#dev 2022-05-16

2022-05-16 UTC
mlncn, nixer and nixer1 joined the channel
# 01:28 
GWG Anyone have any thoughts on https://david.shanske.com/2022/05/15/thinking-about-planets-and-challenges/
# 01:28 
GWG I need someone to tell me why this is a bad idea
gRegor joined the channel
# 01:34 
gRegor I'm working on IndieAuth token introspection and wondering best way to add authorization, since it's a MUST in the spec. https://www.rfc-editor.org/rfc/rfc7662#section-2.1 gives an example "using a separate OAuth 2 access token" but I'm not sure how clients would get that separate token?
# 01:35 
gRegor I could support the Authorization: Bearer header with the same token, but that doesn't prevent token scanning attacks
# 01:39 
GWG gRegor: I was contemplating that. You can use basic auth also
# 01:39 
GWG We deliberately didn't define how. I believe jamietanna uses basic auth.
# 01:39 
gRegor Clients don't have a username and password, how would basic auth work?
# 01:40 
GWG gRegor: But Introspection isn't for clients
# 01:40 
GWG It's for resource servers
# 01:41 
gRegor I don't understand that distinction then, I guess.
# 01:42 
GWG gRegor:
# 01:42 
GWG gRegor: Think Micropub endpoint vs Micropub client.
# 01:43 
GWG The endpoint is the resource server.
# 01:43 
GWG The thing that handles authenticated requests with the access token
# 01:43 
GWG Introspection is what it uses to get more info on the token
# 01:44 
GWG https://datatracker.ietf.org/doc/html/rfc7662
# 01:44 
gRegor Thanks, will dig into this more
# 01:45 
gRegor I guess I misunderstood, was thinking it was for clients to check if a token is still valid.
# 01:46 
gRegor Makes more sense this way though, when endpoints aren't tightly coupled
# 01:46 
GWG No, that's expressly what it isn't for. In fact, the auth was added to try to make it clearer that clients aren't supposed to use it
# 01:46 
gRegor Still not sure how a resource server would have a username/password though
# 01:49 
GWG We tabled that issue
# 01:52 
GWG In the sense we decided the spec does not have to explain that
# 01:52 
gRegor Sure
# 01:53 
gRegor Well hmm. I'd like this ProcessWire module to theoretically support using different endpoints, but w/o knowing how to do the authz, may have to ship it without that for now
# 01:54 
GWG Mine is set to auth=none, for backcompat with the older version of the spec for now
# 01:54 
gRegor Does the WP IndieAuth module support it?
# 01:56 
GWG It does, but with no auth
# 01:57 
GWG So, I set introspection_endpoint_auth_methods_supported to 'none'
# 01:58 
gRegor Gotcha. I'll go with that for now.
# 01:59 
gRegor Is this on a test site? Didn't see it on your main site
# 01:59 
GWG No, on both
# 01:59 
GWG https://david.shanske.com/wp-json/indieauth/1.0/metadata/
# 02:00 
GWG Where were you looking?
# 02:00 
gRegor david.shanske.com
# 02:01 
gRegor Not seeing `indieauth-metadata` in the source
# 02:01 
gRegor in a Link header, probably?
# 02:02 
gRegor Yep, there it is
# 02:09 
gRegor Now I'm wondering if it's a better idea to just not include introspection_endpoint.
# 02:10 
gRegor Spec doesn't say it's optional in the metadata, but it seems it's only a MUST if you're interoperating and not tightly coupled
# 02:10 
gRegor Seems safer to not have an endpoint out there where tokens can just be scanned
# 02:12 
gRegor Ah, it's optional in rfc8414
# 02:13 
gRegor Ok, I'm holding off on that for now. Interested to see what Jamie and other implementers think about ^^
cybi joined the channel
# 03:22 
[snarfed] gRegor: what's a token scanning attack?
# 03:22 
[snarfed] google only finds the scanning that hosting services like GitHub do to find and remove tokens checked into public code repos
# 03:24 
gRegor new to me, from https://www.rfc-editor.org/rfc/rfc7662#section-2.1. I think with an unauthorized endpoint, attacker could try brute forcing tokens
# 03:25 
gRegor Not defined there, just said "to prevent token scanning attacks"
# 03:25 
[snarfed] aha, yeah https://mailarchive.ietf.org/arch/msg/oauth/6En02o_TSsYOHiii2PyZVKF8MiQ/ implies it's a brute force attack too
# 03:26 
[snarfed] doesn't seem to make much sense, OAuth tokens generally have something like 32+ bytes of entropy, right?
# 03:26 
[snarfed] anyway, not a big deal
# 03:27 
gRegor true. good points in that mail archive
# 03:34 
GWG I think that's why our discussion was just to emphasize it wasn't for the client
# 03:38 
gRegor There's a small text change that could help with that: 6.2 Access Token Verification Response has "Clients SHOULD ignore parameters they don't recognize."
