#dev 2021-10-12

2021-10-12 UTC
#
[fluffy]
What’s the appropriate status response for a malformed `Authorization` header?
#
[tantek]
astralbijection, one of the use-cases for h-entry in blog posts is easier content recovery, e.g. any blog posts with h-entry that make it into the Internet Archive can be more semi-automatically recovered by parsing them with an mf2 parser, and then re-importing that structured content into a new CMS
#
[tantek]
and this is a big difference from say, RSS or other feed files, which are NOT archived by the Internet Archive AFAIK, and even if they were, are detached from the actual permalink URLs of the posts
#
GWG
How is 2.1 going?
#
aaronpk
GWG: feel free to tune in wednesday! we have an official meeting
#
[fluffy]
Okay, and what about an expired one?
#
[fluffy]
should that be 401 Unauthorized?
#
aaronpk
i think these are all captured in that section
#
astralbijection[
maybe i'll spread the indieweb/microformats/archiveable websites gospel to the other people in the club ;)
#
[fluffy]
That section says 401 for both cases I’m referring to
#
[fluffy]
“The access token provided is expired, revoked, malformed, or invalid for other reasons. The resource SHOULD respond with the HTTP 401 (Unauthorized) status code.”
#
aaronpk
you said malformed authorization header, not malformed access token
#
[fluffy]
Oh, sorry, my bad. Yeah I meant malformed/expired token.
#
aaronpk
if those sections are not clear on which codes to return when, this is the time to update the spec ;-)
#
[fluffy]
Yeah it’s totally clear, I just wasn’t looking there since I wasn’t specifically looking at OAuth here
#
aaronpk
yep i don't think there's anything special about IndieAuth in this case
#
GWG
aaronpk: I'll see if I can adjust my lunchtime to coincide.
#
aaronpk
i am hoping the session is relatively uneventful
#
aaronpk
tho i am expecting our favorite commenter to show up and will be doing my absolute best to not lose my patience on the call
#
GWG
I'm just curious what these meetings are like. I might learn something
#
GWG
At the least, I might get better at writing those IndieAuth PRs
#
[fluffy]
I mean this wasn’t entirely about IndieAuth either, just like… generic use of bearer tokens. Which may or may not be obtained via IndieAuth in this case (like, with Publ you can get an auth token from any identity provider). But in any case, thanks. I was doing a 401 before but my handling of that was leading to a dumb bug in my implementation and I figured while I was fixing it I should verify I was using the right response code
#
[fluffy]
anyway.
#
Loqi
[fluffy-critter] #467 Feature/fix misparsed tokens
ShinyCyril joined the channel
#
micahrl[m]
Whoa, I just made a working IndieAuth implementation 🤯. At least, indielogin.com and indieweb.org let me authenticate.
#
micahrl[m]
Took a lot of inspiration from Sellout Engine <https://github.com/unrelentingtech/sellout> and it was super helpful to get to study that code. I wanted something similar to that but not quite the same. I host my Hugo blog on netlify, and I wanted to keep doing that. I also wanted to be able to keep the blog up even if the indieauth app goes down. I'm using Flask behind Apache, while Sellout uses uwsgi somehow.
#
Loqi
[unrelentingtech] sellout: IndieAuth/Micropub for static (Zola+GitHub) websites, runnable on Lambda
#
nekr0z
<[Ed_Beck]> "↩️ This is a blog post- pushed..." <- The thing with Brid.gy is that it can watch for comments on Facebook or Twitter and send them back to your site as webmentions so that you can have them as comments on the site.
#
micahrl[m]
I called my system Interpersonal. Eventually I'd like to do micropub as well like Sellout Engine does. https://github.com/mrled/interpersonal/
#
@mrled
Little alpha release tonight: Interpersonal connects sites to the IndieWeb. Right now it just does IndieAuth. https://github.com/mrled/interpersonal
(twitter.com/_/status/1447793038198247425)
#
@mrled
↩️ As an aside, I think it would be cool to build a little Tor community with IndieAuth. Tor is actually nicer in some respects as you don’t need to pay for a domain name or bother with HTTPS and you can host from home. (Of course, you do have to set up Tor itself.)
(twitter.com/_/status/1447793044477120512)
#
@mrled
↩️ IndieAuth is pretty interesting. It lets you log in to supporting websites with your own website - sort of like “Log in with Facebook” except it’s your own domain, not tied to a third party.
