#social 2018-04-02

2018-04-02 UTC
eprodrom_, eprodro18, eprodrom, fr33domlover, timbl, JanKusanagi, xmpp-social, Guest84 and KjetilK joined the channel
#
@rektide
↩️ There's Linked Data Notifications (https://www.w3.org/TR/ldn/) which would be really great too, better imo. Still doable. But things go really off the map if you want to support my favorite, Generic Event Delivery via HTTP2 aka Web Push Protocol (https://tools.ietf.org/html/rfc8030).
(twitter.com/_/status/980815369714708485)
#
cwebber2
eprodrom: someone named Joshua Branson might contact you... they're working on implementing an ActivityPub dating system :)
#
ajordan
!!!!!!!
#
eprodrom
good for them
#
cwebber2
eprodrom: I pointed them to your slides
#
eprodrom
cool
fr33domlover, eprodrom_, eprodrom and joshuaBPMan joined the channel
#
joshuaBPMan
waves hello
eprodrom joined the channel
#
@downey
↩️ I'm sure @dustyweb would appreciate your help (or that of anyone else) in working on standards, e.g. https://www.w3.org/TR/activitypub/
(twitter.com/_/status/980862053312118784)
eprodrom_, eprodrom, eprodro67, rektide and downey joined the channel
#
@im_dario
↩️ After reading the ActivityPub specification [0], whose version 1.0 came out recently but which has been under construction for three years by big names in web standards, I have to say we already have the foundation. There's no need to reinvent the wheel. 0: https://www.w3.org/TR/activitypub/
(twitter.com/_/status/980878493042003968)
eprodrom_, eprodrom and evanp joined the channel
#
evanp
aaronpk: are you around?
#
aaronpk
yes hi
#
evanp
Cool!
#
evanp
So, I want to put an issue for discussion on the next cg meeting
#
evanp
Which is about OAuth 2.0 scopes for ActivityPub
#
evanp
Yeah
#
evanp
but also scary
#
evanp
Do you have a couple of minutes to chat about it?
#
evanp
For pump.io, we don't use scopes
#
evanp
So it's all-or-nothing
#
evanp
Which is pretty scary for people
#
evanp
We have ~3-4 profiles of applications for pump.io
#
evanp
1) Mobile or Web client. Read all your feeds, post new stuff, change the social graph, all that jazz. Pretty much your main client.
#
evanp
2) Bridges. Typically they push your content from pump.io into another network.
#
evanp
3) pump.io peers. These are other sites running pump.io. You can log in with your account from *your* pump.io site, and then interact with the other pump.io site like it was your own. Like things, comment on things, share them, follow people, etc.
#
evanp
4) Rando apps. There are a couple of games, browser utilities to like or share stuff on the web, etc.
#
evanp
A typical thing that people say, when they're talking about using OAuth on pump.io, is that they might be OK with letting, say, a peer site post comments in reply to stuff on that server, but not on ANYTHING
#
evanp
Which I think is the whole point of scopes
#
evanp
I think a coarse scope division -- read vs. write, say -- might be too wide-ranging for this kind of app
#
evanp
So I see two ways we could do scopes
#
aaronpk
I'm a little confused about #3 there
#
evanp
OK
eprodrom joined the channel
#
aaronpk
if you're logging in to someone else's site, that doesn't really involve granting that site permissions on your site right?
#
evanp
Well
#
evanp
It does, because you're doing things like "liking" things on that site
#
evanp
So those likes go back to your own site
#
aaronpk
ah, how do they get back to your site?
#
evanp
Hmm
eprodrom_ joined the channel
#
evanp
Pronoun problem there
#
evanp
Could you be more specific with "they" and "your"
#
aaronpk
okay I am site A, and I log in to site B to like a post somewhere on B.
#
aaronpk
when I take that action on B, how does my site A find out about the like?
#
evanp
The server on site B uses the API on site A to create a "like" action
#
aaronpk
aha okay
#
aaronpk
so it's acting as a client in that sense
#
evanp
Yes exactly
#
aaronpk
gotcha
#
evanp
A user on Site A could go to the profile page of someone on Site B and click the "Follow" button, and the right thing will happen
#
aaronpk
yeah i wouldn't want to grant that site permissions to do arbitrary things on my site
#
evanp
Yeah, unfortunately that's the way it works now
#
evanp
I know right
#
fr33domlover
evanp, what if site B didn't send the Like, and instead, using browser JS, your browser sent it directly to site A?
