#social 2016-06-27

2016-06-27 UTC
shepazu and jasnell joined the channel
#
cwebber2
aaronpk: around?
#
cwebber2
I'd like to ask you some questions about indieauth
#
cwebber2
aaronpk: so indieauth is... a standard or an implementation?
#
cwebber2
I thought, at one point, we talked about it like it was a standard
#
cwebber2
but now it looks to me like it's an implementation combining oauth 2.0, web sign-in, and rel-me auth?
#
cwebber2
is that right?
#
ben_thatmust
it's sort of both
#
ben_thatmust
right?
#
aaronpk
indieauth.com is a service
#
aaronpk
IndieAuth is a protocol
#
aaronpk
i never should have named it indieauth.com but here we are
#
cwebber2
aaronpk: heh, ok :)
#
aaronpk
indieauth.com is also two different services
#
ben_thatmustbeme
just to confuse things more
#
aaronpk
one for app developers, one for users
#
cwebber2
aaronpk: I'm trying to find the indieauth spec, and not really finding it. https://indiewebcamp.com/indieauth-for-login that's not it, is it?
#
aaronpk
there isn't actually a complete spec document really, there are just many tutorials/walkthroughs of the various flows
#
aaronpk
everything is ultimately linked from here http://indiewebcamp.com/Category:IndieAuth
#
cwebber2
aaronpk: ah, I see..
#
aaronpk
depending on whether you're using IndieAuth for identity or authorization, you'll read https://indiewebcamp.com/indieauth-for-login or http://indiewebcamp.com/obtaining-an-access-token
#
aaronpk
you probably want the latter
#
cwebber2
aaronpk: another question, does this mean that since micropub has indieauth as a SHOULD that it needs it to go through the same process that microformats / etc had as in terms of a "stable" living spec?
#
cwebber2
we talked about maybe using the same workflow, and I'm trying to iron out this part of APub/ASub, so I'm looking into what that means
#
cwebber2
or is it not required because it's SHOULD rather than MUST?
#
aaronpk
i can't remember actually... ping sandro?
#
cwebber2
it certainly seems like it would be a good idea for it to have a more stable specification if it's going to fill such a large gap of our specs
#
aaronpk
agreed
#
aaronpk
it's been on my todo list forever
#
cwebber2
aaronpk: thanks for the help
#
cwebber2
I'm reading the docs
#
cwebber2
aaronpk: these docs seem a bit optimized around assuming that the client is a web application also, right?
#
cwebber2
might be worth adding a section for "mobile" applications, etc, where there isn't a redirect uri
#
aaronpk
at that point it's just oauth2
#
aaronpk
there can still be a redirect URI with mobile applications
#
cwebber2
hm, there can?
#
cwebber2
aaronpk: do you have an example?
#
aaronpk
on ios it's done with a custom scheme (myapp://auth), on android the app can register to be launched by any URL pattern
#
cwebber2
aaronpk: thanks!
#
aaronpk
there's a new iOS api that lets you open an embedded browser that still shows the address bar and the app doesn't have access to the data, so you can do OAuth without having the user switch apps. i don't have an example of that yet tho.
#
aaronpk
but ultimately for those kinds of questions, the answers that OAuth2 provide should apply here as well
#
cwebber2
aaronpk: yeah unfortunately we also have a lot of gnu/linux distro desktop users, so the fragmented means of handling this on mobile stuff and lack of real standards for this doesn't solve it, so! guess I'll have to see how oauth2.0 handles it
#
cwebber2
aaronpk: I'm still pretty green to diving into the world of oauth 2 (and I only briefly dipped my toe in oauth 1, tsyesika did most of that work) so I'm finding myself overwhelmed
#
aaronpk
there's also a "device flow" for OAuth 2 which is meant for logging in to devices that don't have a full browser, like TVs or other hardware
#
cwebber2
aaronpk: aha, ok, thanks
#
aaronpk
you've probably seen that if you've logged in to a cable service provider on an apple tv
#
aaronpk
i would actually look at how other desktop apps do it though
#
aaronpk
if that's your use case
#
cwebber2
aaronpk: yeah, well it's one use case!
#
cwebber2
aaronpk: thanks
#
aaronpk
i've seen some desktop apps do what appears to be the normal oauth flow, but instead of automatically redirecting after the user signs in in a browser, they just say "close the browser and return to the app" and the app has a "continue" button, pressing "continue" is essentially the redirect
#
aaronpk
so basically the normal web app flow, but a manual click instead of automatic redirect.
#
cwebber2
aaronpk: the not super pleasant way that the desktop pump.io applications did things was to have the user copy and paste back in the token
#
cwebber2
which is clearly not nice.
#
aaronpk
yeah i've seen that too. definitely not a good flow.
#
aaronpk
er sorry, s/normal web app flow/device auth flow/
#
aaronpk
actually i guess that's different. nevermind.
shepazu joined the channel