# 03:39 
gRegor Think that "Clients" should be "RS"
# 03:39 
GWG Open an issue on the spec...think that's worth discussing
# 03:40 
gRegor (not that that caused my confusion, hah. Mine goes back to earlier specs)
# 03:40 
GWG I'm skeptical of scanning attacks
# 03:41 
gRegor Aha, found https://github.com/indieweb/indieauth/issues/99 too. Nice.
# 03:41 
Loqi [dshanske] #99 Issuing Access Tokens for Introspection
# 04:34 
[snarfed] I've never even heard it called a "scanning" attack. generally brute force. regardless, agreed, very rarely never a meaningful vector in any threat model
# 04:35 
GWG That's why I just set it to none... but that's a choice
cybi, voxpelli, vilhalmer, bneil, jbove and mro joined the channel
# 06:20 
@triptych Webmention https://www.w3.org/TR/webmention/ (twitter.com/_/status/1526084573796282368)
cybi, [chrisaldrich], mro and jamietanna joined the channel
# 08:59 
jamietanna GWG gRegor, currently token introspection isn't auth'd, but I'll be moving to something like private_key_jwt instead of longer-lived credentials like basic auth, but basic auth with a per-client credential works too :)
# 09:00 
jamietanna ^ my token introspection
# 09:02 
jamietanna The reason we'd want it is to be able to let your Micropub server verify tokens - in an out-of-the-box OAuth2 client - instead of using the old IndieAuth token endpoint (with a GET) which was being seen as used by Micropub Clients and Micropub Servers, which wasn't correct
nixer, cybi, tetov-irc and mro_ joined the channel
# 11:07 
[KevinMarks] This sounds promising https://christine.website/blog/fly.io-heroku-replacement
mro joined the channel
# 11:26 
GWG jamietanna: Someone said they used basic auth...if I'm misremembering and it wasn't you, wonder who it was.
# 11:28 
GWG I was hoping someone might have some thoughts on that idea I wrote up last night.
cybi, mro, mlncn, [tantek] and jacky joined the channel
# 14:19 
jacky interesting repo about AP
# 14:22 
jacky ActivityPub << [https://codeberg.org/fediverse/delightful-activitypub-development/ a repository of libraries and projects]
# 14:22 
Loqi ok, I added "[https://codeberg.org/fediverse/delightful-activitypub-development/ a repository of libraries and projects]" to the "See Also" section of /ActivityPub https://indieweb.org/wiki/index.php?diff=81462&oldid=81189 
jacky, cybi, astralbijection[ and benji joined the channel
# 17:15 
@wikipediachain ↩️ Parma > Chiesi Farmaceutici > Preterm birth > Cerebral palsy > General movements assessment > White matter > Hypothalamus > Periventricular nucleus > ISSN (identifier) > ISO 20121 > Whirlpool (hash function) > PDF/UA > Web Content Accessibility Guidelines > IndieAuth > XPath 3 (twitter.com/_/status/1526248702184148992)
jacky, cybi, mlncn, gRegor, mro and petermolnar joined the channel
# 21:08 
GWG [tantek]: Can I prevail on you? If anyone could tell me how wrong things might go...
# 21:11 
GWG You are good at dissection
# 21:11 
[tantek] GWG, while a bit more than a presence-query, could you consider instead going ahead and asking the community "how wrong things might go", and if you want my input in particular, feel free to @-name me afterwards as a "^" or "cc"
# 21:11 
GWG [tantek]: I did... yesterday...
# 21:12 
[tantek] there are plenty of folks here who are good at analyzing various things 🙂
# 21:12 
GWG I did...this thing.... https://david.shanske.com/2022/05/15/thinking-about-planets-and-challenges/
# 21:13 
GWG A few times in the last day
# 21:13 
GWG Thought I'd ask specifically
# 21:13 
GWG I'd also hoped to get thoughts from people who implemented webmention syndication as well...
# 21:14 
[tantek] Hmm, I read that and I don't see a clear problem statement of what problem you’re trying to solve, so I'd suggest doing that first (writing up specifically what problem you're trying to solve, and if you're not sure, describing maybe an "ideal" in terms of user-actions and expected results — purely in terms of user actions, with zero mention of protocols)
# 21:14 
[tantek] describing the problem properly is often a big part of figuring it out, and I can't really help you with that, you have to pick apart and keep asking yourself why to understand what that is
# 21:15 
GWG [tantek]: Example is that person X, let's say me...wants to do a photo challenge or something similar. So, I want people to post on their own sites... but I want someone following to be able to subscribe to their posts as a feed...so I need to generate one....
# 21:16 
GWG So the idea is when they post for my challenge, they tell me so I can have the links to their submissions and someone can look in one place to find said list.
# 21:17 
GWG It's a reply, but it is different in the way a reply to an event is an RSVP, so I want it to behave differently
# 21:19 
[snarfed] tantek++, always starting with the problem is great advice
# 21:19 
Loqi tantek has 25 karma in this channel over the last year (78 in all channels)
# 21:20 
GWG I thought I described the problem
jacky, cybi, tetov-irc and [aciccarello] joined the channel