#dev 2021-12-06

2021-12-06 UTC
Seirdy, KartikPrabhu, Prash, [schmarty], oodani, justSleigh, [fluffy]1, sayanarijit[d], tetov-irc, willnorris, [jeremycherfas], naaekluue`_numbe, P1000[d], [snarfed], [benji], grantcodes[d], [manton], [tantek], [jacky], [jeremyfelt], jjuran, balupton[d], doosboox, [KevinMarks], chenghiz_, IWSlackGateway, jeremycherfas, joshproehl, srushe, edburns[d], lahacker[d], kloenk, gerben, lanodan, benji, wrmilling, klez, BinarySavior, rattroupe[d], edgeduchess[d], daiyi[d], petermolnar, mikeputnam, feoh, sknebel, bneil, Ruxton, moose333, unrelentingtech, MarkJR84[d], eco, push-f, nolith2, Abhas[m], samwilson, LaBcasse[m], rrix, Allie, stevestreza and kogepan joined the channel
#
jamietanna[m]
Has anyone thought about setting up their IndieAuth server to be an OIDC provider so you can use it in GitHub Actions for something?
#
capjamesg[d]
What does that entail?
#
jamietanna[m]
It's primarily for cloud providers, where you want to deploy via GitHub actions but don't want to store long-lived credentials in the CI platform
#
capjamesg[d]
That is an excellent idea jamietanna[m].
#
aaronpk
Do they not require you have a GitHub enterprise plan or something? I feel like it's pretty uncommon for major players like GitHub to accept arbitrary Open ID providers except for enterprise customers
#
@dletorey
The awesome @iamchrisburnell has written a node package to cache #webmentions in @11ty so only the new webmentions are fetched each time and not all of them. #indieWeb https://chrisburnell.com/eleventy-cache-webmentions/
(twitter.com/_/status/1467793483083747328)
jamietanna joined the channel
#
sknebel
that's not having your site as an OIDC provider if I understand it right
#
sknebel
but your site using OIDC to verify a token is from Github
#
jamietanna[m]
Ah sorry yeah that's a good distinction
#
jamietanna[m]
+ correction :)
#
sknebel
having your site trust github is a lot easier for github to justify than github trusting your site :D or something like that
Seirdy joined the channel
#
jamietanna[m]
So it looks like this'll be fairly straightforward - it's up to us, on our sites, how to exchange the ID token for the access token, and gives control over what can be done with the token. Not sure if I can think of something right now that'd be useful to do this with 🤔
#
aaronpk
Oh no what are they doing ..
#
aaronpk
exchanging an ID token for an access token goes against all the rules of OAuth and OIDC
MrShaheer[d] joined the channel
#
jamietanna
As an aside aaronpk, looking forward to your talk at APIDays Paris :)
#
sknebel
aaronpk: as I understand it, an Actions run gets a token with claims about the run (e.g. which repo, who triggered it, ...), which can be given to other parties (like your site in this scenario), who then can validate it and can use the claims to decide which access to give to the build run
jamesg_oca and tetov-irc joined the channel
#
aaronpk
Sounds like maybe they've used JWTs and are calling it OpenID Connect? I'm gonna have to look into this more then
#
aaronpk
jamietanna: hope you enjoy the talk! I'm actually on vacation so I prerecorded it sorry 🙈
#
jamietanna[m]
All good ☺ I prefer prerecorded talks generally, and either way I know it'll be a good one!
#
jamietanna[m]
But maybe they're using it over just "a JWT" to make it easier for libraries to say they support it?
#
aaronpk
also I messed up the recording of my first take of the talk so hopefully the second take is better :-)
#
vikanezrimaya
since when indieauth has PKCE? >.< I'm currently implementing client sign-in for private feeds
#
vikanezrimaya
that definitely wasn't in the spec last time I implemented it
#
aaronpk
vikanezrimaya: this might be a useful post to review! https://aaronparecki.com/2020/12/03/1/indieauth-2020
#
Loqi
[Aaron Parecki] IndieAuth Spec Updates 2020
#
vikanezrimaya
aaronpk: thank you
#
@katebevan
Dear God. If you needed another reason to stop using SMS for two-factor authentication, this is surely it. https://twitter.com/jamesrbuk/status/1467782665206214657
(twitter.com/_/status/1467790845260750854)
#
aaronpk
i don't really see what that has to do with 2FA
#
vikanezrimaya
<aaronpk> "i don't really see what that has..." <- then you're probably using 2FA properly, without SMS 🤣
#
GWG
vikanezrimaya: We may have more spec adjustments coming soon also... after two sessions this summer.
