#dev 2022-07-10
2022-07-10 UTC
jacky joined the channel
# @murtuza_surti Time to integrate webmentions into my blog syntackle! (twitter.com/_/status/1545973586233417728)
jacky, chee, [tw2113_Slack_], GWG, mro, geoffo and tetov-irc joined the channel
# vikanezrimaya IndieAuth question! The Spec says in the indieauth metadata some values are not optional, like `introspection_endpoint`, yet all examples consistently omit it. Is this an error in the spec or in the example?
# [Jamie_Tanna] Good spot vikanezrimaya that looks like an oversight and we should add it to the examples
# vikanezrimaya [Jamie_Tanna]: yay, I found an error!
# vikanezrimaya It looks like `introspection_endpoint` support is up to the implementation and only if it wishes to interoperate with external clients
# vikanezrimaya or, more likely, external server applications that serve clients and authenticate them using IndieAuth
# vikanezrimaya eh, the exact wording is best left to other people, I'm not good with words when I'm thinking about code
# IWDiscordGateway <AkatsukiLevi> Hiya
# IWDiscordGateway <AkatsukiLevi> Small question about IndieAuth, got interested in it
# IWDiscordGateway <AkatsukiLevi> I'm currently working on the development of a federated social network for roleplaying
# IWDiscordGateway <AkatsukiLevi> And i'm wanting to use IndieAuth for authentication
# IWDiscordGateway <AkatsukiLevi> So far as I understood, the only thing people have to input is their URL; in the case of this net, it could be the url to the profile (so for example, `akatsukilevi.covenfox.com`)
# IWDiscordGateway <AkatsukiLevi> let's say i'm not `akatsukilevi`, if i put this URL there would somebody else be able to login as me?
# IWDiscordGateway <AkatsukiLevi> Or is there something that is done to prevent somebody else authenticating as me?
# IWDiscordGateway <AkatsukiLevi> reading the docs now, I quite understood the gist of it
# IWDiscordGateway <AkatsukiLevi> reading the docs now, I quite understood the gist of it(yeah i'm dumb lol)
# vikanezrimaya @AkatsukiLevi (Assuming your federated social network is an identity provider) Since the burden of identity proof is on the identity provider, your federated social network is free to request any proof from whoever tries to authenticate as akatsukilevi.covenfox.com - for example, ask them to authenticate using their password.
# vikanezrimaya My own website, for example, will demand proof in form of WebAuthn authentication (using a security key or Windows Hello PIN to unlock an encrypted credential)
# vikanezrimaya Anyone who tries to authenticate as me will get redirected to my website, which will demand proof by asking me to authenticate with my security key - and if whoever tries to impersonate me cannot present this proof, they're out of luck
# IWDiscordGateway <AkatsukiLevi> So I can, for example, make a simple login form with local accounts
# vikanezrimaya I used a password in the past, so whoever wanted to impersonate me had to learn the password
# IWDiscordGateway <AkatsukiLevi> for example, `auth.covenfox.com` for people to login
# vikanezrimaya @AkatsukiLevi exactly! and on the IndieAuth, check if they're logged in and ask to log in, and then continue authentication with the identity of whoever logged in
# IWDiscordGateway <AkatsukiLevi> and then when they access someone's profile (eg: `akatsukilevi.covenfox.com`), if the profile is the one of the logged in account, it will have the rel-me
# IWDiscordGateway <AkatsukiLevi> otherwise it wouldn't have and auth wouldn't pass
# IWDiscordGateway <AkatsukiLevi> this is lit
# IWDiscordGateway <AkatsukiLevi> if it is someone accessing as normal, present public profile, if it is a login attempt, check if logged in and if not, redirect to login
# IWDiscordGateway <AkatsukiLevi> ayo this is easier than keycloak XD
# vikanezrimaya And for sites using IndieAuth as identity consumers (which means they allow logging in through IndieAuth), they trust the authorization endpoint to provide correct details, but verify that the authorization endpoint belongs to whoever tries to authenticate by checking if their profile page contains a link to it
# vikanezrimaya So, for example, if I want to log in on our IndieWeb wiki, it asks me for my URL, then redirects me to my authorization endpoint which asks me to present proof of my identity, and then the authorization endpoint gives the wiki the green light to log me in
# vikanezrimaya Depending on if you're an identity provider or an identity consumer, you will go with one of the two sides of this flow
# IWDiscordGateway <AkatsukiLevi> got it!
# vikanezrimaya (and I have to implement both... because I want others to be able to log in to my own website to view private posts)
# IWDiscordGateway <AkatsukiLevi> Same thing XP
# vikanezrimaya @AkatsukiLevi oh, so you want to support both internal identities and external ones
# vikanezrimaya that's not gonna be easy, but it will be extremely useful for your users
# IWDiscordGateway <AkatsukiLevi> I mean, the network is federated
# vikanezrimaya Ah, right... Yes, that makes a lot of sense
# IWDiscordGateway <AkatsukiLevi> Also got interested in the idea of using a website to authenticate
# IWDiscordGateway <AkatsukiLevi> Since my idea is to allow users to make their url profile `akatsukilevi.covenfox.com` into a literal website of their choice
