#dev 2021-11-05

2021-11-05 UTC
KartikPrabhu, nertzy_, strugee, alex11, Seirdy, hendursa1, [jgmac1106]1, IWSlackGateway, IWSlackGateway4, [tantek]1, moose333, kogepan and [Paul_Walk] joined the channel
# 09:59 
[Paul_Walk] ↩️ That has been precisely my experience too
schmudde, tetov-irc, capablecable[d], kimberlyhirsh[d], ralismark[d], sayanarijit[d], _hepphepp[d], System[d], indieweb-irc-bri, tracydurnell[d], Zegnat[d], marksuth[d], daiyi[d], akevinhuang, P1000[d] and shoesNsocks joined the channel
# 13:50 
@Cambridgeport90 ↩️ I'm also going to subscribe to your RSS feed, too. (You should make that interactive via the Webmention Wordpress plugin. That way you can get conversations started from across the web. being a writer and all...) (twitter.com/_/status/1456619674335125504)
kogepan_ and [jacky] joined the channel
# 14:53 
[jacky] schmarty: I ended up going with just tokens but I was thinking of storing the header value of 'Set-Cookie' and using that to send back as `Cookie`. After doing some reading, that proved to be a bit of a janky approach (even if I used SessionStorage)
# 14:55 
@justincox ↩️ The shortcut does not require Toolbox Pro, or any of the other Shortcuts enhancement apps. And I’ll have to look into the Webmention plugin, I’m not aware of it. Thank you! (twitter.com/_/status/1456635210662035460)
[schmarty] joined the channel
# 14:55 
[schmarty] jacky: it sounds like a weird approach! Like isn't that what the built-in browser cookie handling does? 😅
# 15:09 
[jacky] indeed! but it seems like doing that with XHR requests isn't compatible (which makes sense with the advent of JWTs and the like)
# 15:10 
aaronpk that definitely should be how it works normally with XHR too, you shouldn't have to do anything special
# 15:24 
[jacky] hm, I'm doing something _very_ wrong then
# 15:25 
[jacky] because I remember this working in other projects and at work
# 15:27 
[schmarty] is it a cross-domain request? could be CORS or a need to set a flag to allow sending credentials.
# 15:28 
[jacky] It technically is (from two localhost endpoints)
# 15:28 
[jacky] I completely forgot about CORS tbh
# 15:28 
[jacky] I'll try that tonight
# 15:28 
[schmarty] https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials maybe?
# 15:30 
[schmarty] CORS is definitely gonna interfere if it's two endpoints that appear different to the browser. you might also need the receiving endpoint to set a *`Access-Control-Allow-Credentials`*  header
# 15:31 
[schmarty] oh these docs are more comprehensive: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
# 15:31 
[schmarty] sometimes i miss the messy old days of pjax
# 15:32 
[jacky] I had `fetch` use `credentials: "include"` (which IIRC is the equivalent of withCredentials)
# 15:32 
[jacky] this looks like it might be it tbh!
# 15:33 
[schmarty] sounds like the right thing on the client side!
# 15:33 
[schmarty] i'd check to see if the endpoint is sending Access-Control-Allow-Credentials and then see if the endpoint is getting receiving a Cookie header.
# 15:35 
[schmarty] also lol i got my terminology messed up. i should have said sometimes i miss the messy old days of jsonp
# 15:38 
[jacky] ha
# 15:42 
[jacky] just want this indieauth server to get to a point where I can give people a binary to run and it does everything else
# 15:42 
[schmarty] jacky++ sounds rad!
# 15:42 
Loqi jacky has 17 karma in this channel over the last year (62 in all channels)
# 15:43 
[schmarty] with my recent forced updates of some sta(b)le nodejs-based indieweb projects on glitch I am once again back on my BS of "what if composable expressJS plugins for indieweb building blocks?"
# 15:46 
[jacky] heh that'd be perf
# 15:47 
[jacky] tbh something I want is to do some "preflight" work to generate cached mf2-json forms of pages on my site (and only update it if it notices a change in its caching values)
# 15:47 
[jacky] I could see something like that helping with rel=alt and clients that might not have a parser handy
# 15:54 
capjamesg[d] jacky++
# 15:54 
Loqi jacky has 18 karma in this channel over the last year (63 in all channels)
# 16:32 
[jacky] quickly tinkered with this during lunch and it def worked (the `Access-Control` headers)!
