#dev 2024-12-31

2024-12-31 UTC
#
havenmatt
gRegor: Thank you!! I'll look into the JSON syntax
grufwub, jimw, [KevinMarks], bitauger and Guest6_ joined the channel
#
havenmatt
Another question about MicroPub as I'm finally getting a bit of time to unpack everything that is happening. The spec for media endpoints (https://micropub.spec.indieweb.org/#response-2) indicates that uploading an object should return a URL. It looks like Quill is then trying to fetch the object at that URL without any authentication. Since mine is a _private_ blogging platform, I don't want it to serve the object without a
#
havenmatt
[edit] Another question about MicroPub as I'm finally getting a bit of time to unpack everything that is happening. The spec for media endpoints (https://micropub.spec.indieweb.org/#response-2) indicates that uploading an object should return a URL. It looks like Quill is then trying to fetch the object at that URL without any authentication. Since mine is a _private_ blogging platform, I don't want it to serve the object wi
#
aaronpk
quill is only trying to fetch it to show you a preview, nothing will break if it can't actually fetch it
#
aaronpk
the other way to approach it is like how many websites handle it, and use a sufficiently random URL for the image such that it is effectively unguessable (known as a "capability URL")
#
aaronpk
and the URL is only expected to be accessible until it is used in a micropub request and then it can be deleted from that URL
#
[tantek]
capjamesg[d] re the passkey support in your reader, curious how you avoided the problems described in this article: https://arstechnica.com/security/2024/12/passkey-technology-is-elegant-but-its-most-definitely-not-usable-security/
#
havenmatt
aaronpk: Great to know, thanks! The following `create` request seems to be specifying a data URL, which is why I assumed Quill was treating the upload as a failure. Do you know why it isn't using the returned media URL?
#
aaronpk
@havenmatt is this in the blog post editor in quill?
#
havenmatt
I'm using that editor
#
aaronpk
ok yea
#
aaronpk
that means it thinks the media upload request failed, so it's falling back to sending the image data from the browser
#
aaronpk
something about the media endpoint response isn't indicating that the upload was successful
#
aaronpk
(most commonly this is because people return http 200 instead of 201)
#
havenmatt
From my server logs: `Completed 201 Created in 466ms`
#
aaronpk
and is there also a Location header with the URL?
#
havenmatt
I'm not logging the location header, but the subsequent GET request uses the correct image URL. But interestingly the GET is from _my_ IP
#
aaronpk
might be helpful to go through the tests on https://micropub.rocks since that gives you some better debug info
#
capjamesg[d]
[tantek] I definitely think there is work to do on the UX of the technology.
#
capjamesg[d]
I wish there was a link to manage passkeys on the iOS prompts.
#
capjamesg[d]
In testing, I made passkeys for a few different accounts, and now they are all listed in the pop up.
#
havenmatt
But micropub.rocks doesn't support PKCE!
#
capjamesg[d]
Of course, that is not representative of a typical experience, but it was a papercut I found frustrating.
#
aaronpk
ooh crap, true, i haven't touched that in a long time
#
capjamesg[d]
I intentionally list password authentication at the top of the login options.
#
capjamesg[d]
This ensures that the experience most users will expect is above all else.
#
capjamesg[d]
Given the nascent nature of passkeys, I wonder if I should have an explainer page where you set up your passkeys that explain how they work.
#
capjamesg[d]
I love the idea of passwordless auth, but honestly I want a password to fall back on.
#
havenmatt
I can experiment with making images public and seeing if that makes a difference, I'll report back eventually aaronpk[d]
#
capjamesg[d]
I don't like how 1Password tries to hook in as a passkey provider when my passkeys are saved in iCloud, either.
#
aaronpk
i don't think that will make a difference, but let me know
#
capjamesg[d]
It's unintuitive to know I need to press X to dismiss the 1Password modal before the OS modal will pop up with my passkeys.
#
aaronpk
oh @havenmatt micropub.rocks also lets you add a micropub URL and access token manually so you can skip the indieauth step for it
#
capjamesg[d]
aaronpk Did I do the client.json thing right?
#
aaronpk
i think so!
