#dev 2021-10-12
2021-10-12 UTC
# aaronpk i would think HTTP 400 "invalid_request" https://datatracker.ietf.org/doc/html/rfc6750#section-3.1
# [tantek] astralbijection, one of the use-cases for h-entry in blog posts is easier content recovery, e.g. any blog posts with h-entry that make it into the Internet Archive can be more semi-automatically recovered by parsing them with an mf2 parser, and then re-importing that structured content into a new CMS
# aaronpk oh hey i should reference oauth 2.1 instead :) https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-5.2.3
# astralbijection[ ah, i see
# astralbijection[ maybe i'll spread the indieweb/microformats/archiveable websites gospel to the other people in the club ;)
# [fluffy] I mean this wasn’t entirely about IndieAuth either, just like… generic use of bearer tokens. Which may or may not be obtained via IndieAuth in this case (like, with Publ you can get an auth token from any identity provider). But in any case, thanks. I was doing a 401 before but my handling of that was leading to a dumb bug in my implementation and I figured while I was fixing it I should verify I was using the right response code
# [fluffy] https://github.com/PlaidWeb/Publ/pull/467 in any case
ShinyCyril joined the channel
# micahrl[m] Whoa, I just made a working IndieAuth implementation 🤯. At least, indielogin.com and indieweb.org let me authenticate.
# micahrl[m] Took a lot of inspiration from Sellout Engine <https://github.com/unrelentingtech/sellout> and it was super helpful to get to study that code. I wanted something similar to that but not quite the same. I host my Hugo blog on netlify, and I wanted to keep doing that. I also wanted to be able to keep the blog up even if the indieauth app goes down. I'm using Flask behind Apache, while Sellout uses uwsgi somehow.
# micahrl[m] I called my system Interpersonal. Eventually I'd like to do micropub as well like Sellout Engine does. https://github.com/mrled/interpersonal/
# @mrled Little alpha release tonight: Interpersonal connects sites to the IndieWeb. Right now it just does IndieAuth. https://github.com/mrled/interpersonal (twitter.com/_/status/1447793038198247425)
# @mrled ↩️ As an aside, I think it would be cool to build a little Tor community with IndieAuth. Tor is actually nicer in some respects as you don’t need to pay for a domain name or bother with HTTPS and you can host from home. (Of course, you do have to set up Tor itself.) (twitter.com/_/status/1447793044477120512)
# @mrled ↩️ IndieAuth is pretty interesting. It lets you log in to supporting websites with your own website - sort of like “Log in with Facebook” except it’s your own domain, not tied to a third party. (twitter.com/_/status/1447793042056941569)
# micahrl[m] Hmm. I did not expect those tweets to show up here lol
Seirdy joined the channel
[chrisaldrich], ben_thatmustbeme and gerben joined the channel
# capjamesg[d] What should I be aware of if I decided to implement the IndieAuth spec?
# capjamesg[d] I have thought about setting up a provider. I know a few people here have (aaronpk, jamietanna, fluffy).
# capjamesg[d] My concern is that I don’t want to mess anything up.
# capjamesg[d] I need to read into it more. I have a little feeling that authentication mistakes are a whole lot worse than any other 😅
hendursa1 joined the channel
# capjamesg[d] I think I will start with the authorization endpoint 🙂
# capjamesg[d] This looks really helpful: https://indieweb.org/authorization-endpoint
# capjamesg[d] I now have a new project for when I return from vacation haha.
hendursaga and amcorrigal joined the channel
# unrelentingtech <micahrl[m]> "Whoa, I just made a working..." <- wow, I pretty much didn't advertise sellout anywhere at all, didn't expect it to inspire anything :D nice
# capjamesg[d] I am a bit confused about the role token endpoints ply.
# capjamesg[d] *play
# capjamesg[d] When does an authorization server interact with a token endpoint?
tetov-irc joined the channel
# capjamesg[d] Also, what is the easiest way to send an email from a web app? I’ll need to have some kind of email with code system so I can authenticate with my domain.
# capjamesg[d] I don’t really make use of other social networks so I am not thinking about implementing the full rel me with.
# capjamesg[d] *rel me auth
# unrelentingtech <capjamesg[d]> "I am a bit confused about the..." <- when the user clicks allow, they get redirected to the client with a temporary code. the client can exchange the code either with the authorization-endpoint to only verify it and maybe get profile info, OR with the token-endpoint to also get a token that can be used to access resources like micropub/microsub on the site
# unrelentingtech if the token-endpoint is an independent service, it would use the authorization-endpoint for the verification part
# unrelentingtech if they're all integrated they would just call the same verification function
# [KevinMarks] sending email is hard now, you pretty much need a pre-approved cloud service to do it, as the amount of crap you have to do to auth things is prohibitive
# capjamesg[d] That makes sense. So the token endpoint issues tokens for Micropub/Microsub.
# capjamesg[d] It’s annoying how difficult sending email is in an app.
# capjamesg[d] I might just implement rel me auth for socials then (Twitter).
# capjamesg[d] To save the trouble of adding an email verification service.
# [KevinMarks] you can use mailchimp or amazon to do it, but it is an extra thing to set up
akevinhuang joined the channel
# micahrl[m] <unrelentingtech> "wow, I pretty much didn't..." <- It was perfect for me - was having trouble understanding the spec without example code, and I’m more comfortable with Python than most other languages I’ve seen it implemented in. Thank you for publishing the code :)
# micahrl[m] <capjamesg[d]> "Also, what is the easiest way to..." <- You can do it without email or other social networks - the actual authentication part is left up to you. I just use a static code that is set at deployment time. No email, no other social platforms.
