#Loqi: [preview] [samuelgoto] > I'll put instructions on how to use this
Ok, here is one way anyone with a domain can be an Indie FedCM IdP that https://webmention.io would accept as an IdP.
You have three options:
1) You can implement https://indieweb.org/FedCM_for_Indi...
geoffo joined the channel
#aaronpk: You have no idea how excited I am about this!
hacdias_, oenone_, Zegnet, geoffo and [tw2113] joined the channel
ancarda_, eb_, Guest1350_, lanodan_, sebbu2, oodani_, rjomara583, chenghiz__, revi_, chimo_, _standingdesk[d], gerben_, RapidRotator_, revi, bacardi55[m], herbi, Pegazusuo`_, eitilt and GuestZero joined the channel
#cophee: just started using webc components in 11ty =]
#cophee: building the site for indieweb.guide now (based off max boeck's starter)
[jeremycherfas], randulo and [Joel_Auterson] joined the channel
#[Joel_Auterson]: Got EXIF extraction working for photos :) I realised I was including location data in all my photos so now Hugo extracts it selectively and then my build strips it from the images https://www.joelotter.com/notes/2024/04/19-japan-19/
#Loqi: [preview] [Joel Auterson] Spent Wednesday evening in Kabukicho - def worth a visit, especially if you’ve played the Like A Dragon games as it’s the inspiration for Kamurocho. Had drinks in the Golden Gai, met some lovely people, had far too much shochu. https://www.joelotter.com/img/2024/04/japan-19-1.jpeg
#Loqi: [preview] [Evan Prodromou] @jesseplusplus I had a much more pessimistic feeling about federation by the early 2010s, when that ecosystem had collapsed into a few dominant players. It wasn't until we started the Social Web Working Group at the W3C in 2014 that I started feelin...
#aaronpk: well now that i stopped processing pingbacks in webmention.io, i just noticed actual webmention spam
#aaronpk: spam as in a webmention request from a clearly spam URL that doesn't even have a link to the target site in the webmention
pcarrier and [Joe_Crawford] joined the channel
#[Joe_Crawford]: one prerequisite for a webmention is the link to the target be included in the originating url so that seems like the result should be failure, flagging or the like
#aaronpk: Right, which is why I'm surprised to see this request
#aaronpk: cause it's not like someone set up a Wordpress site with the webmention plugin and is sending webmentions from actual pages on the site where it's only spam because of the content of the page
[snarfed] joined the channel
#[snarfed]: maybe someone's site has a "send me a webmention" form pointing to http://wm.io, and this is the usual indiscriminate "find forms with text boxes, plug in our URL" spam
#pcarrier: I haven't seen how idps register themselves in browsers, presumably it takes more than visiting a page or the list could get polluted quickly?
#aaronpk: but the indieauth version adds one step to it so maybe there's a way to do it that isn't entirely duplicative
#pcarrier: Hmmm really wish things like generating the list of users could happen through agent-side code instead of being limited to server logic
#aaronpk: how so? it's server-side logic by definition, since it relies on being logged in at the IdP
#pcarrier: The client could generate everything based on local storage, that the server merely confirms at the end by verifying the unsigned assertion and signing it
#aaronpk: it does do a fair bit of client-side caching of the logged-in state on the server in practice
#pcarrier: Does it though? I could imagine keeping a list of user, private key in local storage, and the server resigning the assertion that's been signed by the client to prove it has the private key after verifying the user ID -> public key association, for example
#pcarrier: That could allow for login/logout without involving the server, which could be better for privacy
#pcarrier: Maybe I misunderstand what problem is being solved, but some of the design feels overly constraining to me. I don't like first party cookies either, in my ideal world every FP/IdP request could be signed by my passkey rather than introducing a stateful session with cookies
#pcarrier: aaronpk: thanks. so if Mozilla and Apple come along… :)
geoffo and [jgarber] joined the channel
#[jgarber]: Aaron’s recent posts about FedCM reminded me of a question y’all might have some thoughts on.
