#Seb[d]I think that one is the newest iteration in trying to solve private feed fetching
#Seb[d]For example: you can (I hope it still works?) login to my site via IndieAuth and then see my ‘private’ checkins (I don’t check in that much atm)
#Seb[d]But those posts are not visible in any feed reader, because feed readers only fetch public feeds.
#Seb[d]Ticket Auth is trying to have some kind of token exchange so that I know your feed reader is you, so I can give it private posts I want to share with you.
#Seb[d]Complicated stuff because there are a lot of parties involved
kogepan and nertzy_ joined the channel
#ZegnatPretty much what Seb[d] said. The driver behind Ticket Auth is that the person who owns the private feed actually initiates.
#ZegnatSo instead of the reader knowing a feed is private and going out to request access, the publisher send the reader an invite (a ticket) that will get them access (an OAuth token) to a private feed.
#Zegnat(Or, wherever I said feed, read post/resource/...)
tetov-irc, kogepan and [fluffy] joined the channel
#[fluffy]Yeah Publ supports it fully, in theory, although there's still no readers that do the crucial last bit of “send the granted bearer token with the request”
#[fluffy]Publ’s security model is that it just sends a ticket grant to anyone who signs in by IndieAuth (because the token is granted to a user, not to a resource) so it should be pretty seamless… someday
#ZegnatI fully believe that is the way to go because it is the way that people find the most intuitive: tokens to identify people
#ZegnatI know OAuth thinks about tokens differently, and then there is the resource scoping and all that, which is nice to have support for. But I think for most IndieWeb usecases token = proof of identity is better conceptually
#[fluffy]Theoretically TicketAuth isn't even tied to IndieAuth although it's very difficult to imagine a world in which that is anything other than theoretical
#[fluffy]But like one could build an RSS reader that has a TicketAuth endpoint and then, say, Twitter starts to let people add arbitrary endpoints to their user profile
#ZegnatTrue. TickAuth can probably (and maybe should?) stand on its own as an OAuth extension, just like IndieAuth does. But I think there can be a difference in the technical truth of the spec and how the possible features are presented :)
#[fluffy]It's not gonna happen but it could. And when it does, Publ/Authl are ready for it
#[fluffy]TicketAuth isn't even tied to OAuth, it just happens to be OAuth-shaped
#[fluffy]I mean you can argue it's an alternate token grant flow for OAuth I guess
#ZegnatI think there is some gain in being able to say that TicketAuth is a new grant type for OAuth flows. But yeah, you do not need a full OAuth compatible setup to offer redeem tickets
#[fluffy]And right now TicketAuth is the only thing Publ supports in its token endpoint. Eventually I need to make that accept plugins for things like micropub or whatever though. Lots of circle-squaring needs to happen.
#[fluffy]I made a very simple page submission system for novembeat.com which exposed a lot of issues in how I was assuming that content updates work, and I'm now thinking the file watchdog is kind of a mistake. Or at least shouldn't run in production, and that production sites should be explicitly reindexed.
#GWG[fluffy]: With metadata in, the spec might switch to that for discovery
#[fluffy]Which spec? And what metadata? I haven't been keeping up with IndieWeb spec discussions lately.
#ZegnatIndieAuth is syncing up with the OAuth Server Metadata spec. Which enables an IndieAuth capable service to declare all its different capabilities and endpoint URLs in a single metadata file, which hopefully makes things easier on clients.
#[fluffy]Ah, cool. Although my pessimism is thinking, great, another thing that will be implemented in a Cartesian product of wrongness ;)
#[fluffy]But as long as traditional discovery remains a requirement I won't have to fix Authl (which, as a client, only cares about authorization_endpoint).
hendursaga joined the channel
#GWG[fluffy]: It will be deprecated, but it will likely be a long time before anyone removes it entirely
#[fluffy]“It” meaning traditional endpoint discovery?
#GWG[fluffy]: Yes. Eventually, people will stop putting in the two headers in favor of the 1 header
#[fluffy]I guess I should look into this spec change. What’s the tl;dr on it? Am I going to have to replace my simple flow of ‘fetch the page and then know the endpoint’ with ‘fetch the page and then fetch another resource to know the endpoint’?
#GWG[fluffy]: Yes, the flow will be, fetch the page, fetch another resource to know the endpoint. If the page doesn't have the new endpoint, fall back on the old endpoint.
#GWGBear in mind, we haven't finished the spec update yet. This has been merged, but a bunch of related changes are still pending.
