2017-07-18 UTC
tantek, [miklb], dougbeal|mb1, dougbeal|mb1`, strugee_, [pfefferle], j12t and sl007 joined the channel
j12t joined the channel
# 13:48 Zegnat /relmeauth and /RelMeAuth link to different things. The first is a PHP library, the second the building block. This part of the IndieWeb documentation is one giant ball of yarn :/# 14:13 aaronpk wow that's a great new version of the IndieAuth page! # 14:18 Loqi zegnat has 13 karma in this channel (118 overall) # 14:20 Zegnat I keep finding pages I did not know about that include yet another small piece of the puzzle # 14:21 sebsel I was confused by the double section of 'Self-Hostable Implementations', maybe change that to something like 'Self-Hostable Token Endpoint Implementations' etc.? # 14:22 Zegnat They are clearly nested, see the ToC sebsel. I don’t really like how minute the difference between h3/h4 is on indieweb.org though. They are quick to run into eachother # 14:23 sebsel I see they are nested, but I needed a few looks for that, because the h3/h4-difference is so small. # 14:24 sebsel Maybe remove 'The Three Parts of', and get them h2/h3? # 14:29 Zegnat I am also not sure if I should say indieweb.org is using IndieAuth. I don’t think it is? We simply use IndieAuth.com as an authentication provider, right? And IndieAuth.com just happens to support both RelMeAuth and IndieAuth… Still kept that in. [shanehudson] joined the channel
# 14:31 aaronpk hm that might be a good reason to update the mediawiki plugin to actually speak the indieauth protocol itself j12t joined the channel
# 14:34 Zegnat sebsel how are these small CSS tweaks on the headers? Better? # 14:44 Zegnat Isn’t that “Supporting Sites and Clients”? Or you mean people who have added the endpoint rels? # 14:44 aaronpk no, i mean specifically "IndieWeb Examples" to match the rest of the wiki, only for personal sites # 14:45 aaronpk that could list both people who have added the rels as well as personal sites you can sign in on # 14:45 aaronpk it's good to call out personal sites separately from services # 14:50 aaronpk what's especially good to see is who is running their own IndieAuth authorization endpoint # 14:52 Zegnat Oh, “Why is the IndieAuth verification response form-encoded instead of JSON” should probably stay too # 14:52 Zegnat Though the form-encoded discussion could potentially go under #Issues too # 14:53 Zegnat The “Who not OpenID Email etc” is a valid question. But really sounds like a [[Web sign-in ]] question more than a question about IndieAuth? # 14:54 Zegnat Especially since the answer is just “see Web-sign in” # 14:54 aaronpk since it's probably there because someone had the question while reading about IndieAuth # 14:54 Zegnat I expect it might have been filed as a question re IndieAuth.com-the-service: e.g. why can’t I use OpenID there? # 14:55 Zegnat I am just not sure if it makes any sense to read the IndieAuth page and then go: “nice protocol, but what about email?” # 14:56 Zegnat goes to do more moving and will ask questions afterwards~ tantek joined the channel
# 15:09 Zegnat Alright, I think #Issues and #To_do are cleaned up now, and I copied them over to my draft page on my user account. # 15:09 Loqi zegnat has 14 karma in this channel (119 overall) # 15:10 Zegnat aaronpk, what to do with those Feature Requests? They aren’t indieauth.com specific, but they aren’t auth related either? They are more akin to e.g. when using Facebook to login somewhere and allowing that place access to certain information. # 15:11 Zegnat Hmm, maybe rewrite them to an issue. Something like “requesting additional user data” # 15:12 Zegnat Yes, but I can see why people bring it up for IndieAuth. Especially when you ask implementors to move away from e.g. login with Facebook. j12t joined the channel
# 15:35 sknebel aaronpk: is Web sign-in now everything that uses your own url or specifically RelMeAuth? if the first, I'd restructure the page to clearly present that it's the concept name behind differnet things # 15:36 Zegnat I would like to edit “web sign-in” to broadly mean signing in with your own URL. But sknebel is right that