#dev 2022-03-22

2022-03-22 UTC
jacky, ShinyCyril, kimberlyhirsh140, P1000[d], Pharalia, angelo, mro, cybi, tetov-irc, [schmarty] and edburns[d] joined the channel
jacky joined the channel
#
jacky
what is a group
#
Loqi
group in the context of the indieweb (also "indie group" or "indie groups") is a place where people can deliberately share content with each other, not necessarily on their own domain (though likely copied from via webmention etc.) https://indieweb.org/group
[snarfed]1, angelo, mro, baracurda, cybi and jacky joined the channel
#
[fluffy]
Just want to validate my thinking on something: If someone’s IndieAuth identity is https://example.com, and then they later get a TicketAuth grant as http://example.com, those identities shouldn’t be considered equivalent, right?
#
[fluffy]
Like I see it as the same issue as trying to log in as https://example.com and then having the IndieAuth endpoint return a me of http://example.com, which is also forbidden.
Ramon[d] joined the channel
#
sknebel
Yes, I don't see a reason to allow that
cybi joined the channel
#
jan6
imho they should be equivalent, simply because they are almost certainly the same site, but might just use different defaults, e.g. if you type in "mydomain.com" then it might assume https:// but you yourself might only use the http:// version (or vice versa)
#
jan6
ideally you'd only use one or the other, sure, but I don't think that a different protocol for the same domain should mean any difference, as it's most likely just a typo or mistake, but small enough to not really matter (and further on, if you make a http website, and sign on to stuff, and later on figure out how to set up https, why should you need to have two different accounts? and if you
#
jan6
set the http one to redirect, would you even be able to log in with that?)
#
[fluffy]
I’m much more interested in things being secure and consistent.
#
[fluffy]
If everyone has to start supporting various schema-upgrade (or in this case downgrade) mechanisms then you have to start to worry about everyone implementing it correctly
#
[fluffy]
Also strictly-speaking you can serve up different sites on http vs https, and misconfigurations happen
#
jan6
sure
#
jan6
but imho, the handling of "I didn't have https before, but I do now" should probably still be handled, so there's no duplicate abandoned account
#
[fluffy]
In this specific case, I have a user who was logging in via IndieAuth using the https URL, then was testing TicketAuth using the http URL, and then was surprised that the TicketAuth-granted bearer token didn’t have the same permissions/identity as the IndieAuth-granted bearer token.
#
[fluffy]
And when I pointed out this difference he insisted that the http URL was canonical, not https (even though his profile page and IndieAuth endpoint were both specifically making https canonical)
#
jan6
I don't really know how exactly it works internally, but maybe you could have a warning of "you've also used other-protocol:// url before, are you sure you're using the correct one?"
angelo joined the channel
#
[fluffy]
That’s not something that I’d be able to provide useful UX for in this situation.
#
[fluffy]
and also a hell of a lot of work for something that feels like an edge case.
#
[fluffy]
It’d be much better to have this formalized in a standard. I don’t personally care whether the standard says that identity URLs should be scheme-agnostic or not, I just care that it’s consistent and there’s something someone can point to to say “yeah this is okay” or “yeah don’t do that”
#
[fluffy]
If everyone makes up their own rules about how this stuff should work then we end up with a gigantic mess.
#
[fluffy]
The user who reported this issue is also on team “they should be equivalent anyway” FWIW.
cybi joined the channel
#
[fluffy]
And given how most (all?) IndieWeb standards consider the scheme to be part of the canonicalization of the URL and require a strict match, I don’t see why there should be an exception for this one case.
#
jan6
they should be, indeed, but more importantly, I've not seen any clear mention that they AREN'T, with a cursory glance
#
jan6
but sure, I guess it would make a mess after all...
#
[fluffy]
You have to dig in through the specs, but like IndieAuth is very explicit about this. Let me see if I can find it in the (admittedly hard to navigate) spec.
#
jan6
well, unless you're building your own program to handle the stuff, most people probably won't go around reading the specs
#
[fluffy]
… This is the #indieweb-dev channel
#
[fluffy]
literally about people building their own programs to handle the stuff
#
[fluffy]
and also about TicketAuth, which is a new-ish protocol that a bunch of us are trying to get established before it becomes a spec. All TicketAuth things are being newly-developed.
#
jan6
yeah but I mean @ the "why doesn't this work" confusion
#
[fluffy]
The person with the confusion is building his own TicketAuth stuff
#
jan6
oh, then yeah
cybi joined the channel
#
[fluffy]
And like I mean he’s totally right to get a TicketAuth token with differing URLs, but I’m trying to figure out if I’m right to treat those differing URLs as being different identities when it comes to *access control to private entries on my site*
#
[fluffy]
given that this is entirely about privacy and access control I think I’m right to require a strict match.
cybi and jacky joined the channel
#
[fluffy]
If consensus forms around identity URLs being scheme-agnostic then I would be fine with coding that into Publ’s identity layer but I’m not going to go through that work for something that I do not expect to be the consensus.
#
angelo
i'm literally going through a variant of this problem again right now for the umpteenth time
#
[fluffy]
Oh also Publ’s identity layer supports mailto: URLs as well, and theoretically could support any other scheme that could be used to verify someone’s identity. I’d really rather avoid context collapse.
#
jacky
[fluffy]: I try to resolve those URLs (to handle if someone didn't add a `s`) so no, in my case
#
[fluffy]
no which?
