#dev 2021-08-31

2021-08-31 UTC
#
[fluffy]
It’s about time I finally get around to adding PKCE support to Authl. Are there any IndieAuth providers that I can use for the purpose of testing the implementation?
#
[fluffy]
something like indieauth.rocks except, y’know, existing
#
[fluffy]
I guess I could see if SelfAuth supports it yet
#
rattroupe[d]
Authorio uses PKCE
#
aaronpk
Indielogin.com does too
#
aaronpk
oh providers nvm
#
rattroupe[d]
In fact until recently it required PKCE, I had to fix a bug to make it work with legacy clients like beesbuzz
#
[fluffy]
Authl is the client, beesbuzz.biz is just a site that uses Authl 😛
#
[fluffy]
From the IndieAuth spec it isn’t clear to me what the PKCE verification flow is, or what this actually does to help with verification in the first place.
maxwelljoslyn[d] joined the channel
#
aaronpk
I don't think IndieAuth is the place to describe the underlying ideas there
#
[fluffy]
I have trouble following RFC7636
#
aaronpk
i do have plenty of material in my OAuth videos that talk about the why
#
aaronpk
I even talked about it on the latest Changelog podcast episode
#
rattroupe[d]
It’s actually pretty simple, as long as you have libraries that do sha256 and base64 encoding
#
[fluffy]
okay so the thing with Authl is that it doesn’t actually use tokens
#
[fluffy]
it only cares about the login side of things, it’s not using it to make any remote API requests or anything. it’s purely an identity service.
#
rattroupe[d]
The code_challenge you generate is independent of the token flow
#
[fluffy]
and from what I’m seeing, PKCE is used to verify the authenticity of a token, is that correct?
#
aaronpk
No, it makes sure that the same thing that redeems the authorization code is the same thing that requested it
#
rattroupe[d]
No, PKCE is used also on the no-token flow, which is why Authorio originally didn’t work with Authl
#
[fluffy]
ah okay so it’s part of the auth code verification too?
#
aaronpk
s/too/only
#
[fluffy]
okay, the RFC’s just kinda hard for me to parse for whatever reason. So, if I understand correctly: when I initiate the auth request I include a code_challenge=base64(sha256(garbagestring)), and then when I do the verification request I include code_verifier=garbagestring ?
#
rattroupe[d]
PKCE is used in the token flow too, when the client requests a token
#
aaronpk
Yes exactly
#
[fluffy]
ok, it’s that last bit I wasn’t getting
#
[fluffy]
that seems easy enough for me to add
#
aaronpk
if you don't care about why, the IndieAuth spec should have enough in it to ignore RFC7636
#
[fluffy]
the indieauth spec talks about sending the code_challenge but I’m not seeing where it talks about the code_verifier
#
[fluffy]
or maybe I’m just dumb
#
[fluffy]
oh I’m just dumb
#
[fluffy]
now that I know what to look for I found it 😛
#
rattroupe[d]
You should probably also include code_challenge_method=S256 although I’m not sure any implementation actually checks for that
#
[fluffy]
yeah I figured that was implied
#
[fluffy]
but good to call that out explicitly for the log’s sake
#
Loqi
it is probable
#
[fluffy]
so, interesting wrinkle… Authl by default stashes the state data in the state value itself. Which means if someone’s savvy to that and notices that Authl is using an itsdangerous signed session cookie thing for that storage, they’d be able to extract the verifier out of it.
#
rattroupe[d]
aaronpk[d] if I want to propose a change to the indieauth spec is the best way to just make a PR?
#
[fluffy]
Authl *can* be configured to use local storage for things but this was a design decision I made to keep things simple for deployment.
#
aaronpk
rattroupe[d]: If it's relatively straightforward yes, otherwise an issue first to discuss it
#
rattroupe[d]
Oh I actually meant an issue
#
rattroupe[d]
State is sent in the clear as a param on the initial GET request to the auth endpoint
#
rattroupe[d]
So putting secrets in there is a security hole I would think
#
[fluffy]
yeah, exactly why I raise that as a concern
#
[fluffy]
I think this might be why I abandoned adding PKCE the last time I looked into it? It feels familiar.