my use might be wrong. # 15:37 Zegnat We still need cleanups of the endpoint pages, and possibly a proper write-up of the technical spec. But this should at least get people started understanding IndieAuth-the-protocol and get rid of IndieAuth.com-the-service contamination of the page. # 15:37 Zegnat tantek, I would be super grateful if you reviewed the new page too! # 15:37 tantek did you come up with a new name for th service? # 15:38 sknebel Zegnat: I'd add a one sentence explanation to "set up using IndieAuth.com" what indieauth.com is # 15:38 aaronpk no this is just fixing up how the wiki pages refer to the protocol and spec # 15:39 aaronpk right now the microformats wiki is treating "web sign-in" specifically as RelMeAuth # 15:39 Zegnat tantek, no, the mf says you need to be set-up for it using rel="me" # 15:39 sknebel tantek: but the next part of the site clearly only describes RelMeAuth # 15:39 tantek aaronpk it's user feature vs plumbing distinction # 15:39 Zegnat another reason why I was cleaning up the /IndieAuth page: it now no longer mentions rel-me (I think) # 15:39 aaronpk tantek: is the intention that "web sign-in" is the user feature name for RelMeAuth? # 15:40 aaronpk or that it broadly means using your website as your identity # 15:40 tantek no, user-feature first, RelMeAuth was just the plumbing that implemented it # 15:40 tantek the point was to give a user-friendly name to something that is easy to implement # 15:40 aaronpk in other words, if I take away all the rel=me links from my website, but still support the indieauth authorization endpoint, and can sign in to the wiki and telegraph etc, does that mean I still support "web sign-in"? # 15:41 Zegnat in other words: is OpenID another example of “web sign-in”? # 15:42 tantek that's an even better question, and there are advantages to yes and no # 15:42 tantek OpenID has so much baggage (hard to setup, get working etc.) that it's better to *contrast* (say no) with OpenID # 15:43 tantek OTOH, to say, OpenID was an older plumbing technique for implementing Web Sign-in which has better techniques now, does a good job of generalizing beyond OpenID # 15:43 tantek OpenID advocates tried to get the same term used (marketed) for both the user-feature and the plumbing which was a mistake IMO # 15:44 sknebel Zegnat: see last edit to your page for what I meant with my note. feel free to revert if you disagree # 15:46 Zegnat sknebel, I dont really disagree. I was mostly trying to keep the how to’s as short as possible. Because that’s the feedback we have been getting. # 15:46 Zegnat But I don’t mind the extra explanation. I might try to shorten it though :) # 15:47 sknebel understandable, but someone going for the "as short as possible" then thinks IndieAuth is rel=me links # 15:47 Zegnat is also setting up D&D night, this was probably the worst timing to start this rewrite project # 15:47 Zegnat Very good point, sknebel! Didn’t think of that, because *I* know what IndieAuth is... # 15:47 tantek people look for the simplest explanation to get started # 15:50 Zegnat So if we accept the use of web sign-in; any other complaints with replacing the old page? # 15:51 sknebel I can take a shot at making the web-sign in page clearer later # 15:54 tantek so the current answer is no, OpenID is not a form of Web Sign-in because we have drawn a contrast # 15:55 Zegnat Yeah, that’s all fine tantek. The question was is “Web sign-in” was still the correct term, because the mf wiki seemed to describe it only with RelMeAuth. # 15:55 tantek the point of Web Sign-in was to provide a user-facing term for something simpler to use and implement than OpenID for users and developers # 15:56 tantek right, RelMeAuth is the plumbing that makes Web Sign-in easy to setup and implement # 15:56 sknebel if the term is a user-facing pattern, then I'd list RelMeAuth, IndieAuth and (discouraged) OpenID as ways of achieving it # 15:56 tantek OpenID is not because it is also a user-facing term, that's the problem # 15:57 tantek Another way to think of it would be to say IndieAuth is a way to implement RelMeAuth # 15:58 sknebel by