#dev 2025-02-11

2025-02-11 UTC
[tantek]
maybe - do you know anyone who has done that with 29 years worth of photos?
[tantek]
what is nextcloud
Loqi
Nextcloud is an open source software project for self-hosted personal web services including a file manager (an indie version of Dropbox), music, calendar (CalDAV), contacts (CardDAV), and more https://indieweb.org/Nextcloud
[tantek]
I'd ask the folks listed in https://indieweb.org/Nextcloud#IndieWeb_Examples if they have experience with photos and nextcloud rather than conjecturing tbh
aaronpk
hm, there was something about nextcloud photos I didn't like, and so I only use it for contacts and calendar now
aaronpk
although my server has been offline for some reason, i really need to figure out my virtualbox situation
[tantek]
hugops++
Loqi
hugops has 4 karma in this channel over the last year (7 in all channels)
bterry1 joined the channel
carrvo
snarfed, gRegor, have either of you seen some yellow text the last time you tried my site and couldn't log in?
carrvo
I'm looking to ensure this change works before I merge: https://github.com/carrvo/mindie-client/pull/19
carrvo
[edit] I'm looking to ensure this change works before I merge: https://github.com/carrvo/mindie-client/pull/19
Loqi
[preview] [carrvo] #19 IndieAuth error messages
Loqi__ joined the channel
gRegor
I see a flash of an "Authenticate" page with a yellow box for just a second or two (/shared/login), then get redirected. It's still ending up at a Forbidden, though.
carrvo
Sorry, I mean with your domain, not the anonymous.
carrvo
I'll have to see why it is forbidden...that is strange.
GWG
Trying to decide what I'd put into sub if I were to consider https://github.com/indieweb/wordpress-indieauth/issues/286
Loqi
[preview] [carrvo] #286 Introspection could use SUB claim for Pure OAuth client Compatibility
aaronpk
some stable unique user identifier
GWG
aaronpk: Stable as in? The userid from WordPress maybe?
aaronpk
usually that's what i would say, but i need to think about this in the indieauth context
aaronpk
might make sense to use the same URL as `me`
GWG
aaronpk: That's why I thought I'd ask...because carrvo and the library being used need it, but I don't, so adding it shouldn't be an issue, but I'd like to find some rationale.
aaronpk
probably the `me` url makes the most sense
GWG
That works.
aaronpk
the problematic value is email address, since emails are not good at being stable user identifiers. lots of examples of websites consuming an email address as a user ID from oauth/openid flows and running into edge cases and vulnerabilities as a result
carrvo
I have been using the same value as `me` -- it becomes the value users have to add to a list (unless anonymous).
GWG
And what list is this?
carrvo
The authz layer I have is a custom whitelist per file.
carrvo
aaronpk, what is the difference between `me` and `sub`? When I read the specs they seemed identical.
carrvo
GWG, I'm not particular about what value you use. `me` is convenient and makes sense but at the end of the day I can retrieve the value you choose and use it with my authz layer regardless of your choice.
GWG
Me should be there already.
GWG
But if the introspection endpoint isn't returning the right information, then I need to fix that, but it should be.
aaronpk
`sub` is short for "subject" which is the user identifier. it is from openid connect and JWTs https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2
aaronpk
interestingly, early versions of openid connect used `user_id` instead. i don't remember how that changed
aaronpk
anyway the important semantic of the value is that it is a stable value for the user at that server. it's meant to be the value that the consuming site (relying party) will use to know whether the same user returns in future logins
aaronpk
that does sound like the same semantic we expect from the `me` value, so i believe they are equivalent
grufwub joined the channel
aaronpk
i had a random thought the other day, which is to propose a lightweight OpenID Connect extension that returns the `sub` value in the token response so you can skip the ID token parsing entirely
aaronpk
incidentally making it work almost exactly the same as IndieAuth, except for the name of the parameter
carrvo
GWG, I meant "...same value as `me` is convenient and makes sense..."
carrvo
aaronpk, I thought so. Redundant semantic but different restrictions on the value.
carrvo
Kind of makes me wonder why `me` was added...