#
evanp
fr33domlover: that's a great what if, but I'm not asking about redesigning this system to use the browser
#
aaronpk
so you're looking for ways to limit what clients can do so it can keep working that way?
#
evanp
aaronpk: yes, I'm thinking about it like this
#
evanp
First, let's take read-only access. There are a few things you might want to do at a fine-grained level:
#
evanp
1. Know my identity (authentication only)
#
evanp
2. Read my profile
#
evanp
3. Read my outbox (activities I've done)
#
evanp
4. Read my inbox (activities by people I follow)
#
evanp
5. Read my social graph (following, followers, lists)
#
evanp
I think there are probably good arguments to do those fine-grained or coarse-grained (READ_ALL_MY_STUFF)
#
evanp
For the write-access, it basically comes down to posting activities
#
evanp
As you might remember, in ActivityPub, AS2 activities have a type ("Like", "Follow") and an object with an ID
#
evanp
So fine grained scopes might be
#
evanp
1. "Like" things with IDs like "https://othersite.example/*"
#
evanp
2. "Follow" things with IDs like "https://othersite.example/*"
#
evanp
3. "Create" new "Note" objects in reply to things with IDs like "https://othersite.example/*"
#
saranix
sounds like OCAP/caveats/macaroons
#
evanp
So, say, if othersite.example is another pump.io site, when I log in there, I can like and follow things and make comments (notes), but only for stuff that's there
#
aaronpk
that's probably a good limitation
#
aaronpk
I feel like you could also build in that limitation without using scopes
#
aaronpk
just as a part of the token that's issued to the site after authorizing
#
aaronpk
since you already will know what site the token is being issued to
Sveta joined the channel
#
evanp
OK, but like I said above, we have different kinds of apps
#
evanp
For example, there's an app for liking *anything* on the web
#
evanp
So it would want a scope like
#
evanp
1. "Like" things with IDs like "*"
#
aaronpk
right so *some* apps would get permissions to be able to like any post, so maybe that's the only scope defined for that
#
aaronpk
and by default the tokens are limited to interacting with posts on the server the token is issued to
#
evanp
Interesting
#
evanp
So we could do scopes like this:
#
evanp
1. Read anything.
#
aaronpk
this seems like it's going to mainly be a UI problem, letting the user know exactly what permissions the app will have after logging in
#
evanp
2. Make new activities, restricted to the client's site.
#
evanp
3. Make new activities, unrestricted.
#
evanp
That's pretty tight, and I think it covers the clients I talked about above
#
aaronpk
that's not bad
joshuaBPMan left the channel
#
evanp
I'm trying to think through my feelings as a user
#
evanp
Like, if I am logging into another site, am I OK with that site posting *any* kind of activity, as long as it's just about stuff on that site?
#
evanp
I kind of feel that I am
#
evanp
I think I might want more control for apps that work on any kind of objects across the Web
#
evanp
I might get queasy with letting them do *anything*, and want to restrict it by verb
#
evanp
activity type, I mean
#
aaronpk
I might want to limit the site to only posting likes and follows, and not posting replies
#
evanp
Right
jankusanagi_ joined the channel
#
evanp
I probably should go look at some of the scopes available on FB, Google+, Twitter
#
aaronpk
fair warning, FB is a beast
#
aaronpk
github went crazy with scopes too
#
evanp
Oh yeah?
#
evanp
Right, I remember that
#
aaronpk
twitter is read/write/dms
#
evanp
I find the scopes on GH really intimidating
#
aaronpk
yeah and super confusing with all the org permissions
#
evanp
Like, does this app need to set webhooks on my projects that I'm working on with W3C? Probably not.
#
evanp
I think there's also an anti-pattern in apps that over-ask for permissions because they *might* want to do that thing, and then they barf if you don't give them all the permissions they ask for
#
evanp
But anywho
#
evanp
Maybe we start with read, write-restricted-to-site, write-unrestricted
#
evanp
It covers a lot of territory pretty well
#
evanp
All right, this has been helpful
#
evanp
I'm going to write this up and put it on the agenda for the CG meeting next week
#
evanp
aaronpk: thanks for your help!
cwebber2 and bwn joined the channel; evanp left the channel