#
vikanezrimaya
eh, PKCE was just two imports and 7 lines of code to generate
Ramon[d] joined the channel
#
vikanezrimaya
now I have to debug endpoint discovery because it doesn't work :c
#
vikanezrimaya
I even for a moment thought it was my implementation at fault and tried to run the discovery algorithm on aaronpk's website
#
vikanezrimaya
nah, didn't work
#
vikanezrimaya
does anyone publish their IndieAuth authorization_endpoint in a Link: header? I need to test it out with a wild implementation
#
vikanezrimaya
oh, nevermind, aaronpk does
#
vikanezrimaya
and it didn't work still
#
GWG
I've been wondering, a year after we made PKCE mandatory, if I should stop letting it be optional on my implementation
#
vikanezrimaya
I wonder if I should make PKCE mandatory in my implementation when I start making it
#
GWG
After a year, maybe
#
vikanezrimaya
(it'll happen somewhere at the start of 2022 or slightly earlier)
#
GWG
The alternative is that you flag it on the Consent Screen
#
GWG
I currently show a lock if there is PKCE
#
GWG
I may switch to showing a warning if there isn't first
#
GWG
Go the way browsers did for https
#
vikanezrimaya
Good point, I should probably do that
#
capjamesg
I think I show the link header vikanezrimaya.
#
Loqi
capjamesg: [chrisaldrich] left you a message on 2021-08-25 at 3:05pm UTC: I notice in your line width post you've got some CSS that targets the `e-content` microformat. Experience (especially in WordPress and other large, shared code bases) has shown me that it's better practice to add another class at the same level to target for CSS and display and let the microformats only serve a semantic function. There's nothing functionally wrong with it, but it's a small thing that's worth
#
Loqi
capjamesg: [chrisaldrich] left you a message on 2021-09-07 at 11:10pm UTC: you're looking for a fun micropub related server project outside of just for your own site, I've always thought it would be fun to build a brid.gy like micropub service (perhaps using Granary as a translation layer) that would take a feed input (RSS, Atom, h-feed, JSON feed, etc..) from silos and create a micropub post to anyone's site as a means of universal PESOS to a variety of indieweb sites.
#
capjamesg
GWG I show a message in a green box if the request is sent via PKCE. Otherwise, I show a notice that says the site does not support PKCE.
#
capjamesg
I hadn't thought about making it mandatory. All of my own services support PKCE I think.
#
capjamesg
Yep. I have a few link headers you can play around with vikanezrimaya :)
#
GWG
capjamesg: Eventually, you want to close the loophole
akevinhuang joined the channel
#
vikanezrimaya
why the heck is `Set-Cookie` not working
#
vikanezrimaya
I do `Set-Cookie` on a 302 redirect and it is not working
#
vikanezrimaya
is it too long?...
#
vikanezrimaya
...634 characters
#
vikanezrimaya
SameSite=Strict hides cookies on redirects!
#
vikanezrimaya
turns out DevTools has a cookie explorer that can show cookies that are hidden due to security requiremenets
#
vikanezrimaya
s/requiremenets/requirements/
#
Loqi
ok, I added "https://www.sqlite.org/mostdeployed.html" to the "See Also" section of /SQLite https://indieweb.org/wiki/index.php?diff=78174&oldid=77819
#
sknebel
I know which HN thread you just read :P
#
capjamesg
I didn't read the thread. Should I?
#
capjamesg
I just saw it on the home page :)
[jgmac1106] joined the channel
#
[tantek]
good article [KevinMarks]++
#
Loqi
[KevinMarks] has 16 karma in this channel over the last year (46 in all channels)
#
[tantek]
what are security codes
#
Loqi
It looks like we don't have a page for "security codes" yet. Would you like to create it? (Or just say "security codes is ____", a sentence describing the term)
#
[tantek]
security codes are /MFA
#
[tantek]
aaronpk ^ that's what it has to do. "security codes" are a more user friendly term for 2FA. See also screenshots in the article: https://www.thebureauinvestigates.com/stories/2021-12-06/swiss-tech-company-boss-accused-of-selling-mobile-network-access-for-spying
#
aaronpk
right but what does selling access to cell phone data have to do with being a SMS provider for sending security codes?
#
aaronpk
in other words, it's possible to sell access to that data independently of sending SMS codes
#
[tantek]
when it's the same *person* with access to the data, and financial incentive to do so, the proper capitalist incentive assumption is that it *is* happening unless proven otherwise
#
[tantek]
also, read the article: "In at least one instance, a phone number associated with a senior US State Department official was targeted in 2019 for surveillance through third party use of Mitto’s systems, according to documents reviewed by the Bureau and a cybersecurity analyst familiar with the incident"
#
aaronpk
is the implication that the company has special access to the carriers because of their business of sending SMSs?