#
jacky
oh my fault - I meant yes that those would be equivalent but only if they resolve (when doing a HEAD/GET to get the 'final' URL) to the same thing
#
[fluffy]
I think my TicketAuth token flow should at least be looking at rel=“canonical” and make another request if there’s a mismatch
#
[fluffy]
that would have probably handled this situation better
#
angelo
so you'd be looking for a rel=canonical on the http pointing to the https?
#
jan6
that sounds like a good idea
#
angelo
for the case where there /isn't/ a redirect
#
angelo
after hand-drawing those IndieMark concentric cirlces and realizing that they're effectively overlapping pie charts i looked up a d3 pie chart recipe and got to work on a "scorer/validator" http://159.89.143.168:5010/
#
jan6
that's cool
#
jan6
aaaand immediately ran into unhandled stuff, lol
#
jan6
AttributeError: 'NoneType' object has no attribute 'get_data' and a traceback or whatever
#
angelo
early, early days.. just really wanted to get the rendering of the visualization working.
#
jan6
and it seems to have some early functionality too, which is cool
#
angelo
there's actually a lot of ground that can be covered here.. overlapping with tools like [webmention|micropub|indieauth].rocks but less speccy
#
angelo
i've added "http/https reconciliation" to the TODO list.. possible under the https://indieweb.org/IndieMark#security axis?
#
Murray[d]
angelo++ that's a cool POC
#
Loqi
angelo has 4 karma in this channel over the last year (6 in all channels)
#
Murray[d]
I'm intrigued what this means though:
#
angelo
it's only checking for a rel=icon.. need to have it check for a /favicon.ico
#
e-snail
angelo++ does the code live anywhere yet?
#
Loqi
angelo has 5 karma in this channel over the last year (7 in all channels)
#
sknebel
jacky [fluffy] I wouldn't take that canonicaliztion rule as "they are the same"
#
sknebel
[fluffy]: what is the flow in their case? they go to your site and put their URL in a form field which then triggers your site to send them a ticket?
#
sknebel
or how did this happen?
#
[fluffy]
This is the provisional TicketAuth request flow, where someone can make a POST request to my token endpoint with action=ticket_request&subject=http://foo.example and that initiates the ticketauth flow.
#
sknebel
ok, so s/form/API ;)
#
[fluffy]
yeah basically
#
[fluffy]
I mean I also have a user-visible form they can do that on as well, same diff
#
angelo
e-snail the backend code is still trivial, just parse the page for microformats. the visualization rendering is in the HTML source.
#
[fluffy]
Digging into this made me realize I’m also not properly canonicizing the case on domains, so example.com and Example.com are being treated as different, when IndieAuth’s spec explicitly says they should be the same
#
sknebel
hm, right, we dont really have the "get URL from redirects" rules anymore, so cant rely on that
#
[fluffy]
yeah, but in this case the person did have a rel=“canonical” on their h-card page.
#
sknebel
I was hoping to get by with stuff we have :D
#
[fluffy]
which I wasn’t respecting, but which is easy for me to respect
#
sknebel
i.e. fetch the http://, see that it points canonical to https://, fetch that, work off that?
#
sknebel
and only for http->https, or are we suddenly allowing more?
#
sknebel
I don't like that
#
[fluffy]
… ugh no actually adding in rel=“canonical” support is gonna be annoying
#
sknebel
and HTTPS needs to be involved for the actual endpoints either way
#
[fluffy]
right, but you can have a canonical http URL that has an https endpoint
cybi joined the channel
#
sknebel
https://indieauth.spec.indieweb.org/#differing-user-profile-urls I guess that is the most relevant bit of the main IndieAuth spec in a way, but doesn't really apply since we don't have a response telling us the right one.
#
sknebel
in principle we dont even want to start the initial lookup on HTTP if we can help it, since the lookup of where to send the token is security relevant
#
[fluffy]
Yeah differing user profiles are a different thing
#
sknebel
well its how indieauth resolves that problem
#
[fluffy]
IIRC the way we resolved that was allowing it as long as they both have the same endpoint?
#
sknebel
by having the endpoint as the source of truth and verifying
#
[fluffy]
looks like indieauth itself makes no mention of rel=canonical
#
sknebel
nope, not used for anything
#
[fluffy]
and so like Authl doesn’t support rel=canonical, but Publ’s TicketAuth implementation leans on Authl to do the endpoint discovery, and I don’t want to have to fetch the profile page again from Publ just to see if there’s a rel=canonical
#
sknebel
makes sense
#
[fluffy]
but I also don’t want to special-case this stuff in Authl, which I’m trying to keep agnostic of consumer (even though I think Publ is the only consumer at present)
#
[fluffy]
and Authl doesn’t handle TicketAuth either, because that’s very application-domain-specific IMO
#
sknebel
I'd be tempted to punt it for now
#
sknebel
play complicated games, win complications as prizes :D
justOkay and jacky joined the channel
#
jacky
feel free to use my site for testing: angelo! open to anything that I can do to help
bababb, mro and cybi joined the channel
#
Loqi
[fluffy-critter] #487 Canonicize user identity URLs
cybi and jacky joined the channel
#
jacky
[fluffy]++
#
Loqi
[fluffy] has 6 karma in this channel over the last year (27 in all channels)
strugee, mro, mro_, cybi, jacky and Seirdy joined the channel