# 16:32 
[jacky] finally lol
akevinhuang joined the channel
# 16:38 
[schmarty] 🎉
joshproehl, [tw2113_Slack_] and schmudde joined the channel
# 17:42 
GWG !tell jamietanna Refreshed the introspection endpoint PR to utilize the metadata method for discovery
# 17:42 
Loqi Ok, I'll tell them that when I see them next
vtvg, KartikPrabhu and jamietanna joined the channel
# 19:22 
jamietanna Thanks GWG - I'll have a look
# 19:22 
Loqi jamietanna: GWG left you a message 1 hour, 39 minutes ago: Refreshed the introspection endpoint PR to utilize the metadata method for discovery
# 19:31 
GWG jamietanna: We got one PR in, I aim to get them all so we can write a celebratory blog post
# 19:35 
jamietanna That would be good :) Only minor tweaks on token introspection, so unless anyone has strong thoughts against it, that can go
# 19:39 
Zegnat I think this weekend might be the weekend I get back to my IndieAuth code. Anything specific I should make my focus, GWG?
# 19:40 
GWG Zegnat: We just added a metadata endpoint, but wouldn't suggest you deprecate the header links for the other endpoints yet
# 19:41 
GWG Returning the iss property in conjunction with that to prevent mixup attacks
# 19:41 
GWG Refresh tokens?
# 19:41 
GWG I don't know
# 19:41 
GWG Introspection?
# 19:42 
jamietanna Would be good to have another person using Introspection :)
# 19:49 
Zegnat I am very interested in Introspection, true, that might be my focus!
# 19:50 
Zegnat The more I have been thinking about the metadata the more I like it. It will be easier to build a thing completely separate from the website’s own engine if all people need to include is the one link in their head (or HTTP headers)
Seb[d] joined the channel
# 20:04 
jamietanna I'm glad we're doing it now, before we have too many endpoints, and we can have a while where both options are available, but hopefully we'll get clients supporting the new means to nudge people over
# 20:05 
Seb[d] what is Introspection?
# 20:05 
Loqi It looks like we don't have a page for "Introspection" yet. Would you like to create it? (Or just say "Introspection is ____", a sentence describing the term)
# 20:09 
Zegnat Seb[d]: https://www.oauth.com/oauth2-servers/token-introspection-endpoint/
# 20:10 
Zegnat It is where OAuth applications can ask for information about a token. Something that IndieAuth put on the token endpoint to solve.
# 20:25 
Seb[d] Ah, yes, I see. https://github.com/indieweb/indieauth/pull/94
# 20:25 
Loqi [dshanske] #94 Token Introspection
# 20:28 
Zegnat As long as we are not starting to gatekeep the simple flows, all standard OAuth behaviour we can get in is a win in my book
kogepan joined the channel
# 20:32 
jamietanna > gatekeep the simple flows
# 20:32 
jamietanna what do you mean by that Zegnat?
# 20:33 
Zegnat If for someone to write an endpoint that lets them login to the wiki, they need to setup multiple endpoint URLs following multiple OAuth specs, I feel like we failed the promise of the easy decentralised identity provider
# 20:33 
Zegnat If that makes more sense :)
# 20:35 
jamietanna ah gotcha, yeah that's fair - I guess with this it'd now be two endpoints instead of just one for that, but one "endpoint" can "just" be a static JSON file
# 20:36 
jamietanna Still, more complex than just one!
# 20:36 
Zegnat Yes, the metadata endpoint is a new one. But also not really? Because the metadata JSON could be hosted on the base authorization endpoint
# 20:40 
jamietanna Also true :)
# 20:48 
aaronpk Hopefully this makes it easier to set up since it's only 1 html tag now
# 21:11 
[schmarty] in some ways it is only pushing the complexity around
# 21:11 
aaronpk correct, hopefully onto the part that it's expected fewer people will build
# 21:12 
aaronpk we don't expect everyone to build their own indieauth server into their site, so it'd be great if adding an existing indieauth server to your site was as simple as possible
# 21:13 
[schmarty] possibly! this reminds me that i need to try and catch up on the last 2-ish years of iOS Shortcuts development and fix my IndieAuth- and Micropub- related shortcuts 😒
_wackycity[d], Saphire, astralbijection[, mackeveli_, benatkin, nsh, reed, LaBcasse[m] and diegov joined the channel
# 21:36 
GWG I need to write a PR for the revokation endpoint next
EvanBoehs[m] joined the channel
# 21:56 
Seb[d] [schmarty]: same boat here. Even Quill stopped working because my IndieAuth endpoint is too old
# 21:57 
Seb[d] so much to do before Düsseldorf
# 21:59 
Seb[d] ‘too old’ is probably ‘read the spec wrong years ago’ tbh
# 22:04 
aaronpk there have been a couple updates that might break, and i will admit with quill and others i have been on the more aggressive side of keeping up with the spec vs compatibility
# 22:10 
[jacky] getting people to understand rel=me is like trying to convince them that HTML exists and hasn't broke
# 22:10 
[jacky] (this is in relation to the bluesky group)
# 22:10 
[jacky] I want them to adopt rel=me mainly to make it easier to do Web sign-in\
jeremycherfas and daiyi[d] joined the channel
# 22:39 
GWG aaronpk: As a reference implementation, Quill should always be up to spec
Seirdy and tetov-irc joined the channel