#
[tantek]
given that it was apparently a hard problem for big tech companies with plenty of $, I'd say yes
#
[tantek]
"special access" that money alone was unable to directly purchase
#
[tantek]
frankly, given the government owned/managed aspect of how telcos typically work, I wouldn't be surprised if the surveillance was actually baked into the deal for access
#
[tantek]
yeah you can send SMS on our networks, if you provide us with surveillance services across other networks
[Joe_Crawford] and [jacky] joined the channel
#
[jacky]
question: let's say I'm making something like indiebookclub or some sort of aggregation place that has permalinks to content
#
[jacky]
if I visited said place (which involves me signing in and giving it access to my site); what would be a "IndieWeb-y" way to allow them to show information like things I've liked or bookmarked?
#
[jacky]
What I'm thinking is to take a social-reader-esque approach and upon visiting, to query for said info from one's Micropub server
#
[jacky]
_but_ I'd like to be able to compose such a list in advance. I wonder if this is up to the visitor to do
#
[jacky]
the _actual_ thing I'm thinking about is mimicking something like Wordpress' theme gallery and how it can show you your rating and what not from your installation/site
#
[tantek]
jacky, I'd say less work, less protocols, less APIs
#
[tantek]
in particular, replace "query for said info from one's Micropub server" with "query for said info from one's public feeds"
#
[tantek]
"show information like things I've liked or bookmarked" -> your discoverable post archives
#
[tantek]
HTTP + HTML + h-feed + h-entry + PTD (for "liked or bookmarked")
#
[jacky]
hm okay
#
[jacky]
I think that's doable if instead of asking on the fly - I can instead maybe listen for an incoming Webmention from one's site and use PTD there to determine if it's a like or bookmark of an item
#
[tantek]
if an aggregator is interested in "listening" to a source on an ongoing basis, then it should use WebSub to get notifications of new posts
#
[jacky]
definitely!
#
[tantek]
jacky, while you're here, re-asking because I missed if you answered, was the new WordPress theme with mf2 you asked about last week meant for anyone to try using? i.e. would it be ok to link to it as a gift in the IndieWeb Gift calendar?
#
capjamesg
What is microsub extensions?
#
Loqi
It looks like we don't have a page for "microsub extensions" yet. Would you like to create it? (Or just say "microsub extensions is ____", a sentence describing the term)
#
capjamesg
GWG Are there any proposed Microsub extensions that are mature?
#
[jacky]
it's for my partner! I actually plan to write something about it (with her permission) when it's ready but it would essentially be a gift, yeah!
#
GWG
capjamesg: No, because the spec is not finalized
#
GWG
It's classified as early
#
capjamesg
Oh, of course :facepalm:
#
GWG
Same process, but it would enter the spec
#
[tantek]
jacky, since you're saying "when it's ready" I presume that means not yet, so won't link to it. Hopefully for another day this month!
[chrisaldrich] joined the channel
#
capjamesg
I had the same code copied over at least three different services and thought it was time to finally make it into a library. It's small but incredibly useful for me.
#
Loqi
[capjamesg] python-indieauth-helpers: IndieAuth authorization and callback helpers written in Python.
#
[jacky]
hopefully! my 'deadline' is christmas itself 🙂
#
[tantek]
jacky++ 🙂
#
Loqi
jacky has 19 karma in this channel over the last year (64 in all channels)
#
[tantek]
capjamesg very close! per https://indieweb.org/2021-12-indieweb-gift-calendar#Considerations (which I'm now realizing could be more readable themselves) ...
#
[tantek]
What use-case does it solve for others?
#
[tantek]
In this case, can you state clearly what this code does for "an IndieAuth-compliant authentication flow" and vs what your own code still has to do?
#
capjamesg[d]
The usage section is a bit better at describing what the module contains.
#
[tantek]
description of its contents is not the same as "what problem does this solve"
#
capjamesg[d]
It’s two functions. One function returns any endpoints you need from a URL. The other does some callback work.
#
[tantek]
it needs a "Why" statement, beyond the What ("what the module contains"), or the How ("usage section")
#
capjamesg[d]
Problem? It takes away a lot of the repetitive code you might write when implementing a sign in flow.
#
capjamesg[d]
Yeah, the docs need work.
#
capjamesg[d]
I’ll be implementing it across all of my modules for endpoint discovery and callback management.
#
capjamesg[d]
A why statement would be a great idea.
#
capjamesg[d]
I’ll add one tomorrow!
#
capjamesg[d]
[tantek]++
#
Loqi
[tantek] has 24 karma in this channel over the last year (78 in all channels)
#
[tantek]
"a lot of the repetitive code" <-- sure, it's not clear *which* repetitive code it "takes away", and which code you still have to write
#
capjamesg[d]
Yep. I’ll add some docs to make that clearer.