# micahrl[m] I share your concern about security though. I have never implemented an authorization system before and I have a lot of reading to do now that the proof of concept is working. I’m sure it needs some hardening.
# micahrl[m] That’s one reason I built it this way actually. I wanted to keep it separate from my statically hosted blog so that if I don’t have time to pay attention to my website for personal reasons for a while I can take down the endpoint but leave my content up.
# capjamesg[d] My site is static too so I’ll be running my endpoints elsewhere.
# capjamesg[d] I’ll start with the authorization endpoint and maybe look at token endpoints after that.
# capjamesg[d] I don’t think there is an official test suite yet which would help me harden my implementation when I start.
# capjamesg[d] Nevertheless, I’ll just read through the spec and supporting materials on the wiki 🙂
# capjamesg[d] I might just go for a static password then:
# capjamesg[d] And leave rel me auth and such for further down the line. I just want to dip my toe into this area without taking on too much too soon.
# capjamesg[d] How do you know whether to make a request to an auth or token endpoint?
# aaronpk depends on whether you are trying to get an access token, described here https://indieauth.spec.indieweb.org/#request
# [KevinMarks] are they likely to be renumbered?
# capjamesg[d] Thanks aaronpk. That is very helpful!
# capjamesg[d] Thanks aaronpk. That link is helpful!
KartikPrabhu joined the channel
# aaronpk a different conversation would be to switch to the new ietf script which makes these style pages https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-04.html
[jeremycherfas] and hs0ucy joined the channel
# unrelentingtech <capjamesg[d]> "And leave rel me auth and such..." <- you *won't* need rel-me auth if you're doing custom endpoints
# unrelentingtech rel-me auth is just what the indieauth dot com endpoint does, so anyone can very quickly get indieauth working with like zero effort (just adding rel=me links to supported services)
# capjamesg[d] unrelentingtech thank you for all of your help today!
# capjamesg[d] I haven’t even started coding yet but I have just had to get my head around things.
shoesNsocks joined the channel
# capjamesg[d] In that case I might just use a basic pass phrase auth for v1.
# capjamesg[d] And then maybe look into other methods of verification later.
# capjamesg[d] So: if password valid, authenticate as jamesg.blog. And then I’ll be shown the consent screen and continue with the flow.
# aaronpk GWG: it's this https://respec.org/docs/
[Justin_Walsh] joined the channel
# [Justin_Walsh] Super excited that WebAuthn is at ~90% now. Passwords are lame. 🙂
# [Justin_Walsh] I guess to clarify, supporting passwords and users is lame, maybe WebAuthn makes this easier and requires less effort from me to allow a user to have some kind of personal profile on a site / tool I build.
# [Justin_Walsh] Be careful of your wording, you can not re-write history here. Haha.
# [Justin_Walsh] Users are not lame, they are great. The problems that users have with passwords though.
# [Justin_Walsh] iOS just rolled out support for it in their webview, so now alt browsers and apps can use it in web based login flows.
# [Justin_Walsh] I think this is the moment where we see more adoption
# @DaanDebie ↩️ Interesting! Hadn't heard about Microsub yet! https://indieweb.org/Microsub I haven't even implemented webmentions yet, so will do that first at some point (twitter.com/_/status/1447970459841142791)
# [Justin_Walsh] Oh for sure, I get excited about the early days, to see where they go, how they fail, etc. So this is just an exciting moment for me where I think it may be worth trying it out and seeing how it works, what it does, etc.
# [Justin_Walsh] Ohhh IndieAuth, let me just try that one first. 🚋
# [Justin_Walsh] I already have keybase setup so seems compatible with the key from keybase for auth...
# [Justin_Walsh] I was just quickly glossing over the parts about rel-me and a pgp key to sign.
# [Justin_Walsh] https://indielogin.com/api
# capjamesg[d] I admit I have been confused by the naming on many occasions.
# capjamesg[d] Yep.
# capjamesg[d] I vow not to name my personal IndieAuth server IndieAuth.
# capjamesg[d] Maybe “jamesg-IndieAuth” 😅
# capjamesg[d] And rel me auth was until recently in my mind very associated with IndieAuth.
# capjamesg[d] Then I realized they are independent.
# capjamesg[d] Oh, absolutely.
# capjamesg[d] I have no doubt that was the right approach.
# capjamesg[d] I just got confused. Which is due to my not reading as much into IndieAuth.
maxwelljoslyn[d], hendursaga and kogepan joined the channel
gRegor joined the channel
# [Justin_Walsh] Well crap, now I am more confused. IndieAuth.com tells me to use IndieLogin.com, but then also says I may be looking for IndieAuth.net, I don't even know what I am looking for 🤷 I just don't want to use Auth-0, and stay in frontend land as much as possible. All the AUTH!!!!
# [Justin_Walsh] Provide a mechanism for a user of a site to login so that I can push and pull some data they want to store in redis.
# aaronpk this is the guide for you then https://aaronparecki.com/2021/04/13/26/indieauth
# [Justin_Walsh] 🙏
# [Justin_Walsh] I was url encoding the data and using localhost to make the site useful without a DB, but then I stood up a DB to shorten the long URLs to shorter ones.
# [Justin_Walsh] https://github.com/thejustinwalsh/catchy-links
# [Justin_Walsh] DB == redis instance with write enable, upstash in this exact instance.
# [Justin_Walsh] Now that I have cloud storage of some sort, might as well add in some more valuable features, if even only for myself. I use multiple computers and hate leaving a sample on one computer vs the other.
tetov-irc joined the channel