#
aaronpk
(speaking of things that need a test suite)
#
capjamesg[d]
I wish indieauth.com showed the app name 😄
#
aaronpk
Me too
#
aaronpk
IndieLogin.net should tho
#
aaronpk
Oops IndieLogin.com
#
aaronpk
omg wrong way around never mind
#
aaronpk
I haven't had enough coffee yet
#
Loqi
coffee has 1 karma in this channel over the last year (14 in all channels)
#
Loqi
[snarfed] has 53 karma in this channel over the last year (99 in all channels)
#
[Joe_Crawford]
[snarfed]++ for answering a very basic bluesky api q in https://github.com/bluesky-social/atproto/discussions/2572
#
[tantek]
capjamesg[d] a short blog post about even just your few brief frustrations with passkey and your observation about password being the "easy flow" for most users would be great!
#
[tantek]
Like literally what you wrote above with maybe screenshots in between
Xe and gRegor joined the channel
#
havenmatt
aaronpk: Oh, good to know! Thanks
#
doesnm
anyone seen solid+indieauth stack? afaik solid-oidc supports dynamic client registration. But CSS shows 500 error if I just supply error like indieauth
#
[mattl]
which solid?
#
[mattl]
what is solid
#
Loqi
Solid is an abbreviation for Social Linked Data (originally capitalized as SOLID, sometimes as SoLiD), a web-based protocol designed for decentralized social web applications and Linked Data with features such as single sign-on, universal access control, and a universal data API https://indieweb.org/Solid
#
doesnm
homepage and blog can be hosted in pod. Also access to apps controlled by quite modified oidc
#
[tantek]
what is a passkey
#
Loqi
It looks like we don't have a page for "passkey" yet. Would you like to create it? (Or just say "passkey is ____", a sentence describing the term)
#
[tantek]
what is Webauthn
#
Loqi
Web Authentication (WebAuthn) is a W3C Recommendation for an API to access public key credentials, including for a browser, optionally with the use of a hardware key https://indieweb.org/webauthn
#
[tantek]
close enough. passkeys are only one "implementation" of Webauthn right?
#
[tantek]
webauthn << Criticism of Passkeys usability in particular: 2024-12-30 Ars Technica: [https://arstechnica.com/security/2024/12/passkey-technology-is-elegant-but-its-most-definitely-not-usable-security/ Passkey technology is elegant, but it’s most definitely not usable security]
#
Loqi
ok, I added "Criticism of Passkeys usability in particular: 2024-12-30 Ars Technica: [https://arstechnica.com/security/2024/12/passkey-technology-is-elegant-but-its-most-definitely-not-usable-security/ Passkey technology is elegant, but it’s most definitely not usable security]" to the "See Also" section of /Web_Authentication https://indieweb.org/wiki/index.php?diff=99366&oldid=90729
#
[tantek]
webauthn << more usability criticisms of passkeys etc (turn these into citations with the template) 2024-10-14 [https://systemsapproach.org/2024/10/14/can-passkeys-replace-passwords/ Can Passkeys Replace Passwords] / Timely idea faces deployment challenges; 2024-04-08 [https://proton.me/blog/big-tech-passkey Big Tech passkey implementations are a trap]; 2024-09-09
#
Loqi
ok, I added "more usability criticisms of passkeys etc (turn these into citations with the template) 2024-10-14 [https://systemsapproach.org/2024/10/14/can-passkeys-replace-passwords/ Can Passkeys Replace Passwords] / Timely idea faces deployment challenges; 2024-04-08 [https://proton.me/blog/big-tech-passkey Big Tech passkey implementations are a trap]; 2024-09-09" to the "See Also" section of /Web_Authentication https://indieweb.org/wiki/index.php?diff=99367&oldid=99366
GuestZero, sebbu2 and bterry2 joined the channel
#
carrvo[d]
[tantek]++ that passkey read was quite interesting!
#
Loqi
[tantek] has 23 karma in this channel over the last year (138 in all channels)
#
carrvo[d]
capjamesg Would the following be an appropriate example of consuming the client.json thing? https://github.com/Inklings-io/selfauth/pull/59
#
carrvo[d]
[edit] capjamesg Would the following be an appropriate example of consuming the client.json thing? https://github.com/Inklings-io/selfauth/pull/59
#
Loqi
[preview] [carrvo] #59 optionally query client_id endpoint for more display info
#
capjamesg[d]
I believe so!
#
capjamesg[d]
I didn't know about the client_tos property!
#
capjamesg[d]
Good to know.
#
carrvo[d]
I included displaying the fields I felt were most consumer palatable. Note that I made sure to still include the raw client ID.