# IWDiscordGateway <AkatsukiLevi> kinda like geocities/neocities
# IWDiscordGateway <AkatsukiLevi> i made a smol login page
# IWDiscordGateway <AkatsukiLevi> wait do images work correctly with the bridges?
# IWDiscordGateway <jacky> It might
# IWDiscordGateway <jacky> https://chat.indieweb.org/dev is the fastest way to check
# IWDiscordGateway <jacky> Yeah it did!
# IWDiscordGateway <AkatsukiLevi> It shows up as a link, nice
# IWDiscordGateway <AkatsukiLevi> This is cool af
# Xe is it normal for microformats json to be a pain in the ass to parse in Rust?
# vikanezrimaya Xe: I'm using the microformats crate, but it has a bug with implied properties which is tracked here: https://gitlab.com/maxburon/microformats-parser/-/issues/7
# vikanezrimaya For working with MF2-JSON in general, I just use serde_json and query fields manually
# vikanezrimaya It's easier in async code, because all of the `microformats` types are !Send + !Sync
jacky and mro joined the channel
# @gholk5566 Feels like webmention and mastodon could be combined one-directionally: links mentioned in toots could receive a notification that they were mentioned, if they support webmention.
Just write a crontab that periodically checks new toots for hyperlinks; but the other side has no way to mention back. (twitter.com/_/status/1546165471187087367)
rounin1 and jacky joined the channel
# vikanezrimaya IndieAuth spec question: why does the introspection endpoint require authentication? This seems restrictive if one wants to connect an external service to authenticate users using tokens, say, an external Microsub implementation like Aperture (side question for aaronpk: is Aperture updated to handle the new spec?)
jeremycherfas and jacky joined the channel
# jacky this might also have more info https://datatracker.ietf.org/doc/html/rfc7662#section-2.1
# vikanezrimaya If I was implementing a rogue client and wanted to mess around, I personally would try to send Micropub requests or attempt destructive actions and see how quickly my token gets revoked
# vikanezrimaya In any case, while reading related specs and registries I found that the introspection endpoint allows to use Bearer tokens as a method of auth
# vikanezrimaya GWG: Specifying "none" would go against section 6.1, quote: "The endpoint MUST also require some form of authorization to access this endpoint..."
# vikanezrimaya "none" is not some form of authorization in the sense that it implies there is no form of authorization required
# vikanezrimaya which is against section 6.1
# vikanezrimaya well that's technically a spec violation then 🤔
# vikanezrimaya more like "it's not a spec if nothing violates it"... though it's more of a bad spec than not a spec then
# vikanezrimaya Anyway I transcribed the whole IndieAuth protocol in Rust structs with strong typing: https://git.sr.ht/~vikanezrimaya/kittybox/commit/9ca0e358dc95e7358815886b061288f04a7d29af#kittybox-rs/indieauth
# vikanezrimaya I think that's a good first step for in-house IndieAuth
# vikanezrimaya It's also usable by clients! At least it should be and I probably will reuse it for a client
# vikanezrimaya now I will need to write the first user of that library, Kittybox's identity provider...
jacky joined the channel
# jacky ooh I see this note about using serde https://git.sr.ht/~vikanezrimaya/kittybox/commit/9ca0e358dc95e7358815886b061288f04a7d29af#kittybox-rs/indieauth/src/scopes.rs-1-43, you could cheat a bit I think with `#[serde(from="String")]` wherever you need to use it - to reduce the use of a derive ;)
# vikanezrimaya jacky: the Scopes type is probably the most complex type of this library, because Vec<T> is ordered, and I needed an unordered set that serializes to a string (because oauth2 is weird and requires scope to be a space-separated string)
# vikanezrimaya I basically implemented an unordered list on top of an ordered list and then manually implemented Serialize and Deserialize for it
# vikanezrimaya if it was Python i'd use a set but I kinda forgot how to do sets in Rust... probably could replace it with HashMap<Scope, ()>?
# vikanezrimaya Anyway, the fact that it uses Vec is an implementation detail and can be changed later
# vikanezrimaya checking a scope is O(n) and checking for multiple scopes is O(n^2)
# vikanezrimaya using HashMap<Scope, ()> could cut one `n` out of the complexity, turning it into O(1) and O(n) respectively
# vikanezrimaya serializing and deserializing a list to a string is such a pain that I even deemed it worthy of a unit-test
# vikanezrimaya It is in fact implemented in terms of HashMap<T, ()> so it's exactly what I was talking about above
# vikanezrimaya jacky: oh, prefixed scopes!
# vikanezrimaya nice
# vikanezrimaya I haven't seen the need for prefixed scopes for myself, but it's a nice addition to the system
# vikanezrimaya In any case, if a desired comparison is not provided, I have an escape hatch that allows me to get &[Scope] and inspect it myself
# vikanezrimaya Prefixed scopes could be implemented on top of that
[snarfed] joined the channel
# vikanezrimaya Honestly yeah, I don't see it as a big point for optimization
# vikanezrimaya Oops, I already found my first bug
# vikanezrimaya And it's already worthy to be called security issue!
# vikanezrimaya And that's why one should always write unit tests even if the code seems obvious
# vikanezrimaya I use a lot of unit tests on my storage backends to ensure they will never fail to read the data they wrote
[KevinMarks] joined the channel
jacky, [chrisaldrich] and [schmarty] joined the channel
# IWDiscordGateway <AkatsukiLevi> Aand guess what?
# IWDiscordGateway <AkatsukiLevi> It works
tetov-irc joined the channel