#dev 2023-07-07

2023-07-07 UTC
tei_ and tei_1 joined the channel
#
vladimyr gRegor: Terence Eden wrote about it on their blog https://shkspr.mobi/blog/2022/06/create-a-share-to-mastodon-button-for-wordpress/ but I'd actually advise you against using it because it is not very privacy friendly
#
vladimyr Thing with toot is that it reads params serverside which is bad because now you have IP address of actor and thing they want to share
#
vladimyr Better alternative is something that works like matrix.to and reads params from fragment portion of an URL never sending them back to server
#
vladimyr Here is such alternative https://github.com/Juerd/tootpick
#
Loqi [preview] [Juerd] tootpick: Link target for Mastodon "share buttons"
#
vladimyr Here is great guide how to add it to Hugo powdered blog: https://www.ii.com/hugo-mastodon-share-tootpick/
#
vladimyr ^ share url for that particular post: https://tootpick.org/#plustospace=yes&text=%22Create+a+%E2%80%9CShare%C2%A0on%C2%A0Mastodon%E2%80%9D+link+with+Hugo+and%C2%A0Tootpick%E2%81%A0%F0%9F%90%98%22%0Ahttps%3A%2F%2Fwww.ii.com%2Fhugo-mastodon-share-tootpick%2F%0A%23InfiniteInk+%23GoHugo+%23Hugo+%23Mastodon+%23Messaging+%23WebDev+%23By%E2%84%B5+%23ByNM
#
vladimyr Note the use of fragment
#
vladimyr There is even a comment from Tootpick author bellow that Terenece's article explaining rationale behind it -> https://shkspr.mobi/blog/2022/06/create-a-share-to-mastodon-button-for-wordpress/#comment-260358
#
Loqi [preview] Juerd
btrem, tei_, nicknickname, jjuran, Loqi__, eitilt and eitilt1 joined the channel
#
voxpelli Worrying to see eg Pixelfed seemingly adopting sign-in to the Mastodon API, won’t that lock people into specific instances and be distinctly worse from IndieAuth? https://mastodon.social/@voxpelli/110672074432225188
#
Loqi [preview] [Pelle Wessman] @dansup @pixelfed Is this using the non-standard #MastodonAPI or a standard like #IndieAuth or #OpenIDConnect? https://www.w3.org/TR/indieauth/
#
voxpelli Anyone tried to get IndieAuth added to Mastodon?
#
[KevinMarks] it's been suggested a few times https://github.com/search?q=repo%3Amastodon%2Fmastodon+indieauth&type=issues
tei_, tei_1, eitilt, [jeremycherfas] and nertzy joined the channel
#
aaronpk Ugh
[manton] joined the channel
#
[manton] Not clear to me what Pixelfed is building there… Is it a sign-in convenience or does it actually let you use Pixel features with a Mastodon instance?
#
[manton] Either sounds good. IndieAuth would be better, of course.
AramZS and geoffo joined the channel
#
voxpelli Have we discussed in IndieWeb how to use a personal account to do stuff on a third party site and have it be PESO:ed back?
#
voxpelli If I go to a Lemmy or Pixelfed account I want to still use my personal identity, not just for login but ffully, and I then want to post all my actions back to my central place
#
aaronpk i mean, ideally those sites could be micropub clients to your website
#
voxpelli That assumes that my site can be canonical store for those entities and in the case of eg Pixelfed/Lemmy vs Mastodon both of those go beyond what Mastodon itself supports
#
voxpelli PESSO can be lossy on my end, POSSE can only be lossy on their end
#
voxpelli Oh, I misread you, yeah, Micropub for the PESSO
#
voxpelli Would be nice to have that flow documented – the one where you act on a silo but with your IndieWeb identity rather than a separate identity – and gets the actions PESSO:ed back
#
[snarfed] is https://indiebookclub.biz/ an example?
#
[snarfed] [gRegorLove] does it post to both itself and then your own site? or just one or the other
#
[snarfed] unrelated, it still amuses me to no end that twitter-atom is still happily working, reading tweets from the old free Twitter API. no clue what's going on there
#
[snarfed] ownyourgram and ownyourswarm are similar, except that they're not the end silo themselves
joshproehl, tei_, [jamietanna], tei_1, geoffo, gRegor, [mattl] and [Nabil_Maynard] joined the channel
#
[tantek] capjamesg++ for filing https://github.com/mastodon/mastodon/issues/24066 — I had not seen that before
#
Loqi capjamesg has 39 karma in this channel over the last year (116 in all channels)
#
[tantek] really we need two distinct issues however
#
Loqi [preview] [capjamesg] #24066 Add support for IndieAuth authentication
#
capjamesg I forgot about that!
#
[tantek] 1 Mastodon should support being an IndieAuth provider for anyone with a Mastodon account (I think that's what https://github.com/mastodon/mastodon/issues/24066 is)
#
Loqi [preview] [capjamesg] #24066 Add support for IndieAuth authentication
#
[tantek] 2 Mastodon should allow signing-in using IndieAuth and one of your (rel=me) verified URLs on your profile
#
[tantek] because they are very different implementation tasks
#
capjamesg Is 2. RelMeAuth?