#GWGSo, I'd say you could probably wait till it goes live at indieauth.spec.indieweb.org
#GWGThen you can implement the full range of changes
#[fluffy]I guess my big question is what does it save or make easier? like, the existing spec is already straightforward to implement, and the cost of adding an additional HTTP header or <link> element is trivial and involves less overhead than issuing an entire additional HTTP transaction.
#GWGBut the metadata endpoint will allow adding of additional endpoints without having to add headers
#[fluffy]but as long as it isn’t using .well-known I guess it’s not the worst thing to happen :P
#ZegnatIt is mostly that. Instead of having people put up <link> elements for discovery of authorization endpoint, token endpoint, ticket endpoint, introspection endpoint, it will just be a single <link> element for the metadata.
#Loqi[aaronpk] #43 Consider using OAuth Server Metadata
#GWGAlthough it mentions you can use well-known for compatibility with stock OAuth2
#ZegnatAlso means that users of an external service like a future indieauth.com-like thing only need to have the one link, and the service can continuously evolve its capabilities
#GWGIndieAuth metadata adopts OAuth 2.0 Authorization Server Metadata [[RFC8414]], with the notable difference that discovery of the URL happens via the IndieAuth link relation rather than the <code>.well-known discovery</code> method specified by RFC8414. For compatibility with other OAuth 2.0 implementations, use of the <code>.well-known</code> path as defined in RFC8414 is RECOMMENDED but
#[fluffy]oh god i thought i was only joking about well-known
#aaronpkIt doesn't require well-known because we have a better discovery method
#[fluffy]so now there’s three potential mechanisms for discovering the endpoints, of which one is required, one is deprecated but still needs to be supported, and one is optional? that’s gonna be a mess.
#GWGjamietanna: You probably have the Introspection and revocation endpoints up and running already too.
#[fluffy]yeah. I suppose I can wait on even adding the metadata change until someone opens a ticket against authl because they tried to sign in with metadata-only and couldn’t.
#jamietannano revocation yet, but introspection yes
#ZegnatI am not even sure how that .well-known is supposed to help jamietanna. Because I can only find that if I already know your auth server is hosted on indieauth.jvt.me surely? Or do you have the same .well-known for www.jvt.me?
#GWGI just wonder when I should deprecate old IndieAuth features
#jamietannaThat helps due to the OAuth Server Metadata spec, where knowing my `issuer` is `https://indieauth.jvt.me` allows discovery of the metadata
#GWGFor example, when should we stop supporting interactions without PKCE?
#jamietannaBut I have `rel=indieauth-metadata` for IndieAuth purposes :)
#ZegnatAh, I guess that makes sense. If I somehow already have the issues information that is all I need for the lookup. Did not thin kabout that
#ZegnatGWG: whenever you want? Your logs might be able to show you what percentage of calls without PKCE you still get in the wild
#GWGZegnat: I don't think I'm logging it, but I might start
#ZegnatIt could be interesting if aaronpk could see from indielogin how much is PKCE-less. As I guess the majority of IndieAuth traffic goes through there for indieweb.org
#Seb[d]Curious: why is is `indieauth-metadata` and not `indieauth_metadata`, like the old `authorization_endpoint` and `token_endpoint`?
#Loqi[Zegnat] #17 Link relations in HTTP Link header conflict with RFC 5988.
#Seb[d]Zegnat: makes sense that it was an old spec somewhere and you found it 😅
#ZegnatIt is not actually a problem, because HTTP itself obviously allows underscores in headers. And it looks like nobody bothers to validate Link headers specifically.
#ZegnatBut for compliance sake, we now have the chance to fix it
hendursaga joined the channel
#[fluffy]basically which thing do you want to be inconsistent with
#GWGI just adjusted Ticket auth to note that the ticket endpoint should be discovered in Indieauth metadata, noting the previous option as deprecated. Being as Ticket Auth is still early days, I don't think we have to keep compatibility.
#[fluffy]I’m somewhat surprised that underscores aren’t allowed in link headers but I guess it’s nice that the spec takes a stand. I generally prefer dashes to underscores anyway and I really dislike how many programmers default to underscores for everything, for reasons which usually boil down to “that’s what my compiler makes me name variables with”
#[fluffy]every now and then I come across a hostname with an underscore in it and I’m like… how is that working and how was this problem not caught at any of the myriad steps which were involved in setting this hostname up
#[fluffy]and then somehow it mostly works until it doesn’t, and then people think the problem is on my end that whatever random thing isn’t able to support a spec-violating hostname
#Seb[d]Yea Vim sees `bla_bla` as one word and `bla-bla` as three. But oh well, in this case I can just `ci"` to change it in one stroke anyway.
#[fluffy]so wait link headers don’t support _ but what about HTML rel attributes?
