#dev 2023-11-09

2023-11-09 UTC
bterry, geoffo, [nsmsn] and [0x3b0b] joined the channel
#
gRegor
What's the name of the venue API/checkin project that I think [manton] started?
#
GWG
lat.lng or something like that
geoffo joined the channel
#
[jacky]
with indieauth, do we have a way to add a "note" to token verification requests? I'm thinking of something like having a read token but then alerting as to what you're using the token for. what I think works for me is passing along `resource` because https://datatracker.ietf.org/doc/html/rfc7662#section-2.1 isn't saying I can't
#
[jacky]
and this is part of a larger want to tie actions to specific auth requests for an audit log
#
GWG
resource is a word I wouldn't use because it has a usage in OAuth as a proposal.
#
GWG
Or is this re-source?
#
[jacky]
ha: it _is_ `re-source` in this case yeah
#
[jacky]
like the thing I'd want to use this token for
#
[jacky]
but not like a resource server (which IIRC would be what the OAuth2 server implementation would be at)
#
GWG
Can you give me a use case example?
#
gRegor
Kind of sounds like the client_id initially associated with the token?
#
[jacky]
specifically, I'd like to be able to control the use of a scope for specific resources (allowing someone to invoke a scope in relation to it)
#
GWG
I'm just thinking resource indicators might cover this.
#
[jacky]
looks into resource indicators
#
[jacky]
yes it would
#
GWG
There's even a PR we tabled.
#
[jacky]
just from the first paragraph of that linked spec
#
GWG
So, you could be someone implementing that proposal.
#
Loqi
[preview] [dshanske] #82 Adopt Resource Indicators or similar system to limit token access to resources
#
[jacky]
I need to read that whole PR
#
[jacky]
but I think this would allow me to do what I want
#
GWG
The PR was just me integrating the linked spec into IndieAuth
#
GWG
But, to the point of aaronpk and [schmarty] it wasn't needed at this time. Resource is in Ticketing though
#
gRegor
GWG, meant to ask, do you have a ticket endpoint I can try sending one to?
#
GWG
gRegor: I'm upgrading the code at the moment. But yes...at wpdev.gwg.us. It worked as recently as Nuremberg where sknebel sent something to it.
#
gRegor
Cool, I'll try that soon
angelo_ and [KevinMarks] joined the channel
#
Loqi
[preview] [BMO] SVG allows you to embed CSS. CSS can detect dark mode. Make your favicons in SVG!Simple example:<svg viewBox="0 0 16 16" xmlns="http://www.w3.org/2000/svg"> <style> @media (prefers-color-scheme: dark) { .r {fill: white} } </style> ...
geoffo, Renfield, [jacky], AramZS, [jeremycherfas] and CRISPR joined the channel
#
[snarfed]
meanwhile, the latest from the conneg-- files 😠 https://github.com/elk-zone/elk/discussions/2457
#
[snarfed]
maybe someday BF will interop with mozilla.social...maybe...
tbbrown joined the channel
#
sknebel
huh, doesnt even seem obvious where the code for that is
#
sknebel
guess has to be in some dependency, and npm install is not happy with that repo
#
sknebel
[snarfed]: since mozilla is actively asking for feedback, maybe worth poking them about interop issues too
#
[tantek]
[snarfed]++ for filing that bug and expressing more details. Yes Mozilla cares about that interop, and hopefully I can help nudge it further.
#
Loqi
[snarfed] has 90 karma in this channel over the last year (144 in all channels)
jonnybarnes joined the channel
#
[snarfed]
thanks [tantek]!
[Joe_Crawford], [tw2113], [aaronpk], angelo_, [aciccarello], tbbrown, neceve, [chrisaldrich] and kubie joined the channel
#
Loqi
[preview] [dshanske] Proposing this text. `The ticket endpoint makes a GET or HEAD request to discover the metadata endpoint of the issuer property, to discover the token endpoint. The issuer property MUST allow for discovery of the metadata endpoint. If no issuer pro...
#
gRegor
Haven't thought in-depth on it yet. First question is whether `iss` is required. That phrasing implies it's optional.
tbbrown joined the channel
#
gRegor
With it optional, feels like it makes a more complicated set of if/else scenarios to handle.
#
gRegor
Only other thought is the discovery described there should probably link to and reference https://indieauth.spec.indieweb.org/#discovery-by-clients instead of repeating it. That section has all the details about link headers, redirects, relative urls, etc.
#
gRegor
Requiring `iss` and requiring that URL link to indieauth-metadata sounds good, but I'm interested to hear other implementers thoughts/experience.
#
GWG
Well, I think implementers so far would be Zegnat, jamietanna, sknebel and fluffy, other than the two of us, if I remember correctly, of parts of the flow.
#
gRegor
True, though I mean any IndieAuth server implementers. What sounds reasonable, too much, etc.
#
gRegor
That list sounds correct to my recollection
#
GWG
The other issue is the section is 'discovery by clients'
#
GWG
But we also have discovery by Resource Servers, because the introspection endpoint is not meant to be used by clients..maybe the section should be rearranged a bit.
[Al_Abut] joined the channel
#
gRegor
Maybe that could be clarified in the ticketing section when linking to it, or maybe within that the dicovery by clients section if necessary. It seems like ticket_endpoint is behaving like a client in this specific case.
#
GWG
Yes. I'm just saying we could also concurrently clarify the application there to loop in more effectively.
#
GWG
I have a few things I want to do
#
GWG
The issue identifier shouldn't be defined in 4.1.1 under Server Metadata, it should be under 3...with the other identifiers.
[Murray] joined the channel