#
[fluffy]
I think I’ll add a configuration note to Authl that it’s highly recommended to use a local token store instead of signed tokens.
#
[fluffy]
I forget if Publ just uses signed session tokens or if it actually implements a local store.
#
[fluffy]
oh wait I was wrong, Authl defaults to local storage. Phew.
#
[fluffy]
I forget when I made that change.
#
[fluffy]
but the original reason for using signed session cookie-style things was to make it easier to support a load-balanced configuration and I guess at some point I decided that wasn’t a reasonable default to go with? Who knows.
#
[fluffy]
Wait no, the Flask wrapper actually defaults to using the signed cookies. Well, that’s the place to change that then.
#
aaronpk
if you can use signed cookies you can probably use encrypted cookies, in which case it's fine to tuck that into the state parameter
#
[fluffy]
itsdangerous doesn’t support encryption, just HMAC-style signing 😞
#
[fluffy]
It’s intended to be tamper-proof, not secret.
#
[fluffy]
I should look into an alternate storage mechanism for that stuff though, it wouldn’t be that hard to change the serializing token store to use an actual encryption library instead of simple signing
#
Loqi
definitely
#
[fluffy]
@rattroupe mind testing logging in at authl-dev.plaidweb.site?
#
[fluffy]
It should do PKCE now.
#
rattroupe[d]
Just a sec…
#
[fluffy]
to paraphrase Knuth, I’ve only unit tested it, not verified that it works
#
aaronpk
i saw PKCE in the request, but my site returned HTTP 400 on the verification
#
[fluffy]
it looks like rattroupe was able to log in but maybe his PKCE verification is broken 🙂
#
[fluffy]
oh, one possible problem is that I’m using random bytes rather than URL-safe characters
#
[fluffy]
so maybe something along the way is hecking that up
#
[fluffy]
wait no I changed to secrets.token_urlsafe which only uses URL-safe characters
#
[fluffy]
so no encoding issues should be happening in the verifier
#
rattroupe[d]
It does look ok on my end…
#
[fluffy]
maybe a bug on aaron’s verifier then? 😉
#
rattroupe[d]
I’m instrumenting my code path and will try again
#
[fluffy]
yeah I can add some extra logging on my end too
#
rattroupe[d]
Sigh, problem is on my end, it’s not actually verifying
#
[fluffy]
[aaronpk] try again? I have logging for the challenge and verifier
#
[fluffy]
although I’m going to eat dinner now so it’ll be a bit before I can check
#
rattroupe[d]
Meanwhile I have to try and figure out why I’m losing the challenge code
hendursaga joined the channel
#
[fluffy]
oh I bet I need to use `b64_urlencode` instead of `b64encode`
#
[fluffy]
er, `urlsafe_b64encode`
#
aaronpk
also make sure your sha256 function is returning raw bytes that you're encoding. sometimes those functions return hex strings by default
#
[fluffy]
yeah it does
#
[fluffy]
anyway I have it running with urlsafe_base64
#
[fluffy]
in case you want to try again, Aaron
#
[fluffy]
oh except when I redeployed I lost the debug logging that would have helped diagnose fiddly bits
#
[fluffy]
but maybe it works now
#
aaronpk
same error
#
aaronpk
it remembered what I typed in the login box, nice touch
#
[fluffy]
dang, let me add the debug logging back in and we can sort it out
#
[fluffy]
yeah I care about UX 🙂
#
[fluffy]
okay, I have some debug logging added in
#
[fluffy]
try again?
#
[fluffy]
so on the request I got verifier=vBwzVHgdeSqHY9Ntrr40mkuRaifMDvh-KOjge6tlP8c and a redirect URL of
#
Loqi
Aaron Parecki
#
[fluffy]
thank you loqi
#
aaronpk
oh i think you left the trailing = on the code challenge
#
[fluffy]
yeah, does the spec say I shouldn’t do that? 😛
#
[fluffy]
so it does
#
aaronpk
ooh, indieauth doesn't actually spell it out explicitly. that would be a good note to add
#
[fluffy]
well, it sort of does say that
#
[fluffy]
but the RFC does
#
[fluffy]
okay so the RFC actually gives a base64-url-encode that’s different than what python’s urlsafe_b64encode does
#
[fluffy]
well, slightly different
#
aaronpk
yeah i don't know what the python function is
#
[fluffy]
okay the python function does the same encoding substitution but it doesn’t remove the trailing padding
#
aaronpk
i always just write my own around the built in base64 encode because it's not that complicated
#
[fluffy]
Okay, should be fixed now, try again?