#[fluffy]like, I thought that those were supposed to be one and the same?
#ZegnatThey are not. WHATWG accepts any string, treats it as any text attribute value ever
#ZegnatI don’t think the HTML spec ever references the HTTP Link spec when talking about <link>
#Zegnat> Links are a conceptual construct, created by a, area, form, and link elements, that represent a connection between two resources, one of which is the current Document.
#[fluffy]yeah i was just perusing that, didn’t find that specific section but the description of rel is just that it’s case-insensitive and space-delimited
#[fluffy]and I don’t see any mention of dashes or underscores, but I do note that all of their listed known rel types (which is non-normative/non-exhaustive) all use dashes.
#[fluffy]well, rather, the one listed one (dns-prefetch) does.
#ZegnatHonestly it is fine that HTML is not following HTTP specs. But for our usecase where we want it to be i both places that makes it a little more restricted
nsh joined the channel
#ZegnatAnd even then only if you really want to conform to the HTTP Link spec, which the last years have shown we do not need to do to have it work. But conformance is nice to have anyway
#[fluffy]I mean, it seems to me like the whole point to HTTP Link is to support <link> on things that aren’t HTML, so shouldn’t they have rel-equivalence?
#[fluffy]My mental model is probably oversimplifying though
#[schmarty]GWG: i find that issue very hard to understand. (the description literally just references two other things by number: "as proposed in #82 to address #83"
#[schmarty]maybe the description could be updated to explain how this feature would be used and at least one real world use case?
#[schmarty]having read over the PR i could _really_ use some examples.
#[schmarty]maybe i should add my questions to the PR discussion 🤔
#ZegnatI still find resource and/or realm scoping tough to discuss, and that is after reading up on it a lot. It does not help that I am not sure we have ever seen a real world need for them yet in our implementations
#ZegnatBut I am still not sure if there was a direct need, other than wanting to scope scopes to the correct endpoints, which with the scopes we are currently used to may not even be needed yet.
#ZegnatWhich is why I think the real world example thing might be a little hard
#[schmarty]GWG: not sure i have found where you gave the definition. can you drop a link here?
johs1 and barryf[d] joined the channel
#[schmarty]aaronpk++ 1000% agree that Resource Indicators needs some real-world experimentation and spec-ing out as an extension before it becomes part of the spec
#Loqiaaronpk has 34 karma in this channel over the last year (117 in all channels)
#Loqi[martymcguire] I have a few questions about how this would be used:
1. The language so far in #96 covers how an IndieAuth client can include `resource`s in an authorization request, but doesn't mention any mechanism for discovery of resources. Some examples:
...
#GWGTo quote 2020 aaronpk : So the idea with resource indicators is it's a way for the client to tell the authorization server, "I only need an access token to go and talk to this particular resource server, and I'm never going to bother sending it to any of these other ones."
#ZegnatIf a token has unscoped scopes, I guess in higher security cases you would drop the scope.
#GWGZegnat: But it is still a implementation detail, not a spec issue
#ZegnatWhile in low security things you can assume that the scope was meant for you even without the resource specified
#GWGThat's the counter argument to [schmarty]'s concerns. His server can keep working the way it always did.
#ZegnatJust thinking out loud on what to do if someone only sends 1
#jamietannaSorry, I meant on the Resource Server side, I'll be validating both `scope` and `resource` in the token
#GWGFor me, if you only request scope, I'd probably issue scope, and then restrict the token by default to the resource that scope reflects, if I only have one resource using it.
#GWGAnd if it has no scope, I'll work purely on the resource.
#ZegnatIs there still a need for resource if no scopes were requested?
#jamietannaHmm, I guess that'd commonly be the case of "I want to read this single resource / feed, please"?
#Loqi[dshanske] #105 Discuss Creation of a User Info Endpoint Extension
#GWGA place to ask for the profile return we already outlined, outside of the interaction.
#ZegnatHmm, I guess that is some sort of usage narrowing then. A token without scopes does not grant you any priveledges. So it to me maps to an identity token. If the token does nothing other than showing your identity to me, I am not sure I will ever care on which URL you are telling me your identity. So I guess I wouldn’t immediately think to get a resource associated with it.
#ZegnatBut there is some sort of security there, I guess, if you have a token that can only identify who you are to 1 place it cannot be stolen and used against other URLs.
#GWGZegnat: A token under this can now have either scopes, resources, or both, but not neither
#GWGSo, you can either say that the token can give you permission to do X, or access to Y, or both permission to X and access to Y
#GWGBut your permission to X is now limited to access to Y, assuming the scope could apply to multiple resources
#ZegnatI get that. Just trying to figure out why I would care, or if it is still fine to issue tokens with neither
#GWGIf you request no scopes, then no token should be issued.