that logic, IndieAuth also is a way to implement OpenID (afaik cweiske does that) # 15:58 tantek the fact that you can do other things does not negate that IndieAuth is a way to implement RelMeAuth # 15:58 aaronpk if you want to be able to say that then we need a new name for the protocol that extends OAuth 2.0 # 16:00 sknebel Zegnat: if "without refering to other specs and stuff" is the goal then LGTM # 16:02 Zegnat This is the “short how to to get people going”, which I would rather not clog up with information about how stuff works. sknebel. Just trying to make sure people don’t start thinking of rel-me as IndieAuth again. # 16:02 tantek don't include any non-required steps like that in the first How to # 16:03 tantek Zegnat - no that makes no sense when step 1 is add rel-me links # 16:03 sknebel then you only can log into sites that use IndieAuth.com # 16:03 tantek I think that distinction is only adding confusion # 16:03 sknebel since sites doing the IndieAuth protocol look for the authorization_endpoint first thing # 16:04 aaronpk adding the rel=me links means you can log in to any sites that implement RelMeAuth # 16:04 sknebel and don't necessarily do anything else if that isn't there # 16:04 Zegnat IndieAuth.com offers an authorization_endpoint based on RelMeAuth. It wraps RelMeAuth to become IndieAuth compatible. # 16:04 tantek so you don't burden every user with an extra step # 16:04 tantek otherwise you're making the same mistake (one of) that OpenID folks made # 16:04 tantek putting extra work on the user just to make the definitions cleaner / purer # 16:04 Zegnat If we don’t let them set the authorization_endpoint they can’t login to IndieAuth supporting websites :/ # 16:04 tantek zegnat: "don't let them" !== "don't force them" # 16:04 Zegnat authorization_endpoint = *must* for IndieAuth sites # 16:05 tantek is kind of weary of the logical flaws in the discussions here # 16:05 sknebel nothing in the existing indieauth documentation says anything about falling back to a central service # 16:05 sknebel and none of the libraries I've looked at implementing it do that # 16:05 aaronpk nothing about IndieAuth the protocol should include falling back to a central service # 16:05 Zegnat Please don’t make IndieAuth centralised by hard-linking a protocol to a website! # 16:05 tantek otherwise, you end up with OpenID purity arguments -> worse experience for setup # 16:06 Zegnat The protocol CANNOT work without an endpoint declared by the user. # 16:06 tantek if you want to write technical protocol docs that's one thing # 16:06 tantek but if you're writing a "How to" on the indieweb.org, you prioritize UX # 16:07 aaronpk i am thinking that we're beyond the point of making "IndieAuth" refer to the protocol, because people think of it in relation to the rel=me links already # 16:07 tantek this is precisely why I rejected all the OpenID thinking / setup crap # 16:07 tantek and documented Web Sign-in and relmeauth as simple as possible # 16:07 tantek no I reject forcing users to do an unnecessary step # 16:07 tantek that's plumbing-centric/first thinking and it's wrong # 16:07 sknebel It is not unnecessary if we want to have an actually "indie" protocol without a central service # 16:08 tantek sknebel that's the kind of "purity" statement I'm talking about # 16:08 tantek aaronpk, the way is to start with user focus, always # 16:08 Zegnat IndieAuth has NOTHING to do with any rel="me". IndieAuth lets people specify an authentication endpoint they want to use. Possibly being their own website. # 16:08 tantek the protocol must support the simplest possible UX, not the other way around # 16:09 Zegnat Two completely different things. 