#social 2018-03-18

2018-03-18 UTC
xmpp-social, cwebber, timbl, bwn and fr33domlover joined the channel
#
fr33domlover
Hello
#
fr33domlover
I'm writing a decentralized web application
#
fr33domlover
And I want to pick an authentication protocol(s)
#
fr33domlover
I'm looking for any advice :)
#
fr33domlover
It seems GNU Social and Pump.io use OAuth 1
#
aaronpk
welcome
#
fr33domlover
And the ActivityPub wiki says OAuth 2
#
fr33domlover
Thanks aaronpk
#
aaronpk
first, OAuth is not an authentication protocol :)
#
aaronpk
or rather, OAuth by itself is not an authentication protocol
#
fr33domlover
Ok sorry Idk the protocol details yet ^_^
#
fr33domlover
Thanks
#
aaronpk
OpenID Connect as well as IndieAuth are two authentication protocols built on top of OAuth 2.0
#
Loqi
[Aaron Parecki] IndieAuth
#
fr33domlover
aaronpk, basically what I'm looking for is: If user a@x wants to comment on a post made by user b@y how does server y know that the person who made the comment is really the owner of user a
#
fr33domlover
It shouldn't ask for the user's password
#
fr33domlover
Instead, it gets some token via server x
#
aaronpk
the approach activitypub/mastodon are taking is to use signatures to authenticate that content
#
fr33domlover
Are these details part of the spec though?
#
aaronpk
if you assume every comment has a URL then you can skip signatures and go fetch the comment from the URL itself
timbl joined the channel
#
fr33domlover
aaronpk, should I look into OAuth 1 or 2?
#
fr33domlover
I'm unsure which one would be best
#
fr33domlover
I read Wikipedia and other places and saw tons of issues about OAuth 2
#
aaronpk
OAuth might not actually be what you need for this, but if you do want to investigate that you should skip OAuth 1 since it has multiple problems that made everyone abandon it and create OAuth 2
#
fr33domlover
the people who wrote it quitting the team etc.
#
aaronpk
yeah that was some old drama, there are enough extensions on top of OAuth 2 now that it's at least as secure as, if not more secure than, OAuth 1 ever was
#
fr33domlover
Hmmmmm ok then
#
fr33domlover
I'll look at both and aim at 2
#
aaronpk
but again, it is likely that you don't need OAuth at all for this use case, so keep that in mind
#
fr33domlover
Yeah sure
#
fr33domlover
I just mean, GNU Social and Pump.io seem to need it
#
aaronpk
for authorizing apps to post to your account, absolutely
#
fr33domlover
And since my web app is similarly decentralized (well, hypothetically lol) I'm just guessing I'll need it too
#
puckipedia
I think I get what you want to do
#
puckipedia
you want user b@y to log in on server x to comment on a post by a@x?
#
fr33domlover
puckipedia, idk, I'm asking how it's done for activitypub/pump.io/etc.
#
fr33domlover
I mean theoretically there are many ways
#
puckipedia
so the way it's done in activitypub, user b only logs in on server y, and looks up the post by a@x on b's server
#
fr33domlover
yeah that's the way I want that
#
puckipedia
then, the fact that the reply was made, is sent authenticated by b@y's public key to @x
#
puckipedia
if you e.g. look at https://mastodon.social/users/Gargron.json you can see the `publicKey` property
#
fr33domlover
puckipedia, can you describe that process again please? If user a@x wants to make a comment on a post by user b@y, which requests are made exactly?
bwn joined the channel
#
fr33domlover
(if ActivityPub specifies these details, I'll just see them there and not bother you people with these questions ^_^)
#
puckipedia
it does, but I'll explain a bit:
#
puckipedia
fr33domlover: when a@x looks up the post, that post is requested by server x. Then, when the user places a comment, they create an object like this:
#
puckipedia
{"type": "Create", "id": "https://x.example.com/activity/123", "actor": "https://x.example.com/user/a", "object": {"type": "Note", "content": "this is now a reply", "id": "https://x.example.com/note/123", "to": "https://y.example.com/user/y", ..}, ...}
#
puckipedia
based on to/cc/etc (which I mostly omitted), the server of x looks up all the inboxes of everyone that should receive a notification about the message (like email)
#
fr33domlover
puckipedia, what does "look up the post" mean?
#
puckipedia
fr33domlover: just GET the id, in case the server doesn't know it exists yet
#
fr33domlover
what if it's a public post they see while browsing server y
#
puckipedia
you can e.g. copy the URL of the post and put it in, like, a search field
#
puckipedia
at the end, for each inbox, the server sends out a POST request (signed using HTTP signatures and the keypair of the user) containing that Create
#
fr33domlover
puckipedia, and does the reply get a canonical URL on server y after that?
#
puckipedia
it does not. the only official URL that the post is available at is on server x
#
puckipedia
of course, the server y might use an internal numbering scheme (mastodon has its own ID numbers for its client API)
#
fr33domlover
Hmmmm I'm confused
#
fr33domlover
Suppose user b@y made that post and I assume it's stored on server y
#
fr33domlover
And it has a public URL on server y
#
puckipedia
yes
#
fr33domlover
If you browse to server y,
#
fr33domlover
You can see the comments too I assume?
#
fr33domlover
Including the one made by user a@x
#
puckipedia
yes. The server y will store a local 'cache' of replies and posts by other servers, also to build a timeline for logged in users
#
fr33domlover
And does each such reply have a canonical URI? And is it on server y (because it's a reply on a post made by b@y) or server x (because it's made by a@x)?
#
puckipedia
the canonical URI for replies is on the server of the user it's made on
#
fr33domlover
Hmmm I see
#
fr33domlover
puckipedia, so basically all the content you make is kept on the server where your account is, even is semantically some of your content is a "reply" to other content from elsewhere or someone posted "to" some user or page or whatever on another server?
#
fr33domlover
*even if
#
puckipedia
yes
#
puckipedia
you can navigate mastodon for a bit to see this
#
fr33domlover
Ah yes I can see that
#
fr33domlover
puckipedia, aaronpk, I'm also wondering about Mastodon vs Pump.io vs ActivityPub - I'd really really like, if possible, for my web app to be able to federate with these apps
#
fr33domlover
What are the differences in their protocols?
#
puckipedia
activitypub is the protocol that mastodon uses, activitypub has been inspired by pump.io and there's work to add ActivityPub support into pump.io
#
fr33domlover
Thanks puckipedia
#
fr33domlover
I'll start reading :)
#
fr33domlover
puckipedia, if user a@x makes a post on the user page of b@y and then server x goes offline, can people still make replies on that post?
#
fr33domlover
I mean is the URL of the post enough to make replies, even if the domain in that URL doesn't exist anymore
dustyweb_ joined the channel
#
puckipedia
fr33domlover: answer is, usually? as long as the server the user replies from is aware the post exists
#
fr33domlover
puckipedia, hmmm how likely is it that the server is aware?
#
puckipedia
usually? quite
sknebel_ joined the channel
#
fr33domlover
puckipedia, nice!