#[jgarber]: Assume this is about an authorization endpoint service akin to http://indielogin.com. I’m 99% sure I’ve used the right terminology, but apologies if the wording is slightly off:
#[jgarber]: In an IndieAuth flow, what are some authorization endpoint strategies (besides RelMeAuth) for attesting that a person "owns" the domain they're authenticating with?
#[jgarber]: Some ideas in decreasing order of complexity: TXT DNS record, an HTTP header, a `<link>` element of some kind…
#aaronpk: besides relmeauth? yeah those sound reasonable
#pcarrier: [jgarber]: sorry for the nit, but granted that complexity ≠ difficulty, I'd argue TXT is the least complex of those options
#[jgarber]: Any thoughts on the “shape” (name, content, etc.) of any of those three options? Is there any prior art or something similar out there?
#pcarrier: I'd love a provider-agnostic spec to suggest DNS changes
#pcarrier: cloudflare has a one-click option that Google uses to install their domain ownership verification record
#[jgarber]: Google’s site verification comes to mind.
#aaronpk: lots of prior art for domain verification with lots of tools like email services or hosting companies
#pcarrier: wouldn't be comfortable with any member of the web team changing a key corporate security policy whenever they feel like it, whereas changes to the main DNS zone are likely to go through sysops
#pcarrier: (or 2 members of the web team assuming 4 eyes)
barnaby and rrix joined the channel; pcarrier left the channel
#aaronpk: huh i can't figure out how to get this passkeys UX to work the way i want
#aaronpk: i don't want to ask the user for an email address or username first, which theoretically seems to be supported using "discoverable credentials"
#aaronpk: but then it seems like i'm forced to provide two buttons: log in and register
#aaronpk: but there isn't really a difference in the UX depending on which they click, because neither case asks for any user input before triggering the passkey prompt
rrix and [KevinMarks] joined the channel
#aaronpk: i guess i have to have two buttons for now? i'm going to ask tim cappalli about this on monday
amyiscoolz_ joined the channel
#pcarrier: aaronpk[d] yeah pretty sure you need 2 buttons.
#pcarrier: aaronpk[d] lemme know if I turn out wrong though, would love to simplify https://xmit.co 😄
#aaronpk: it looks like you're going for the same ux i am
#aaronpk: have you thought about what happens if someone registers a new account accidentally and then wants to move that passkey onto their existing account?
sarajaksa joined the channel
#pcarrier: no. everything belongs to teams, so you'd invite the other account onto the same team, then one of the accounts would leave the team and could be kept around empty
#pcarrier: if you have workflow improvement ideas I'm 100% all ears
#aaronpk: one thought was to detect a first-time account and ask if they meant to log in to a different account, then go through some sort of recovery flow like if they have an email address
geoffo joined the channel
#[jgarber]: I’m probably missing some context here, but this presumes the person realizes after the fact that they created a second account (both using passkeys)?
#pcarrier: You log into account A, hit "merge another account" which makes you log into account B, account B disappears and account A has all the things
#aaronpk: it might be less of a problem with separate log in / register buttons
#[jgarber]: Copy that. That’s what I thought. Maybe this is naive:
#[jgarber]: User realizes they messed up, they initiate an account merge flow that prompts for two passkeys in sequence (the current account’s then the “other” account’s which I suppose they’d have on device or have access to), and then the application is responsible for handling the data merge.
#aaronpk: if they managed to create a second passkey, it's probably (probably) because they used a different device that isn't syncing their passkeys
#[jgarber]: Figured it had to be naïveté on my part. 😅
#aaronpk: which means they wouldn't be able to log in using the two passkeys on the same device
#[jgarber]: That seems more likely, yeah. Then that falls into the account recovery field of pain.
#pcarrier: aaronpk[d] I have a UX to enroll another passkey, you can use your second device then
#pcarrier: Or take your phone and enroll it into both accounts
#aaronpk: it's definitely an edge case and not as much of a problem with separate buttons, but i was trying to make just one button for both actions where it would be more likely to happen
#pcarrier: (One account has 0..N passkeys managed through the admin page in my model)
#aaronpk: right but if you assume they got into the situation because they weren't able to use the two different passkeys on the same device, they're stuck
#aaronpk: and if they were able to use the two passkeys on the same device, a regular login flow would have worked
#aaronpk: it's actually: created account on computer A, created second account on phone B, now you want to move the passkey on the phone to the account created from computer A
#pcarrier: well does it matter which way you do the transform?
