2021-08-31 UTC
# 00:28 [fluffy] It’s about time I finally get around to adding PKCE support to Authl. Are there any IndieAuth providers that I can use for the purpose of testing the implementation?
# 00:29 [fluffy] something like indieauth.rocks except, y’know, existing
# 00:31 rattroupe[d] In fact until recently it required PKCE, I had to fix a bug to make it work with legacy clients like beesbuzz
# 00:32 [fluffy] Authl is the client, beesbuzz.biz is just a site that uses Authl 😛
# 00:33 [fluffy] From the IndieAuth spec it isn’t clear to me what the PKCE verification flow is, or what this actually does to help with verification in the first place.
maxwelljoslyn[d] joined the channel
# 00:33 aaronpk I don't think IndieAuth is the place to describe the underlying ideas there
# 00:34 aaronpk i do have plenty of material in my OAuth videos that talk about the why
# 00:35 aaronpk I even talked about it on the latest Changelog podcast episode
# 00:37 rattroupe[d] It’s actually pretty simple, as long as you have libraries that do sha256 and base64 encoding
# 00:37 [fluffy] okay so the thing with Authl is that it doesn’t actually use tokens
# 00:38 [fluffy] it only cares about the login side of things, it’s not using it to make any remote API requests or anything. it’s purely an identity service.
# 00:38 [fluffy] and from what I’m seeing, PKCE is used to verify the authenticity of a token, is that correct?
# 00:39 aaronpk No, it makes sure that the same thing that redeems the authorization code is the same thing that requested it
# 00:39 rattroupe[d] No, PKCE is used also on the no-token flow, which is why Authorio originally didn’t work with Authl
# 00:40 [fluffy] ah okay so it’s part of the auth code verification too?
# 00:41 [fluffy] okay, the RFC’s just kinda hard for me to parse for whatever reason. So, if I understand correctly: when I initiate the auth request I include a code_challenge=base64(sha256(garbagestring)), and then when I do the verification request I include code_verifier=garbagestring ?
# 00:41 rattroupe[d] PKCE is used in the token flow too, when the client requests a token
# 00:42 aaronpk if you don't care about why, the IndieAuth spec should have enough in it to ignore RFC7636
# 00:43 [fluffy] the indieauth spec talks about sending the code_challenge but I’m not seeing where it talks about the code_verifier
# 00:44 rattroupe[d] You should probably also include code_challenge_method=S256 although I’m not sure any implementation actually checks for that
# 00:44 [fluffy] but good to call that out explicitly for the log’s sake
# 00:45 [fluffy] so, interesting wrinkle… Authl by default stashes the state data in the state value itself. Which means if someone’s savvy to that and notices that Authl is using an itsdangerous signed session cookie thing for that storage, they’d be able to extract the verifier out of it.
# 00:45 rattroupe[d] aaronpk[d] if I want to propose a change to the indieauth spec is the best way to just make a PR?
# 00:46 [fluffy] Authl *can* be configured to use local storage for things but this was a design decision I made to keep things simple for deployment.
# 00:46 aaronpk rattroupe[d]: If it's relatively straightforward yes, otherwise an issue first to discuss it
# 00:49 rattroupe[d] State is sent in the clear as a param on the initial GET request to the auth endpoint
# 00:53 [fluffy] I think this might be why I abandoned adding PKCE the last time I looked into it? It feels familiar.
# 00:53 [fluffy] I think I’ll add a configuration note to Authl that it’s highly recommended to use a local token store instead of signed tokens.
# 00:54 [fluffy] I forget if Publ just uses signed session tokens or if it actually implements a local store.
# 01:03 [fluffy] oh wait I was wrong, Authl defaults to local storage. Phew.
# 01:06 [fluffy] but the original reason for using signed session cookie-style things was to make it easier to support a load-balanced configuration and I guess at some point I decided that wasn’t a reasonable default to go with? Who knows.
# 01:06 [fluffy] Wait no, the Flask wrapper actually defaults to using the signed cookies. Well, that’s the place to change that then.
