explicitly says “if this info is outdated, log out and back in” but that doesn’t fix it
#[fluffy]Yeah, that’s more for like “hey I changed my name on Mastodon why is it still showing me my old Mastodon name”
#[fluffy]Arguably I could just make it not cache anything but then people will probably get annoyed at how many times it makes a request back to the server. You can never really win.
#rattroupe[d]I can see in my logs that you are requesting and receiving the updated profile info each time I relog but I guess you’re discarding it in favor of your cache?
#[fluffy]no, the updated profile should always take precedence
#[fluffy]if the profile is cached it shouldn’t be requesting anything at all. Did you make sure to update the IndieAuth profile too?
#[fluffy]oh yeah there’s definitely a caching bug that was causing the indieauth profile to become part of the cache
#[fluffy]although the new indieauth profile should still be overriding it
#[fluffy]unfortunately the cache is all in-process and I don’t have debugging logging enabled for beesbuzz.biz (since that’d make my site really slow) so I can’t do any forensics on this particular thing.
#[fluffy]I should add a unit test for server profile updates
#rattroupe[d]I’m logged in to beesbuzz with my laptop. I then visited the site with my iPad, and I’m not logged in there. So I tried logging in on my iPad, and it went through normal flow. I authenticated with my site, but then it redirected to beesbuzz homepage and I was still not logged in.
#rattroupe[d]The endpoint is reiterate.app/authorio/auth. I get redirected there just fine, that’s where I authenticate on my end. Then I get redirected to http://dev-authl.beesbuzz.biz/cb/ia and eventually to the homepage
#[fluffy]yes, but I mean there’s more stuff in the URL
#rattroupe[d]Ok I’ve found a problem on the authorio side, somehow it thinks I’m hitting the cancel button but only on iPad?
#[fluffy]Weird. Maybe some messed-up form elements?
#[fluffy]like maybe wrong value on an <input type=“submit”> or whatever
#[fluffy]anyway good to know this isn’t some weird hard-to-debug Authl bug.
#rattroupe[d]Ah it’s because I was tapping return on the iPad, but clicking the submit button on my laptop, and the cancel button is the default because it’s the first one in the form