#dev 2022-05-29
2022-05-29 UTC
[dmitshur] joined the channel
# [dmitshur] Hello.
# [dmitshur] (The following started out as a clarification question about IndieAuth, but I pretty much found what I'm now confident is a definitive answer. Sharing anyway, and in case I made a mistake, correcting my understanding would be very helpful.)
# [dmitshur] The IndieWeb spec describes how the client creates the code challenge at https://indieauth.spec.indieweb.org/#authorization-request:
# [dmitshur] > `code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))`
# [dmitshur] > The client then creates the code challenge derived from the code verifier by calculating the SHA256 hash of the code verifier and Base64-URL-encoding the result.
# [dmitshur] The "Base64-URL-encoding" link was added in https://github.com/indieweb/indieauth/pull/92 and links to a base64 URL algorithm that omits padding.
# [dmitshur] I ran into a website with an IndieAuth implementation where I couldn't login with my site because it was sending me a code_challenge of unexpected length (44 bytes instead of 43). The extra character turned out to be a '=' from base64 URL encoding with padding. At first I thought I wasn't sure if maybe I should be allowing both, but looking into it more I realized both sides must agree exactly on whether padding is used or not when generating the code_challenge, otherwise during the "Server Verifies code_verifier before Returning the Tokens" PKCE step the "code_verifier == code_challenge" equality can never hold.
# [dmitshur] By now I see that https://www.rfc-editor.org/rfc/rfc7636#section-3 is very clear about what the "Base64url Encoding" term refers to: base64 URL encoding *without* padding:
# [dmitshur] > with all trailing '=' characters omitted
# [dmitshur] (Notably no "optionally" there! Yay for not having to support more than one thing!)
# [dmitshur] So if I got all this right, my code requiring the incoming code_challenge to be exactly 43 (not 44) bytes is sound and matches what the IndieAuth spec requires (indirectly, via RFC7636), and I should report the bug to the other side sending me a 44-byte code_challenge with a '=' at the end.
# [dmitshur] Thanks for confirming. Will do. The website is open source and I'll be able to send them a PR as well.
# [dmitshur] Hmm, I used slack to send my original multi-line message. I was curious how it shows up in non-slack clients (e.g. IRC), so looked at https://chat.indieweb.org/dev/2022-05-29#bottom. I see it split it up (that makes sense). But it also re-ordered the lines? That's unfortunate lol. (FWIW this was the original order: https://user-images.githubusercontent.com/1924134/170848231-0d4ff79e-bb30-4259-8dbc-f093e62afcd4.png.)
# [dmitshur] Good for me to keep in mind for the future.
GWG and cybi joined the channel
# @terinjokes I've restored minimal microformats2 support. I'm currently looking at if I should implement WebMentions. (twitter.com/_/status/1530756300002381825)
gRegor, alex11, lanodan, tetov-irc, cybi, cjw6k, [Murray], gxt and jacky joined the channel
# [dmitshur] > [...] I'll be able to send them a PR as well.
# [dmitshur] (Filed the bug at https://github.com/hacdias/indieauth/issues/8 and sent https://github.com/hacdias/indieauth/pull/10 to fix it.)
[chrisaldrich], chenghiz_ and jacky joined the channel
# [Chris_Lott] @seirdy I agree it would be much better, but it feels like a long way to get from here to there. I'll check your stuff out and see!
jacky, lanodan, tbbrown and cybi joined the channel
tbbrown, tlark, tetov-irc, cybi, jacky and [Scott_Jack] joined the channel