(twitter.com/_/status/1447793042056941569)
#
micahrl[m]
Hmm. I did not expect those tweets to show up here lol
#
[tantek]
Interpersonal is a great name
Seirdy joined the channel
#
Ruxton
Umm re tor: you should still use HTTPS, You can't and shouldn't trust the TOR nodes
#
[fluffy]
yeah back in the day the whole push to https was because intermediate routers could theoretically snoop on traffic, although that was incredibly unlikely. In the world of tor, however? extremely likely.
#
sknebel
since they mention "no domain name", they speak about hidden services
#
sknebel
very different model than visiting normal websites over Tor, where you indeed should very much worry about *exit* nodes
#
Ruxton
fluffy: not unlikely, it happened here in Aus. sensitive govt docs were snooped out of a major link and the guy allegedly responsible refused to give up his passwords for his encryption keys and was strung up for that and not allowed to use computers for 10 years
[chrisaldrich], ben_thatmustbeme and gerben joined the channel
#
sknebel
(there is actually one CA now that will give you a DV cert for a hidden service, but it doesn't add that much. and ~nobody is going to buy an EV cert for private purposes)
#
capjamesg[d]
What should I be aware of if I decided to implement the IndieAuth spec?
#
capjamesg[d]
I have thought about setting up a provider. I know a few people here have (aaronpk, jamietanna, fluffy).
#
capjamesg[d]
My concern is that I don’t want to mess anything up.
#
Ruxton
what are you concerned about messing up?
#
sknebel
take it step by step, then I think it's not that much trouble
#
capjamesg[d]
I need to read into it more. I have a little feeling that authentication mistakes are a whole lot worse than any other 😅
#
Ruxton
stress less, start building pieces
#
Ruxton
or spend forever thinking about what could be and not doing ;P
hendursa1 joined the channel
#
capjamesg[d]
I think I will start with the authorization endpoint 🙂
#
capjamesg[d]
I now have a new project for when I return from vacation haha.
hendursaga and amcorrigal joined the channel
#
unrelentingtech
<micahrl[m]> "Whoa, I just made a working..." <- wow, I pretty much didn't advertise sellout anywhere at all, didn't expect it to inspire anything :D nice
#
capjamesg[d]
I am a bit confused about the role token endpoints play.
#
capjamesg[d]
When does an authorization server interact with a token endpoint?
tetov-irc joined the channel
#
capjamesg[d]
Also, what is the easiest way to send an email from a web app? I’ll need to have some kind of email with code system so I can authenticate with my domain.
#
capjamesg[d]
I don’t really make use of other social networks so I am not thinking about implementing the full rel me with.
#
capjamesg[d]
*rel me auth
#
unrelentingtech
<capjamesg[d]> "I am a bit confused about the..." <- when the user clicks allow, they get redirected to the client with a temporary code. the client can exchange the code either with the authorization-endpoint to only verify it and maybe get profile info, OR with the token-endpoint to also get a token that can be used to access resources like micropub/microsub on the site
#
unrelentingtech
if the token-endpoint is an independent service, it would use the authorization-endpoint for the verification part
#
unrelentingtech
if they're all integrated they would just call the same verification function
#
[KevinMarks]
sending email is hard now, you pretty much need a pre-approved cloud service to do it, as the amount of crap you have to do to auth things is prohibitive
#
capjamesg[d]
That makes sense. So the token endpoint issues tokens for Micropub/Microsub.
#
capjamesg[d]
It’s annoying how difficult sending email is in an app.
#
capjamesg[d]
I might just implement rel me auth for socials then (Twitter).
#
capjamesg[d]
To save the trouble of adding an email verification service.
#
[KevinMarks]
you can use mailchimp or amazon to do it, but it is an extra thing to set up
akevinhuang joined the channel
#
micahrl[m]
<unrelentingtech> "wow, I pretty much didn't..." <- It was perfect for me - was having trouble understanding the spec without example code, and I’m more comfortable with Python than most other languages I’ve seen it implemented in. Thank you for publishing the code :)
#
micahrl[m]
<capjamesg[d]> "Also, what is the easiest way to..." <- You can do it without email or other social networks - the actual authentication part is left up to you. I just use a static code that is set at deployment time. No email, no other social platforms.
#
micahrl[m]
I share your concern about security though. I have never implemented an authorization system before and I have a lot of reading to do now that the proof of concept is working. I’m sure it needs some hardening.
#
micahrl[m]
That’s one reason I built it this way actually. I wanted to keep it separate from my statically hosted blog so that if I don’t have time to pay attention to my website for personal reasons for a while I can take down the endpoint but leave my content up.
#
capjamesg[d]
My site is static too so I’ll be running my endpoints elsewhere.
#
capjamesg[d]
I’ll start with the authorization endpoint and maybe look at token endpoints after that.
#
capjamesg[d]
I don’t think there is an official test suite yet which would help me harden my implementation when I start.