100% different. If you want to support RelMeAuth and not IndieAuth, that is fine, tantek. But don’t merge them now. # 16:09 tantek Zegnat - the How to on the page you linked merges them # 16:09 Zegnat Yes, because the IndieAuth.com-service uses rel="me" to verify you own the site # 16:10 aaronpk that "how to" section is actually about indieauth.com so should be moved there # 16:10 tantek right, IndieAuth is using RelMeAuth - which is what I've been saying # 16:10 Zegnat No. IndieAuth.com-the-service. IndieAuth-the-protocol-that-the-wiki-page-is-about does not # 16:10 sknebel no, it doesn't. It shows the quickest way to get an IndieAuth endpoint on your site: by using the one provided by IndieAuth.com. which does RelMeAuth # 16:10 tantek sknebel: "quickest way" is how people will understand something # 16:11 tantek you have nearly zero chance of explaining that it's actually not the case # 16:11 sknebel tantek: which is why I just asked to clarify that section so this is clearer # 16:11 tantek as long it says add rel-me links, it will look and sound like RelMeAuth # 16:12 tantek right, that doesn't change the problem noted above # 16:12 sknebel (not that I necessarily agree, but it doesn't help the discussion) # 16:12 sknebel (one of the two should be renamed to make the distinction clearer, but I'm not sure renaming IndieAuth instead of Indieauth.com is better) # 16:13 aaronpk the more i talk to people the more i realize that "indieauth" is already cemented in relation to RelMeAuth # 16:13 tantek and keep IndieAuth as the full suite of what IndieWeb uses for signing in # 16:13 aaronpk so I am not opposed to calling the OAuth 2 extension spec something else # 16:14 tantek aaronpk: are you keeping track of that somewhere discoverable? # 16:14 tantek (i.e. gh issues are not discoverable for this because you have to know where to look) # 16:18 sknebel hm. My impression from HWC was that if you make the distinction clear from the beginning (which really would be helped by renaming one of them) it's not an issue # 16:19 aaronpk too bad webauth .com .net and .org are already taken # 16:19 tantek anything with "Auth" in it should not be user-facing, that should be obvious # 16:19 sknebel if a "less indie" name helps publishing it as a spec, I guess rename the spec, although it'll take ages to update all the documention of all the software using it, rename the libraries and plugins, ... # 16:19 tantek so IndieAuth is a fine name for the protocol, except that in practice people already conflate it with incorporating RelMeAuth # 16:20 tantek (because that's how 99% of people use IndieAuth, via RelMeAuth and IndieAuth.com-the-service) # 16:20 tantek Zegnat, that doesn't really help, that's the point of the discussion above! # 16:21 Zegnat Why would that not help? The entire page details exactly how the OAuth extension protocol works. # 16:21 Zegnat And now the howto of indieauth.com makes more sense, as it is clear we do not talk about indieauth-the-rel-me-thing # 16:22 Zegnat If we want to use the term IndieAuth for something else now, we can write a different page for that # 16:22 sknebel Zegnat: we still have an entire ecosystem bound to the name, so not quite ;) # 16:22 tantek exactly, you don't get to singularly make such a decision # 16:22 tantek you have to look at how existing use has already evolved # 16:24 Zegnat Sure, but that’s a *different* rewrite of /IndieAuth then. This page I wrote today is specifically about the protocol. # 16:26 sknebel I guess the key question from me about a rename of the protocol would be a) how do we transition all the existing references to it and b) how do we prevent getting the same confusion under a new name? Because if we don't do that, and sticking with the name and slowly trying to reduce the confusion is just as good # 16:27 tantek I'm saying you don't get to rename anything related to IndieAuth singularly - you're going to have to document how people interpret what, document some alternatives, and make it a longer discussion that will hopefully resolve over time # 16:27 tantek if there was a quick fix, aaronpk would have done it ages ago # 16:27 tantek sknebel: distilling key questions is good. writing them on the wiki is even better to at least capture current state of understanding # 16:28 tantek unlikely to get resolved today or when people are still keeping this chat in their head # 16:31 Zegnat Either people have been doing it correctly, using IndieAuth as a name for the protocol (almost nobody did that apart from a handfull of implementers), or used