# 01:47 aaronpk if you can use signed cookies you can probably use encrypted cookies, in which case it's fine to tuck that into the state parameter
# 01:50 [fluffy] itsdangerous doesn’t support encryption, just HMAC-style signing 😞
# 01:52 [fluffy] I should look into an alternate storage mechanism for that stuff though, it wouldn’t be that hard to change the serializing token store to use an actual encryption library instead of simple signing
# 01:55 [fluffy] @rattroupe mind testing logging in at authl-dev.plaidweb.site?
# 01:56 [fluffy] to paraphrase Knuth, I’ve only unit tested it, not verified that it works
# 01:56 aaronpk i saw PKCE in the request, but my site returned HTTP 400 on the verification
# 01:57 [fluffy] it looks like rattroupe was able to log in but maybe his PKCE verification is broken 🙂
# 01:57 [fluffy] oh, one possible problem is that I’m using random bytes rather than URL-safe characters
# 01:58 [fluffy] wait no I changed to secrets.token_urlsafe which only uses URL-safe characters
# 01:58 [fluffy] so no encoding issues should be happening in the verifier
# 02:05 [fluffy] [aaronpk] try again? I have logging for the challenge and verifier
# 02:11 [fluffy] although I’m going to eat dinner now so it’ll be a bit before I can check
# 02:12 rattroupe[d] Meanwhile I have to try and figure out why I’m losing the challenge code
hendursaga joined the channel
# 02:46 [fluffy] oh I bet I need to use `b64_urlencode` instead of `b64encode`
# 03:04 aaronpk also make sure your sha256 function is returning raw bytes that you're encoding. sometimes those functions return hex strings by default
# 03:10 [fluffy] oh except when I redeployed I lost the debug logging that would have helped diagnose fiddly bits
# 03:11 aaronpk it remembered what I typed in the login box, nice touch
# 03:11 [fluffy] dang, let me add the debug logging back in and we can sort it out
# 03:14 [fluffy] so on the request I got verifier=vBwzVHgdeSqHY9Ntrr40mkuRaifMDvh-KOjge6tlP8c and a redirect URL of
# 03:15 aaronpk oh i think you left the trailing = on the code challenge
# 03:16 aaronpk ooh, indieauth doesn't actually spell it out explicitly. that would be a good note to add
# 03:17 [fluffy] okay so the RFC actually gives a base64-url-encode that’s different than what python’s urlsafe_b64encode does
# 03:17 [fluffy] okay the python function does the same encoding substitution but it doesn’t remove the trailing padding
# 03:18 aaronpk i always just write my own around the built in base64 encode because it's not that complicated
# 03:59 rattroupe[d] Alright I think I’ve figured out what the issue on my end is, but it’s late for me so I’m going to have to pick this up tomorrow
# 05:15 Loqi aaronpk has 39 karma in this channel over the last year (114 in all channels)
# 05:56 [fluffy] woo, Authl 0.5.2 released and deployed to beesbuzz.biz, with PKCE and also the fixes to profile caching
# 07:50 Loqi [capjamesg] indieweb-search: Source code for the IndieWeb search engine.
# 07:51 Loqi [capjamesg] indieweb-search: Source code for the IndieWeb search engine.
Seirdy, hendursa1, grantcodes[d] and Nezteb[d] joined the channel
# 10:20 [KevinMarks] [tantek] what I meant by 'speed gate' was that Google's oneboxes have to complete within a deadline (100ms or so) or it ignores them in constructing the results page. That's harder if you're calling multiple separate endpoints (though doable if the various algorithms are running locally and you're loading them as modules)
tetov-irc joined the channel
rommudoh[m], reed, hala-bala[m], lasr[m], Abhas[m], astralbijection[, Lohn, vikanezrimaya, SamWilson[m], diegov, cambridgeport90[, P[m], LaBcasse[m], nekr0z, benatkin, nertzy__, nolith and chenghiz_ joined the channel
# 14:37 Loqi capjamesg has 6 karma in this channel over the last year (9 in all channels)
# 14:38 capjamesg[d] Thanks [snarfed]. The index is 35,000 documents large so far. It's been working in the background today / yesterday.
# 14:39 capjamesg[d] Unfortunately the search engine is really slow on PythonAnywhere but on localhost it's super quick. So I need to research that before saying "hey, this indieweb search engine exists"
# 14:41 capjamesg[d] Because it's faster on their infrastructure. I just can't be bothered to set up a web server but it looks like I'll have to.
nolith and [arush] joined the channel
# 16:32 Loqi capjamesg has 7 karma in this channel over the last year (10 in all channels)
KartikPrabhu, Seirdy and jjuran joined the channel
# 22:18 rattroupe[d] @[fluffy] aaronpk[d] I finally got all the bugs worked out of Authorio’s PKCE
[aciccarello] and Seirdy joined the channel
tetov-irc joined the channel