#
capjamesg[d]
Nevertheless, I’ll just read through the spec and supporting materials on the wiki 🙂
#
capjamesg[d]
I might just go for a static password then:
#
capjamesg[d]
And leave rel me auth and such for further down the line. I just want to dip my toe into this area without taking on too much too soon.
#
capjamesg[d]
How do you know whether to make a request to an auth or token endpoint?
#
aaronpk
depends on whether you are trying to get an access token, described here https://indieauth.spec.indieweb.org/#request
#
aaronpk
that's a risky fragment link... why don't we include the actual section numbers in those fragments
#
[KevinMarks]
are they likely to be renumbered?
#
aaronpk
possibly yes
#
capjamesg[d]
Thanks aaronpk. That is very helpful!
#
capjamesg[d]
Thanks aaronpk. That link is helpful!
#
GWG
aaronpk: Definitely yes if we add the new segments, I think
#
aaronpk
this is one of the reasons i like the ietf method a bit better, where new versions *only* exist at permalinks
KartikPrabhu joined the channel
#
GWG
aaronpk: We have historic versions, couldn't the current url be a redirect to the last updated version?
#
aaronpk
we have historic versions, but only when we decide to publish one. with the IETF the only way to get an update out at all is to publish a version that is snapshotted
#
aaronpk
also we don't publish a historic snapshot until the version is replaced. for example right now the current version (Nov 26) doesn't have its own standalone page
#
GWG
aaronpk: Is it worth changing that?
#
GWG
I'm hoping after the session on Saturday we can finalize enough
#
aaronpk
maybe we should add this as a topic of discussion
#
GWG
Is it just for IndieAuth though? The same script is used for the other specs, isn't it?
#
aaronpk
there's nothing automated about it no
#
GWG
aaronpk: I thought that was what put in the numbers for the sections. Didn't look that closely
#
aaronpk
that's some js from w3c embedded in the page
#
aaronpk
it's a manual process to save that as a snapshot and add to git
#
GWG
aaronpk: Wonder if the conversation is scripting that and using a GitHub action or something?
#
aaronpk
scripting it isn't practical because it runs in the browser
#
aaronpk
a different conversation would be to switch to the new ietf script which makes these style pages https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-04.html
[jeremycherfas] and hs0ucy joined the channel
#
unrelentingtech
<capjamesg[d]> "And leave rel me auth and such..." <- you *won't* need rel-me auth if you're doing custom endpoints
#
unrelentingtech
rel-me auth is just what the indieauth dot com endpoint does, so anyone can very quickly get indieauth working with like zero effort (just adding rel=me links to supported services)
#
GWG
aaronpk: Is that script documented somewhere?
#
capjamesg[d]
unrelentingtech thank you for all of your help today!
#
capjamesg[d]
I haven’t even started coding yet but I have just had to get my head around things.
shoesNsocks joined the channel
#
capjamesg[d]
In that case I might just use a basic pass phrase auth for v1.
#
capjamesg[d]
And then maybe look into other methods of verification later.
#
capjamesg[d]
So: if password valid, authenticate as jamesg.blog. And then I’ll be shown the consent screen and continue with the flow.
#
GWG
capjamesg[d]: I use the WordPress password system as my way of verifying identity for IndieAuth. Nothing wrong with authenticating locally to authenticate globally
#
GWG
aaronpk: I meant the IETF one?
[Justin_Walsh] joined the channel
#
[Justin_Walsh]
Super excited that WebAuthn is at ~90% now. Passwords are lame. 🙂
#
GWG
[Justin_Walsh]: People have to start somewhere
#
[Justin_Walsh]
I guess to clarify, supporting passwords and users is lame, maybe WebAuthn makes this easier and requires less effort from me to allow a user to have some kind of personal profile on a site / tool I build.
#
[Justin_Walsh]
Be careful of your wording, you can not re-write history here. Haha.
#
[Justin_Walsh]
Users are not lame, they are great. The problems that users have with passwords though.
#
GWG
[Justin_Walsh]: Webauthn is still weak on the adoption side
#
[Justin_Walsh]
iOS just rolled out support for it in their webview, so now alt browsers and apps can use it in web based login flows.
#
[Justin_Walsh]
I think this is the moment where we see more adoption
#
@DaanDebie
↩️ Interesting! Hadn't heard about Microsub yet! https://indieweb.org/Microsub I haven't even implemented webmentions yet, so will do that first at some point
(twitter.com/_/status/1447970459841142791)
#
GWG
[Justin_Walsh]: I'm just pointing out that it is still early days on things.