#
[tantek] voxpelli, which of those did you mean by "get IndieAuth added to Mastodon"? because it could mean either, and they are very different kinds of authentication
#
capjamesg So you could authenticate with your domain name?
#
capjamesg (I am happy to write up this issue.)
#
[tantek] capjamesg, not quite. RelMeAuth relies on (typically custom) OAuth at the destination URL
#
[tantek] capjamesg, since "authenticate" is a bit abstract, I would suggest a very specific use-case e.g. "sign into Mastodon using a verified link on your profile, via the IndieAuth protocol"
#
[tantek] actually wait, I was confused enough by 24066 that I think it is (2) not (1)
#
[tantek] ok, we need to not just say "add IndieAuth" because it's too ambiguous and does not present a clear forward path for implementation
#
[tantek] we either need to ask:
#
[tantek] please allow signing-into your service using IndieAuth identities
#
[tantek] or, please support being an IndieAuth provider, so people can you use their identity on your service to sign-into other services
#
[tantek] capjamesg, which of those two did you mean by "Add support for IndieAuth authentication"?
#
[tantek] in auth terms: "allow signing-into your service" is "support being a relying party (RP)"
#
[tantek] and "support being an IndieAuth provider" is "support being an identity provider (IP)"
#
[tantek] aaronpk can verify all that ^
#
[tantek] capjamesg, either you should turn https://github.com/mastodon/mastodon/issues/24066 into a meta issue (i.e. leave it named the same) and create two NEW issues for each of the use-cases (RP, IP) and then link to them as dependent issues
#
Loqi [preview] [capjamesg] #24066 Add support for IndieAuth authentication
#
[tantek] OR you should pick one (RP or IP) and turn 24066 into that request, and then file another issue for the other
#
aaronpk +1 on being much more specific in the ask
#
voxpelli [tantek]: I meant 1, in the context of the Fediverse my Mastodon identity should be able to be my one and true identity everywhere
#
voxpelli Was in response to https://mastodon.social/@dansup/110673157746401438
#
Loqi [preview] [Daniel Supernault] Sign-in with Mastodon will be shipping later today!"oh dan, what if someone uses this on every pixelfed instance"I got that coveredAdmins will be able to take advantage of an optional feature that checks against a central list of webfinger accounts w... https://files.mastodon.social/media_attachments/files/110/673/137/314/636/694/original/29ecae44bf2a8d35.png
#
[tantek] voxpelli, and in that context you could want either or both!
#
[tantek] that's my point
#
[tantek] Pixelfed should support (RP) signing into it using your IndieAuth identity (whether that's from Masto or your personal site or whatever)
#
[tantek] Then second it makes sense for Masto to support (IP) becoming an identity provider of IndieAuth identities
#
[tantek] that sounds like at least two issues to file on those projects to get that going
#
voxpelli Right, I meant both essentially, “Sign in with Mastodon” is a proprietary mechanism and should be replaced with a standard one that enables proper reuse of identity
#
voxpelli [tantek]: I’m actually more interesting in the usage scenario of “IndieAuth identity used and verified to post in silo”
#
voxpelli And the follow up PESOS
#
voxpelli As the Fediverse is currently battling an identity duplication that Mastodon doesn’t have a solution to
#
voxpelli Lemmy, Pixelfed, Mastodon needs to be possible to use through a single identity (we can interact with it as a single identity from the IndieWeb already)
#
voxpelli IndieAuth seems like the proper solution for that and should be able to give not just MicroPub access but probably also proprietary API access
#
aaronpk yeah, no reason an IndieAuth access token can't work at a proprietary API
#
voxpelli (Sorry for using “proper” so much, I should say “viable”)
#
voxpelli An ordinary OAuth API often returns an ID of some sort to represent the user, and that means that anyone who repoints their webfinger ID to a new instance will see their “sign in with mastodon” break?
#
aaronpk cringe
#
aaronpk the "ID of some sort" is the part that OAuth left out (because OAuth by itself is only supposed to be about granting apps access to data, not identifying users), which was only later filled in by OpenID Connect
#
[tantek] half-filled in at best by OpenID Connect. It's still so much more of a framework than a protocol that it allows completely non-interoperable RPs/IPs. That's not a standard IMO
#
[tantek] not an *identity* standard at least
tei_ joined the channel
#
gRegor Re: https://chat.indieweb.org/dev/2023-07-07#t1688739738595700, yeah, it always posts to a local profile on IBC. If your site supports micropub, it will also send those to your site and link to that as the canonical version.
#
Loqi [preview] [[snarfed]] [gRegorLove] does it post to both itself and then your own site? or just one or the other
#
gRegor Examples: https://indiebookclub.biz/users/gregorlove.com the published time links to the posts on my site (several of them are messed up currently, but that's an issue on my site not ibc)
#
gRegor [schmarty] has more working links :) https://indiebookclub.biz/users/martymcgui.re
tei_1 joined the channel
#
[schmarty] 😊
geoffo, Nuve, tei_, tei_1, lanodan and bterry joined the channel