#dev 2022-05-16

2022-05-16 UTC
mlncn, nixer and nixer1 joined the channel
GWG
I need someone to tell me why this is a bad idea
gRegor joined the channel
gRegor
I'm working on IndieAuth token introspection and wondering best way to add authorization, since it's a MUST in the spec. https://www.rfc-editor.org/rfc/rfc7662#section-2.1 gives an example "using a separate OAuth 2 access token" but I'm not sure how clients would get that separate token?
gRegor
I could support the Authorization: Bearer header with the same token, but that doesn't prevent token scanning attacks
GWG
gRegor: I was contemplating that. You can use basic auth also
GWG
We deliberately didn't define how. I believe jamietanna uses basic auth.
gRegor
Clients don't have a username and password, how would basic auth work?
GWG
gRegor: But Introspection isn't for clients
GWG
It's for resource servers
gRegor
I don't understand that distinction then, I guess.
GWG
gRegor:
GWG
gRegor: Think Micropub endpoint vs Micropub client.
GWG
The endpoint is the resource server.
GWG
The thing that handles authenticated requests with the access token
GWG
Introspection is what it uses to get more info on the token
gRegor
Thanks, will dig into this more
gRegor
I guess I misunderstood, was thinking it was for clients to check if a token is still valid.
gRegor
Makes more sense this way though, when endpoints aren't tightly coupled
GWG
No, that's expressly what it isn't for. In fact, the auth was added to try to make it clearer that clients aren't supposed to use it
gRegor
Still not sure how a resource server would have a username/password though
GWG
We tabled that issue
GWG
In the sense we decided the spec does not have to explain that
gRegor
Well hmm. I'd like this ProcessWire module to theoretically support using different endpoints, but w/o knowing how to do the authz, may have to ship it without that for now
GWG
Mine is set to auth=none, for backcompat with the older version of the spec for now
gRegor
Does the WP IndieAuth module support it?
GWG
It does, but with no auth
GWG
So, I set introspection_endpoint_auth_methods_supported to 'none'
gRegor
Gotcha. I'll go with that for now.
gRegor
Is this on a test site? Didn't see it on your main site
GWG
No, on both
GWG
Where were you looking?
gRegor
david.shanske.com
gRegor
Not seeing `indieauth-metadata` in the source
gRegor
in a Link header, probably?
gRegor
Yep, there it is
gRegor
Now I'm wondering if it's a better idea to just not include introspection_endpoint.
gRegor
Spec doesn't say it's optional in the metadata, but it seems it's only a MUST if you're interoperating and not tightly coupled
gRegor
Seems safer to not have an endpoint out there where tokens can just be scanned
gRegor
Ah, it's optional in rfc8414
gRegor
Ok, I'm holding off on that for now. Interested to see what Jamie and other implementers think about ^^
cybi joined the channel
[snarfed]
gRegor: what's a token scanning attack?
[snarfed]
google only finds the scanning that hosting services like GitHub do to find and remove tokens checked into public code repos
gRegor
new to me, from https://www.rfc-editor.org/rfc/rfc7662#section-2.1. I think with an unauthorized endpoint, attacker could try brute forcing tokens
gRegor
Not defined there, just said "to prevent token scanning attacks"
[snarfed]
doesn't seem to make much sense, OAuth tokens generally have something like 32+ bytes of entropy, right?
[snarfed]
anyway, not a big deal
gRegor
true. good points in that mail archive
GWG
I think that's why our discussion was just to emphasize it wasn't for the client
gRegor
There's a small text change that could help with that: 6.2 Access Token Verification Response has "Clients SHOULD ignore parameters they don't recognize."
gRegor
Think that "Clients" should be "RS"
GWG
Open an issue on the spec...think that's worth discussing
gRegor
(not that that caused my confusion, hah. Mine goes back to earlier specs)
GWG
I'm skeptical of scanning attacks
Loqi
[dshanske] #99 Issuing Access Tokens for Introspection
[snarfed]
I've never even heard it called a "scanning" attack. generally brute force. regardless, agreed, very rarely, if ever, a meaningful vector in any threat model
GWG
That's why I just set it to none... but that's a choice
cybi, voxpelli, vilhalmer, bneil, jbove and mro joined the channel
cybi, [chrisaldrich], mro and jamietanna joined the channel
jamietanna
GWG gRegor, currently token introspection isn't auth'd, but I'll be moving to something like private_key_jwt instead of longer-lived credentials like basic auth, but basic auth with a per-client credential works too :)
jamietanna
^ my token introspection
jamietanna
The reason we'd want it is to be able to let your Micropub server verify tokens - in an out-of-the-box OAuth2 client - instead of using the old IndieAuth token endpoint (with a GET), which was being seen as used by Micropub Clients and Micropub Servers, which wasn't correct
nixer, cybi, tetov-irc and mro_ joined the channel
mro joined the channel
GWG
jamietanna: Someone said they used basic auth...if I'm misremembering and it wasn't you, wonder who it was.
GWG
I was hoping someone might have some thoughts on that idea I wrote up last night.
cybi, mro, mlncn, [tantek] and jacky joined the channel
jacky
interesting repo about AP
jacky
ActivityPub << [https://codeberg.org/fediverse/delightful-activitypub-development/ a repository of libraries and projects]
jacky, cybi, astralbijection[ and benji joined the channel
@wikipediachain
↩️ Parma > Chiesi Farmaceutici > Preterm birth > Cerebral palsy > General movements assessment > White matter > Hypothalamus > Periventricular nucleus > ISSN (identifier) > ISO 20121 > Whirlpool (hash function) > PDF/UA > Web Content Accessibility Guidelines > IndieAuth > XPath 3
(twitter.com/_/status/1526248702184148992)
jacky, cybi, mlncn, gRegor, mro and petermolnar joined the channel
GWG
[tantek]: Can I prevail on you? If anyone could tell me how wrong things might go...
GWG
You are good at dissection
[tantek]
GWG, while a bit more than a presence-query, could you consider instead going ahead and asking the community "how wrong things might go", and if you want my input in particular, feel free to @-name me afterwards as a "^" or "cc"
GWG
[tantek]: I did... yesterday...
[tantek]
there are plenty of folks here who are good at analyzing various things 🙂
GWG
A few times in the last day
GWG
Thought I'd ask specifically
GWG
I'd also hoped to get thoughts from people who implemented webmention syndication as well...
[tantek]
Hmm, I read that and I don't see a clear problem statement of what problem you’re trying to solve, so I'd suggest doing that first (writing up specifically what problem you're trying to solve, and if you're not sure, describing maybe an "ideal" in terms of user-actions and expected results — purely in terms of user actions, with zero mention of protocols)
[tantek]
describing the problem properly is often a big part of figuring it out, and I can't really help you with that, you have to pick apart and keep asking yourself why to understand what that is
GWG
[tantek]: Example is that person X, let's say me...wants to do a photo challenge or something similar. So, I want people to post on their own sites... but I want someone following to be able to subscribe to their posts as a feed...so I need to generate one....
GWG
So the idea is when they post for my challenge, they tell me so I can have the links to their submissions and someone can look in one place to find said list.
GWG
It's a reply, but it is different in the way a reply to an event is an RSVP, so I want it to behave differently
[snarfed]
tantek++, always starting with the problem is great advice
Loqi
tantek has 25 karma in this channel over the last year (78 in all channels)
GWG
I thought I described the problem
jacky, cybi, tetov-irc and [aciccarello] joined the channel