aaronpk
because indieauth is not based on openid connect because it's been around at least as long
carrvo
Fair. Strange that it shows up in OAuth which I expect to predate both.
aaronpk
it's technically very new in oauth, it's only in the JWT access token spec which was published in 2021
aaronpk
the rest of oauth does not deal with user identifiers at all, because it's a delegation protocol, not an authentication protocol
aaronpk
oh actually it is in the token exchange spec too (RFC8693, 2020), although that uses an email address as an example smh
GWG
This is why I wanted to talk it out
aaronpk
if you want to get technical, it's actually defined in the JWT spec, RFC7519 from 2015, which was done in the OAuth working group, although there is barely a mention of oauth in the spec at all
gRegor
carrvo, I can't sign in with my domain, my token introspection doesn't include `sub` yet
gRegor
I mean, I guess it is doing the authn flow successfully, but after that it fails at token introspection
gRegor
Ah, this is coming back to me a bit. Realized I never fully finished the introspection endpoint because I wasn't sure about the authentication.
gRegor
I did some experiments with https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/ for an app and did get introspection set up for that, since there's a client_id and client_secret I could use for auth of the introspection
bret_ joined the channel
GWG
gRegor: Same... I just made it work without authorization
GWG
Which the old version did.
gRegor
Does seem bad without some rate limiting. Token fishing.
gRegor
carrvo, do you know what your Apache module is trying to use for authenticating the introspection request?
[Sophia_wood] joined the channel
carrvo
I want it without registration restrictions so I decided for it to "log in as itself". This can probably be done better but it meets the spec. It seems like the wild left off the authn (or introspection altogether) for most IndieAuth implementations.
carrvo
If we talk long term it would be cool to authenticate the server-to-server introspection request using the certificates they already have for their domain. Something like mTLS.
carrvo
But short term I am considering breaking away from the spec and not requiring any authn on my introspection endpoint. It is just awkward right now.
carrvo
Sorry for the rant...
carrvo
aaronpk, my apologies then. I never bothered to look at the history and assumed that certain parts had been around for longer.
carrvo
I am quite shocked at how much OAuth, OpenID Connect, and IndieAuth/IndieWeb stuff has only been since I graduated (2020). Especially since it seemed like OAuth + OpenID Connect is being treated like it is so normative.
carrvo
Almost as though if I were 10 years earlier I would have been trying to invent this stuff. IndieWeb++
Loqi
IndieWeb has 3 karma over the last year
carrvo
gRegor, when it fails to sign in with your domain (due to the missing `sub`) does it return to the sign-in with an added message? I'm hoping it will give clarity to users trying to login.
carrvo
I haven't had a chance to test it locally.
carrvo
GWG++ I appreciate you considering adding the `sub`! I've gotten the vibes that IndieLogin.com, WordPress, and SelfAuth comprise >50% of the community.
Loqi
GWG has 6 karma in this channel over the last year (62 in all channels)
jak2k, btrem, nemonical, RapidRotator, [Murray], bterry1, laker, rob32, srushe, suki, hedy, capjamesg, nnrx, roxwize, vikanezrimaya, okCiel, ancarda, athenaeryma, [Jo]1, [aciccarello]1, Loqi, eb and Guest6_ joined the channel
jeremycherfas
/me is discovering the difficulty of leaving the cargo cult that is his Tailwind theme in Grav. So much to undo and then build up again.
ttybitnik, claudinec, JadedBlueEyes, GuestZero__, GuestZero and gRegor joined the channel
gRegor
carrvo, yeah, I get the login prompt again with the message above it. The message is yellow on white background, though, so hard to read without highlighting it.
gRegor
Am I reading it correctly that this means Basic authentication with the client_id and an empty client_secret? https://github.com/carrvo/mindie-client/blob/3133e3f42094729c2100a312e7366433af6a0707/indieauth-client-php/redirect.php#L67
gRegor
I'm not familiar with that `introspect.auth` syntax
lockywolf, nemonical, [qubyte], Becbec and doesnm joined the channel
carrvo
Basic auth, with client_id as the URI and client_secret as an underscore `_` (it wouldn't let it be empty). Just enough to identify who is asking.