IndieAuth as a catch-all term for logging in through IndieAuth.com (almost everyone did this). The solution seems to me to rename the protocol (as aaronpk came up with) and possible redirect # 16:31 Zegnat But I am off to kill some monsters in D&D now :) # 16:33 tantek sknebel, Zegnat, better to capture the nature of all this confusion somewhere on /IndieAuth#Issues that attempt to fix it all in one chat # 16:33 tantek not going to happen in one day/night. this will take iteration over several days (if not weeks) # 16:36 sknebel I honestly thought after Nuremberg (where aaronpk and sebsel started reworking pages, and aaron talked about renaming IndieAuth.com to lessen this confusion) the goal was clear (otherwise I wouldn't have asked about reworking the pages) # 16:36 sknebel but apparently that's suddenly not the case anymore # 16:37 sknebel (Nuremberg not necessarily being a fixed date, but the place I where I heard about it) # 16:38 sebsel yeah, tantek, we have been doing this rename since Nuremberg. So it's not a one-chat thing. But sure, it needs time. # 16:38 sebsel And aaronpk was thinking about the rename before that even. # 16:38 tantek sebsel, point being, capturing the iterations on the wiki is necessary, otherwise it will appear to be a series of disconnected one-chat things # 16:39 tantek so unless you can point to where that is happening on the wiki (the capturing of the discussion on an ongoing basis), then very little actual progress will be made # 16:48 jjuran But I don’t read that as “log us in”. My brain tries to read “logus” as a blend of “Logan” and “lotus” and gets confused. # 16:49 sebsel That's where the discussion keeps going: someone (myself included) who suggests a new name based on what domains are free. # 16:49 sebsel But I agree with tantek that that does not bring us much further. # 16:50 sebsel 'How it works' was added by me in the IndieWebWeek train :o # 16:50 sebsel That's already an attempt to steer to IndieAuth-the-protocol for that page. # 16:52 jjuran IIUC, consensus is that protocol and service require separate names. Tantek says users shouldn’t see “auth” in the name, so IndieAuth can be the protocol name and the service needs a new name, and hence a new domain name. # 17:08 Zegnat aaronpk how much are you leaning towards renaming the protocol/oauth-extension? Maybe worth adding a note about that? # 17:09 Zegnat That would make clear wether we want to steer the IndieAuth name towards the protocol or not. # 17:09 sebsel Do we need a separate discussion page for this matter? [miklb] joined the channel
# 17:12 aaronpk if the spec isn't called IndieAuth, and indieauth.com gets renamed, then what exactly is IndieAuth? # 17:13 jjuran Anyway, I see “web sign-in” is already being used. It might be a good idea to grab the domain names. # 17:14 sebsel Where he says: I don't want to be Aaron Parecki on Facebook and Aaron Parecki on Twitter, I just want to be Aaron Parecki # 17:14 Zegnat IndieAuth could become either a generic term, e.g. synonymous for web sign-in, or we “deprecate” it? # 17:15 sebsel And it describes the flow you can have with IndieAuth.com # 17:15 jjuran aaronpk: Yeah, I did a Show Changes and saw your new edits in the “before” side, and had to redo mine. :-/ # 17:17 aaronpk the description of that looks like it's about just indieauth.com the relmeauth wrapper # 17:17 aaronpk sebsel: did you find my slides from that? I found the original ppt file # 17:18 Loqi From OAuth to IndieAuth: Own your online identity # 17:20 aaronpk nice, i updated the opensourcebridge page to link to that # 17:20 Zegnat aaronpk, I didn’t check the talks yet :/ The articles section I moved to … RelMeAuth I think, as they seemed to all be about that # 17:20 Zegnat IndieAuth might even (almost) be treated as a synonym not for web sign-in but for RelMeAuth :/ # 17:21 aaronpk whee and updated my post to include the description and audio file # 17:22 sebsel if you define IndieAuth as 'the thing that IndieAuth.com does', than IndieAuth is both the OAuth extention and RelMeAuth, and it's a great idea and service, but very hard to