#[jgarber]: Requires Bluetooth or being on the same wifi in a quick local test.
#pcarrier: but I mean, sure, let's do that. You log onto your computer, you click enroll, you use your phone. Now phone has A and B. You log into A from phone, click merge, log onto B, done
#aaronpk: i didn't follow that, need to use more specific terms referring to accounts and passkeys
#pcarrier: account A has passkey A that's on computer A. account B has passkey B that's on phone B.
#pcarrier: you want account A to have passkeys A and B
ttybitnik joined the channel
#pcarrier: you log onto account A from computer A. you click enroll, pick mobile, scan the QR code shown by computer A on phone B. now phone B has passkeys A, B, and C where passkey C belongs to account A
#pcarrier: you log onto account A on phone B using passkey C, then hit merge, then select passkey B. now account A has passkeys A, B, C and you can delete passkey C.
#aaronpk: two problems with that: you are forcing the user to switch devices to go through this flow (they were on their phone when they made the second account accidentally), and you are forcing them to delete the extra passkey, which is not good UX right now
#pcarrier: you click sign up instead of sign in by mistake. you see an empty account. you log out and never use that account again.
#aaronpk: as long as you know how to delete the passkey that was created when you signed up for that account that's fine
#pcarrier: however, you want to use an account you've lost access to. you reach out to me. I find a way to validate your identity (E-mail address on the account, domain you own where you can change DNS, etc.) and send you a one-time link to log into a fresh session for your account without a passkey.
#pcarrier: oh yeah, getting rid of a passkey is a must-have. it's not too bad on iPhones, it's nigh impossible on a yubikey.
#aaronpk: i can't seem to get rid of them from chrome
#aaronpk: it's so that the password managers have some account identifier to show i guess
#aaronpk: i don't _need_ to have any identifying information for an account to be functional, and in fact i would like to only collect any identifying information after the account is created so that i can do it incrementally and when it makes sense
#[jgarber]: Kidding. All of mine have username/email but I may have added those myself. 🤔
#aaronpk: what i'm trying to do is make it so you can click "register" and make an account where there is no information yet, then go add a domain to your account (which will require that i do domain verification). but then you should be able to add a second domain too. and there's no reason to ask the user to create a separate username for this either
#[jgarber]: Okay, so it is super easy on that Yubico demo site to rack up passkeys. I was expecting an iOS/macOS prompt asking if I wanted to use an existing one but that highlights my ignorance of the underlying implementation code.
#aaronpk: right, that's what i was trying to do at the start
#aaronpk: i also assumed that would be the default UX, then tried to find a way to do it with just one button, but it looks like that's just not possible
#pcarrier: deleting the right one(s) is nerve-wracking
#aaronpk: kinda wish i had been paying attention better at the beginning of passkeys to give this feedback while it was in progress
#pcarrier: no, it's `navigator.credentials.create` vs `navigator.credentials.get`
#aaronpk: but this is the exact kind of thing i'm trying to make sure doesn't happen with FedCM, by actually getting in early(ish)
#pcarrier: aaronpk[d] I guess it's not too late to bring `navigator.credentials.get({orCreate:true})` or some such
#pcarrier: who wants a w3.org link in their exception message 😛
#aaronpk: ask the user for their email, check if you have an account with that email, if so ask for navigator.credentials.get, if not do navigator.credentials.create
#aaronpk: i just don't want to make the user type anything first
[johnstonphilip] joined the channel
#aaronpk: well i was hoping to be a lot farther along by now
#[jgarber]: The “ask for email get or create” flow _could_ be used nefariously to determine the existence of an account for a given email similar to how 401’s can leak the same (vs. a generic 404).
#[jgarber]: It’s a stretch (and probably wildly tedious) but theoretically possible.
#aaronpk: yeah, doesn't have to be an email address, it can just be a username
#[jgarber]: same same vulnerability but with arguably less consequence. 🤷♂️