#dev 2021-11-25

2021-11-25 UTC
tetov-irc, superkuh, akevinhuang2 and jjuran joined the channel
# 04:27 
micahrl[m] I got posting from Quill working with Interpersonal 😎 I didn't realize that the client sending the "me" value was optional and my code expected it. Ended up having to make some substantial changes bc Interpersonal supports multiple blogs at once, and I didn't have a way to determine the right blog for a given request right away, but now I do.
# 04:28 
micahrl[m] Needs a bunch more grit and polish, but I'm pretty happy that I got to see something new work today
kimberlyhirsh[d] and kogepan joined the channel
# 08:50 
jamietanna[m] <micahrl[m]> "I got posting from Quill working..." <- Nice one! That requirement was only added last year, when there were some significant changes to the spec, and some clients haven't yet updated, so that's likely why ☺
omz13_, omz13, rommudoh[m], nertzy__, tetov-irc, schmudde, [schmarty], chenghiz_, akevinhuang, ranuzz, squarepants and noobranu joined the channel; omz13_ left the channel
# 15:59 
capjamesg[d] How should one go about limiting resource access in accordance with Ticket Auth?
# 16:07 
sknebel not sure I understand the question
# 16:33 
GWG capjamesg[d]: Can you elaborate?
jamietanna joined the channel
# 16:38 
jamietanna[m] I think this would be based on Resource Indicators so you'd issue a ticket for a given set of resources
# 16:39 
GWG Ticket Auth outlines using a resource parameter
# 16:40 
GWG Resources aren't required for IndieAuth, but Ticket Auth needs them
# 16:47 
capjamesg[d] I am at the "Redeem the ticket for an access token" part of the Ticket Auth spec.
# 16:47 
capjamesg[d] I am going to save a "resource" value that I can decode in the JWT token.
# 16:47 
capjamesg[d] When someone actually uses the token, how can I know that they are using it for the intended purpose?
# 16:48 
GWG Well, I updated that to be more spec-like after the initial draft.
# 16:48 
GWG capjamesg[d]: You would verify whether the token had that resource in it?
# 16:49 
capjamesg[d] Yeah. I'm a bit confused though. I can verify what the resource is but how do I know that the client is requesting a resource that is permitted by the "resource" value and not something else?
# 16:50 
GWG The path is in the request.
# 16:50 
capjamesg[d] Oh, of course!'
# 16:50 
capjamesg[d] Ah, that was a silly question now I think about it.
# 16:50 
capjamesg[d] Thank you!
# 16:51 
capjamesg[d] GWG++
# 16:51 
Loqi GWG has 13 karma in this channel over the last year (78 in all channels)
# 16:51 
capjamesg[d] That might be useful to add to the spec.
# 16:51 
GWG capjamesg[d]: Any feedback on the spec overall?
# 16:51 
GWG I've been editing it lately, but not adding anything, just clarifying
# 16:53 
capjamesg[d] I am still in the early stages of implementing it. Overall, I understand what is being said but I do think more clarity on what I mentioned earlier re: verifying a token is allowed to access something would be useful. I know the IndieAuth spec doesn't lay out how to issue resource-limited tokens but I'd love to see more on that. I do need to look at the GitHub issue linked in the wiki page though. Again, I'm not far into this yet.
# 16:54 
capjamesg[d] Are there any other explored use cases outside of private feed fetching? That's my primary goal for supporting this spec.
# 16:55 
GWG Individual private posts
# 16:55 
aaronpk there's some level of detail that is not relevant for a spec, but would be more appropriate in an implementation guide
# 16:55 
aaronpk in general the spec should describe only things that are required for interoperability, not telling you how to make the inner working of your system work
# 16:56 
GWG capjamesg[d]: Are you doing the rel link or using metadata?
# 16:56 
GWG aaronpk: Speaking of which, I'm thinking of making implementing all the pending PRs in the IndieAuth plugin as my 2022 commitment
# 16:56 
GWG So, adding the new endpoints and noting the old ones will be removed in future
# 16:57 
capjamesg[d] Very true aaronpk.
# 16:57 
aaronpk that is a good goal! I should do the same :)
# 16:57 
capjamesg[d] An accompanying "how to get started with ticket auth" blog post would be useful, separate from the spec... But that's a whole other thing haha.
# 16:57 
GWG capjamesg[d]: We need people to work together to interop
# 16:57 
capjamesg[d] GWG I am going to use metadata, I think. Any pros / cons of metadata vs. rel?
# 16:58 
GWG capjamesg[d]: I think we should stop Rel before it starts.
# 16:58 
GWG The spec is early enough we can do that
# 17:00 
jamietanna capjamesg[d] remember that `resource` is an array of values :)
# 17:02 
GWG It's much easier than my Microsub work
# 17:03 
GWG Getting IndieAuth updated
nertzy_, schmudde and angelo joined the channel
# 21:33 
capjamesg[d] I agree re: rel.
Seirdy joined the channel
# 22:33 
Seb[d] I wrote a lot of tests for my IndieAuth endpoint today
# 22:34 
Seb[d] one more box to tick (PKCE) and then I'll look into Ticket Auth
schmudde joined the channel
# 23:25 
Loqi Seb has 4 karma in this channel over the last year (9 in all channels)
# 23:25 
Loqi testing has 3 karma in this channel over the last year (4 in all channels)
# 23:25 
[snarfed]1 Seb++ testing++
edburns[d] and tetov-irc joined the channel