#
rattroupe[d]
I’m still trying to figure out why I’m losing my session
#
[fluffy]
seems like having Aaron test is enough
#
[fluffy]
I trust his implementation to be exactingly correct
#
rattroupe[d]
Alright I think I’ve figured out what the issue on my end is, but it’s late for me so I’m going to have to pick this up tomorrow
#
aaronpk
I am back
#
aaronpk
but on phone now, let's see if this works
#
aaronpk
It worked!
#
[fluffy]
thanks aaronpk++
#
Loqi
aaronpk has 39 karma in this channel over the last year (114 in all channels)
#
[fluffy]
woo, Authl 0.5.2 released and deployed to beesbuzz.biz, with PKCE and also the fixes to profile caching
#
capjamesg[d]
Search engine is open source snarfed, GWG, sknebel, [tantek]: https://github.com/capjamesg/indieweb-search
#
capjamesg[d]
[edit] Search engine is open source snarfed, GWG, sknebel, [tantek]: https://github.com/capjamesg/indieweb-search
#
Loqi
[capjamesg] indieweb-search: Source code for the IndieWeb search engine.
#
Loqi
[capjamesg] indieweb-search: Source code for the IndieWeb search engine.
Seirdy, hendursa1, grantcodes[d] and Nezteb[d] joined the channel
#
[KevinMarks]
[tantek] what I meant by 'speed gate' was that Google's oneboxes have to complete within a deadline (100ms or so) or it ignores them in constructing the results page. That's harder if you're calling multiple separate endpoints (though doable if the various algorithms are running locally and you're loading them as modules)
tetov-irc joined the channel
#
capjamesg[d]
That's interesting.
rommudoh[m], reed, hala-bala[m], lasr[m], Abhas[m], astralbijection[, Lohn, vikanezrimaya, SamWilson[m], diegov, cambridgeport90[, P[m], LaBcasse[m], nekr0z, benatkin, nertzy__, nolith and chenghiz_ joined the channel
#
[snarfed]
capjamesg++ congrats!
#
Loqi
capjamesg has 6 karma in this channel over the last year (9 in all channels)
#
capjamesg[d]
Thanks [snarfed]. The index is 35,000 documents large so far. It's been working in the background today / yesterday.
#
capjamesg[d]
Unfortunately the search engine is really slow on PythonAnywhere but on localhost it's super quick. So I need to research that before saying "hey, this indieweb search engine exists"
#
capjamesg[d]
PythonAnywhere's advice is to move to MySQL / PostgreSQL.
#
capjamesg[d]
Because it's faster on their infrastructure. I just can't be bothered to set up a web server but it looks like I'll have to.
nolith and [arush] joined the channel
#
[tantek]
capjamesg++ yay! 🎉
#
Loqi
capjamesg has 7 karma in this channel over the last year (10 in all channels)
#
Loqi
giggles
#
capjamesg[d]
You can laugh Loqi?
#
[schmarty]
gives Loqi a laugh
#
Loqi
runs away from the laugh
#
[tantek]
gives Loqi a joke
#
Loqi
laughs at the joke
#
[schmarty]
well well well
#
[KevinMarks]
that is literally the sociology of laughter
KartikPrabhu, Seirdy and jjuran joined the channel
#
rattroupe[d]
@[fluffy] aaronpk[d] I finally got all the bugs worked out of Authorio’s PKCE
[aciccarello] and Seirdy joined the channel
#
@djangonewsbot
[Projects] easy-as-python/django-webmention A way to integrate webmention endpoint discovery and webmention receipts into a Django project. #djangonews https://github.com/easy-as-python/django-webmention
(twitter.com/_/status/1432840630988730373)
tetov-irc joined the channel