#GWGThe PR changes it to if you request neither scope nor resource, no token should be issued
#GWGBut we settled your issue of an identity token with the profile scope
#ZegnatJust trying to get the indieweb reasons sorted in my head, hehe
#GWGWe clarified your question on that. You can issue a token with just a profile scope
#GWGThus the creation of a user info endpoint, which we discussed and I just remembered lacked an Issue/PR
#GWGPrivate posts have been an issue because we've tried to solve all aspects at once. This would address the issuance of a token to read private posts... with the getting of said token being a separate issue
#GWGI'm working on Microsub right now, and it will support using tokens from a ticket Auth store when I'm done.
#[schmarty]I still think `resource` adds more confusion than it alleviates in most cases. It creates a lot of options that are currently implementation details. If a Micropub endpoint implementor and a Micropub client implementor make different choices they can become incompatible
#[schmarty]Like in jamietanna's case where his Micropub endpoint requires both scope and resource to match - a Micropub client won't work for his site unless it knows to ask for that resource
#[schmarty]To be backwards compatible his auth/token server could add that resource as a default for compatibility, but that's an _internal_ detail and doesn't require `resource` as part of the spec at all
#[schmarty]So while `resource` is proposed as being optional in the spec, its existence creates muddy situations without a lot of guidance about when and why you'd use it and when you _would not_ want to use it
#GWG[schmarty]: Maybe we can address that in the language
#[schmarty]The TokenAuth case you laid out makes some sense, but you don't need `resource` to be part of the spec for my resource server to offer your whatever endpoint a token that only has access to specific feeds or whatever
#[schmarty]Those can be details internal to my resource/auth/token server
#GWGIt's the requirement for a scope that creates the question
#GWGIf we decide not to adopt resource as a parameter, we can amend the spec to note that if resource indicators are used by a server, they can be used in lieu or in addition to a scope
#GWGSo, for me,. minimum viable is a note and citation
#aaronpkthe key feature resource indicators adds is the ability for the client to tell the indieauth server where it plans on using the token. if that's not a useful property, then we don't need it
#aaronpkas [schmarty] described, the AS and RS can already do their own internal logic for limiting capabilities of tokens. this lets the client become part of that negotiation
#[schmarty]Looking forward to seeing some working interoperable implementations of this in an experimental fashion, leading up to maybe an extension to the spec 😅
#aaronpkwe are already effectively using "scope" as a resource indicator since we have a list of scopes that are agreed upon between clients and servers
#aaronpkso the question is, is that okay, and can we continue to expand that list to cover the new use cases we are talking about
#GWGThinking about it, ticket Auth doesn't require this flow
#GWGThe ticket auth flow has the resource parameter
#GWGI think I need to amend the Ticket Auth proposal to clarify then
#GWGSo, how can we do some proof of concept stuff? They say it takes two to tango...I could use a partner
#Seb[d]Hmm, the IndieAuth specs says: "Additionally, host names MUST be domain names or a loopback interface and MUST NOT be IPv4 or IPv6 addresses except for IPv4 127.0.0.1 or IPv6 [::1]."
#Seb[d]And further down: "The authorization endpoint SHOULD fetch the client_id URL to retrieve application information [...]"
#Seb[d]Is that a good idea if it can point to 127.0.0.1 / localhost? Sounds like the start of scary things.
#aaronpkthat was meant to be the exception of the "SHOULD" but yea should probably be called out explicitly
#Seb[d]I'm not good with spec-language. Is that a "... but MUST NOT fetch the client_id URL if the host name is IPv4 `127.0.0.1` or IPv6 `[::1]`."?
#ZegnatIs there any different between a client_id URL being local vs any other URL being local? If we allow loopbacks in other places, why not there? (Haven’t given it much thought other than this question. If I am being dumb, point it out!)
hs0ucy joined the channel
#sknebelI think it's generally a thing of "be careful with that"
#sknebelAlways unsure how much worth calling out explicitly vs general assumption for anything fetching from externally supplied URL
#sknebelI think we added some language to webmention about it too
#aaronpkthe big difference is we specifically have a recommendation to fetch that URL vs just redirect to it
#aaronpkand that fetching the URL is a upgrade from not fetching it, which is different than say Micropub where fetching it is the whole point
kimberlyhirsh[d] joined the channel
#Seb[d]at least the specs says that ports are not valid in the client_id... that keeps the risk of internal fetches smaller I assume.
jamietanna1, Seirdy and tetov-irc joined the channel