#
[tantek]
awesome
#
[tantek]
the meta "why" here is that anyone looking at such a project / library needs to be able to (preferably quickly) evaluate whether it actually fits with both the specific problem(s) they are solving, and how they are solving it/them
#
capjamesg[d]
Indeed. This is my second Python package so forgive the docs.
#
capjamesg[d]
I would recommend the library for anyone who doesn’t want to write the code to get an HTTP / link header or who wants to validate a /callback response from a server.
#
[tantek]
yes that's much closer
#
capjamesg[d]
I’ll also add a “why not” section.
#
capjamesg[d]
There is already a library for protecting resources with IndieAuth verification and this is not it.
#
GWG
That reminds me, I have a gift waiting to drop...I just need a review
#
@TheGreenGreek
↩️ Also everything else was about performance and this was my "fun" talk about eleventy and webmentions :)
(twitter.com/_/status/1467934649120866308)
#
[tantek]
capjamesg[d], in looking deeper into the code, I'd suggest using URL instead of domain for the discovery function
#
[tantek]
in addition, the discovery function is also useful well beyond IndieAuth (e.g. Webmention, Micropub endpoint discovery) and thus is probably worth living in its own project
jjuran joined the channel
#
capjamesg[d]
Good call. I hadn’t thought about breaking that out as I use similar logic for Micropub and Microsub endpoint discovery in other places.
#
capjamesg[d]
I need to change a message too.
#
capjamesg[d]
(This is very preliminary. I don’t consider it released quite yet.)
jjuran joined the channel
#
[tantek]
I know this because I wrote a similar function (or set of functions IIRC?) in PHP 🙂
#
capjamesg[d]
Thank you for the feedback [tantek]++
#
capjamesg[d]
I really appreciate it!
#
capjamesg[d]
I could break out my webmention validation logic too. Oh, exciting!
#
capjamesg[d]
This has the potential to remove a lot of code from my services.
#
capjamesg[d]
While I’m at it, I wonder if I should turn my PTD code into a library.
PeterMolnar[m] joined the channel
#
[tantek]
such multipurpose (multi-protocol!) coding building blocks can be quite useful
#
[schmarty]
buildingblocks++
#
Loqi
buildingblocks has 1 karma over the last year
#
[snarfed]
capjamesg re feed-to-Micropub, check out https://snarfed.org/2015-01-22_pesos-for-bridgy-publish, feedback is welcome!
#
capjamesg[d]
I also have an authorship discovery implementation… but for now I’ll just work on getting the endpoint discovery function, which I’ll probably make its own package, working.
#
capjamesg[d]
[snarfed] good idea! I spoke about this briefly earlier in the year. It will be quite a bit of work and doesn’t suit my web use now. But I see the value.
#
[tantek]
capjamesg[d], yes authorship is very different, and I wouldn't technically call it "discovery", it's more like actual "determination" because at the end you actually have the information (authorship)
#
[tantek]
whereas with "discovery", at the end all you have is a URL to go get the information or do the thing, not the thing itself
KartikPrabhu and balupton[d] joined the channel
#
[KevinMarks]
Authorship inference?
#
capjamesg[d]
What is authorship discovery?
#
Loqi
It looks like we don't have a page for "authorship discovery" yet. Would you like to create it? (Or just say "authorship discovery is ____", a sentence describing the term)
#
capjamesg[d]
Ah, it’s called the Authorship Specification. I couldn’t remember the name.
#
capjamesg[d]
I like that phraseology [KevinMarks].
#
[tantek]
what is authorship
#
Loqi
authorship is how to indicate who the author is for a post, and an algorithm that determines the author of a post https://indieweb.org/authorship
#
[tantek]
don't make things more complicated than necessary, e.g. phrases when words will do
#
[tantek]
authorship discovery is /authorship
gRegor joined the channel
#
[tantek]
for the next time anyone suggests using XML to build something instead of HTML: https://www.adamhyde.net/one-enormous-step-at-a-time-now-jats/
KartikPrabhu1 joined the channel
#
capjamesg[d]
+1 re: phrases.
KartikPrabhu and kimberlyhirsh[d] joined the channel
#
vikanezrimaya
> Why is this a better solution than an XML editor? Well, the approaches I have seen where folks use an XML editor is that you must already have XML to load into it.
#
vikanezrimaya
this is why I was afraid of android-studio
#
vikanezrimaya
because it required XML for views (I didn't know back then that I could just create views completely programmatically, and Jetpack Compose didn't exist as Kotlin wasn't even developed yet)
tetov-irc, lanodan, kloenk and Seirdy joined the channel