decentralize. [chrisaldrich] joined the channel
# 17:30 aaronpk that looks like it's describing the indieauth.com API # 17:31 Zegnat indieauth.com/auth is still an IndieAuth-the-protocol authorization-endpoint. So that slide seems right. j12t joined the channel
# 17:58 sl007 Zegnat : The IndieAuth Poster is ready. How about a short url "ia" for now, similar to the other posters, so we can redirect ... # 17:59 Zegnat I am not sure linking to the wiki page helps people a lot, sl007. Read back today’s chat. Not sure what to do. # 18:01 sl007 This is why I asked allthough gave up in the middle ;) Same here. # 18:02 Zegnat You might want to focus on “Web sign-in” instead. As that isn’t changing any time soon: logging in by simply entering your URL # 18:08 Zegnat Oh, yeah, RelMeAuth is definitely well established # 18:11 sknebel still true that it sounds fairly generic, and there didn't really seem to be consensus what exactly falls under the term # 18:14 Zegnat RelMeAuth then, as a building block, would be good. # 18:15 sebsel Nice thing about taking RelMeAuth is that, if you describe what IndieAuth.com does, the poster itself doesn't need to change much ;) # 18:21 aaronpk definitely those two pages should be consolidated hehe # 18:25 tantek wait what there are two capitalizations on the wiki?!? # 18:27 sknebel what to move the second one to? themattharris-relmeauth? # 18:27 Zegnat Ran into that today when reading up on all the auth stuff we have # 18:27 tantek yes the library should include the lang like that # 18:30 aaronpk Oh I didn't realize one was about the library lol sl007 joined the channel
# 19:06 tantek aaronpk, looks like a running theme for you ;) # 19:09 aaronpk i don't think people are confused about whether the webmention spec is tied to webmention.io # 19:12 tantek fewer people use webmention.io than use indieauth to sign into the indieweb wiki # 19:12 aaronpk also if you use it it's because you've found it and signed up # 19:12 aaronpk which is different from indieauth.com which you might use when you're signing in to a site you stumble across # 19:13 tantek both of those are worth mentioning on that issue 78! strugee, [miklb], tantek and tbbrown joined the channel
# 20:40 tantek yeah I think we need to bring back !block at least for admins/leaders # 20:40 tantek for telling Loqi to stop showing things from certain accounts # 20:40 tantek and to unlink any old @-references to those accounts # 20:40 aaronpk unfortunately those two things are in totally different places # 20:42 tantek is kinda relieved Loqi is not monolithic and unified. yet. tbbrown, tantek, dougbeal|mb1 and [miklb] joined the channel
# 23:33 tantek IndieWebCamp kit is a small minimum set of supplies that help to run an [[IndieWebCamp ]] such as large sticky notes and Hello My Name Is name badges.
Zegnat https://indieweb.org/User:Vanderven.se_martijn/IndieAuth - could I get some eyes on this? aaronpk, sknebel? Would be really sweet to get /IndieAuth cleaned up as our focus on /building_blocks is growing throughout our events.
Loqi sebsel: sl007 left you a message 5 days, 4 hours ago: - if you want, https://indieweb.org/2017/Dortmund/Guest_List - let's add the tent emojis then …
aaronpk Zegnat: there's also https://indieweb.org/Category:IndieAuth
tantek Zegnat, I'm confused by "would like to edit “web sign-in” to broadly mean signing in with your own URL" - http://microformats.org/wiki/web_sign-in already does that
sknebel I guess the key question from me about a rename of the protocol would be a) how do we transition all the existing references to it and b) how do we prevent getting the same confusion under a new name? Because if we don't do that, and sticking with the name and slowly trying to reduce the confusion is just as good
sebsel listens to one of aaronpk's talks on /IndieAuth http://opensourcebridge.org/sessions/856
sl007 Zegnat : That is a very generic name that nobody is used to (?). The term is used by many commercial services. E. g. https://wob.deutsche-bank.de/trxm/help/pu_help_log_websign.html - there are good proposals in https://github.com/aaronpk/IndieAuth.com/issues/138