carrvo
I will fix the styling! Thanks for the check gRegor++
Loqi
gRegor has 32 karma in this channel over the last year (116 in all channels)
gRegor
I don't know how any introspection endpoints would know to handle that authn
nanoflite joined the channel
carrvo
My current understanding of current implementations is that there is either registration or no authn (ignored).
carrvo
The need for mod_oauth2 to perform introspection is largely why I have the anonymous user. One day I might write an IndieAuth specific Apache module...
carrvo
I wish there was an alternative 😦
ttybitnik joined the channel
gRegor
Yeah, I had a passing thought that the token response body could include a separate token, like "introspection_authentication", but the OAuth spec I read says that anything other than the expected keys in that JSON should be ignored by the client.
gRegor
> To prevent token scanning attacks, the endpoint MUST also require some form of authorization to access this endpoint, such as client authentication as described in OAuth 2.0 [RFC6749] or a separate OAuth 2.0 access token such as the bearer token described in OAuth 2.0 Bearer Token Usage [RFC6750]
gRegor
hah, that showed up funnin chat logs, lines out of order. oops.
gRegor
*funny in, sheesh
carrvo
gRegor, I had a similar discussion with Zegnat here: https://github.com/Zegnat/php-mintoken/pull/15
carrvo
[edit] gRegor, I had a similar discussion with Zegnat here: https://github.com/Zegnat/php-mintoken/pull/15
gRegor
Ooh thanks, will read
nanoflite joined the channel
aaronpk
i'm not sure the token scanning attack is the best description of why the endpoint should require authentication, since realistically a resource server can also be used to check if a random string is a valid token. also you should be using values for tokens that are so long/random that they are virtually impossible to guess anyway. the larger issue is that the token introspection response is meant to include a lot of detail about the token that the resource server needs to know, and that data should not be visible to other parties who have the token (the user and the client)
btrem joined the channel
btrem
Has anyone here ever used <iframe>? Any accessibility issues I should be mindful of? I might use it to present an example webpage, but I'm not committed to it.
btrem
I'd normally use an image/screenshot, but the point is to show that the page that would be in the iframe has multiple photos, and a screenshot won't show them all.
gRegor
aaronpk, good to know. So that's less of a concern in most of our IndieAuth client-server stuff, right? Not that we should carve out an exception for IA, but IA clients should have all the introspection info from the original token?
aaronpk
clients don't introspect tokens
aaronpk
resource servers introspect tokens, and they need to know things like what scopes were issued to the token, or other internal things
gRegor
Yeah I guess carrvo's is a hybrid client/RS
btrem
TIL you can take a screenshot of an entire webpage (not just the visible part) with a built in tool in Firefox.
gRegor
yeah, that's pretty cool!
carrvo
Mine is a hybrid, indeed.
sebbu2 joined the channel
[snarfed]
hey aaronpk if OAuth office hours is still in session...I'm getting the error "dpop_jkt parameter does not match the DPoP proof" from my IdP and not sure how to debug, any tips?
[snarfed]
(Bluesky is the IdP)
gRegor
haha, very human friendly error XD
[snarfed]
eh, it's developer facing, not user facing
aaronpk
that sounds like the authorization code binding part? https://datatracker.ietf.org/doc/html/rfc9449#section-10
aaronpk
i suspect the hash is wrong, did you double check the base64 URL encoding? that's usually what trips people up with PKCE
aaronpk
very common mistake to use regular base64 instead of base64 url
[snarfed]
nm, think I figured it out, I wasn't using the PAR endpoint right
[snarfed]
(ie at all 😅)
[snarfed]
(I'm using a lib, not implementing directly)
bterry joined the channel
[aciccarello]
Haha, I went down a rabbit hole looking at what JS indieauth libraries supported PKCE but I don't think I'll actually try to implement that anytime soon.
[aciccarello]
I did notice that Omnibear was using a hard coded secret
aaronpk
it's not that bad, i have a vanilla js version of it you can steal from
Loqi
[preview] [aaronpk] pkce-vanilla-js: A demonstration of the OAuth PKCE flow in plain JavaScript