#
[Justin_Walsh]
Oh for sure, I get excited about the early days, to see where they go, how they fail, etc. So this is just an exciting moment for me where I think it may be worth trying it out and seeing how it works, what it does, etc.
#
GWG
I implemented IndieAuth, but how I prove my identity to my site I have not upgraded. I could.
#
[Justin_Walsh]
Ohhh IndieAuth, let me just try that one first. 🚋
#
[Justin_Walsh]
I already have keybase setup so seems compatible with the key from keybase for auth...
#
GWG
[Justin_Walsh]: IndieAuth is a standard. IndieAuth.com is an implementation.
#
[Justin_Walsh]
I was just quickly glossing over the parts about rel-me and a pgp key to sign.
#
GWG
[Justin_Walsh]: Also an implementation.
#
aaronpk
that API has nothing to do with IndieAuth, that's how a website can use indielogin.com to log users in
#
GWG
Rel me and pgp aren't indieauth. They are just ways to prove your identity to the server where you don't have an account
#
capjamesg[d]
I admit I have been confused by the naming on many occasions.
#
GWG
capjamesg[d]: Naming is hard
#
capjamesg[d]
I vow not to name my personal IndieAuth server IndieAuth.
#
GWG
When I first joined the community, everyone thought Indieauth was what Indieauth.com did...with the linking to Twitter/GitHub, etc.
#
capjamesg[d]
Maybe “jamesg-IndieAuth” 😅
#
capjamesg[d]
And rel me auth was until recently in my mind very associated with IndieAuth.
#
capjamesg[d]
Then I realized they are independent.
#
GWG
capjamesg[d]: If aaronpk hadn't used rel-me-auth to implement the site, then how would it be able to prove you had control of your domain? You'd need to register for an account or such
#
GWG
It was a great self-service move
#
GWG
Just prove to Indieauth/Indielogin that example.com and twitter.com/example were the same person, prove you have access to twitter.com, and it would issue you a token for example.com
#
GWG
Completely stateless
#
capjamesg[d]
Oh, absolutely.
#
GWG
But it led to this conflation by a lot of people.
#
capjamesg[d]
I have no doubt that was the right approach.
#
capjamesg[d]
I just got confused. Which is due to my not reading as much into IndieAuth.
#
GWG
But when I started using it, having to use Github, Twitter, etc to prove my identity didn't make sense to me...my site had a user auth flow.
#
aaronpk
when i replace indieauth.com as a personal indieauth endpoint, i'm pretty sure i'm going to make you go through a traditional signup flow in order to use it
#
GWG
So I dug in, like you, and realized what was going on.
#
aaronpk
maybe not with a password, maybe with webauthn + email fallback, or maybe even still with twitter oauth, but in any case it's going to be an initial registration step before it tells you how to add it to your website
maxwelljoslyn[d], hendursaga and kogepan joined the channel
#
GWG
aaronpk: That may help with understanding
gRegor joined the channel
#
[Justin_Walsh]
Well crap, now I am more confused. IndieAuth.com tells me to use IndieLogin.com, but then also says I may be looking for IndieAuth.net, I don't even know what I am looking for 🤷 I just don't want to use Auth-0, and stay in frontend land as much as possible. All the AUTH!!!!
#
[tantek]
needs a flow chart diagram 🙂
#
aaronpk
what exactly are you trying to do?
#
aaronpk
indieauth.net is just an informational site
#
[tantek]
maybe we need indieauth.edu for that 😉
#
aaronpk
i do already have oauth.school
#
GWG
aaronpk: How much is a school?
#
[Justin_Walsh]
Provide a mechanism for a user of a site to login so that I can push and pull some data they want to store in redis.
#
Loqi
[Aaron Parecki] How to Sign Users In with IndieAuth
#
[Justin_Walsh]
🙏
#
aaronpk
if you want them to be able to log in even if they don't have indieauth support, then you can also do rel-me-auth which is where you get the whole rel-me link thing
#
aaronpk
indielogin.com is a service that does both of those on top of a simple API. however I am currently not offering that service to others, it's used only for the wiki and other community tools. you could spin up an instance of that if you want
#
[Justin_Walsh]
I was url encoding the data and using localhost to make the site useful without a DB, but then I stood up a DB to shorten the long URLs to shorter ones.
#
Loqi
[thejustinwalsh] catchy-links: A catchy link shortener for more memorable urls
#
[Justin_Walsh]
DB == redis instance with write enable, upstash in this exact instance.
#
[Justin_Walsh]
Now that I have cloud storage of some sort, might as well add in some more valuable features, if even only for myself. I use multiple computers and hate leaving a sample on one computer vs the other.
tetov-irc joined the channel