2018-04-08 UTC
Taleth, tantek, [snarfed], [miklb], j12t, sebsel, [joewillmott], [kevinmarks], [cleverdevil], spaceoyster, kaushalmodi, [kaushal_modi] and [pfefferle] joined the channel
# 19:19 GWG I'm still not 100% sure about this though.
# 19:19 GWG But, I still think I may be confused.
# 19:19 [pfefferle] you have to verify the tokens always from the other page, but the code tries to verify with the local endpoint
# 19:20 GWG [pfefferle]: Let me repeat this so I am sure I understand.
# 19:20 GWG You want to log into pfefferle.org with the authorization and token endpoint from notiz.blog?
# 19:21 [pfefferle] but pfefferle.org tries to verify the tokens with the endpoint of pfefferle.org and that can’t work
# 19:21 GWG Then, on pfefferle.org, you set the configuration to use the authorization and token endpoint from notiz.blog?
# 19:22 GWG I think I was wrong about it being an issue, though I still should add an option.
# 19:22 GWG [pfefferle]: When you put in notiz.blog, it searches the user table of pfefferle.org and tries to find a user account with the user_url of notiz.blog.
# 19:23 [pfefferle] but the code blocks before that, because the verification is not working
# 19:23 GWG I'm walking myself through this in the code.
# 19:23 GWG So, it reaches out to notiz.blog and discovers the endpoints and tries to use them.
# 19:23 GWG But then pfefferle.org uses the configuration option instead of what it discovered.
# 19:24 [pfefferle] so it tries to verify the token of notiz.blog with the local endpoint
j12t joined the channel
# 19:24 aaronpk I should be able to replicate this by trying to sign in to my wordpress site using aaronparecki.com's auth endpoint
# 19:25 aaronpk ah I get "Cannot use object of type WP_OAuth_Response as array"
# 19:26 GWG I have a discover_endpoint function. I just have to call it.
# 19:27 [pfefferle] hmmm, but the service might be configured so that the redirect URL does not have the headers…
# 19:27 GWG [pfefferle]: I'm just going to pass it into the function.
# 19:28 aaronpk heh gotta switch back to non-safe get and sslverify=false :(
# 19:28 GWG I basically am going to pass through an array. I figure if I have more than 3 arguments, I should pass an array.
# 19:30 aaronpk whoops now I just get "Fatal error: Uncaught ArgumentCountError: Too few arguments to function add_action(), 1 passed" on the sign-in screen before doing anything
# 19:31 GWG [pfefferle]: I intend to verify them.
# 19:33 aaronpk deleted the add_action line and now I am getting the invalid authorization code error
# 19:34 aaronpk okay yeah it's trying to verify the auth code itself rather than checking the site of the person logging in
# 19:36 [pfefferle] aaaahhhh, and now I see the submit button and the help messages 😄
# 19:46 GWG [pfefferle]: It should now do endpoint discovery.
# 19:51 aaronpk I don't see where you actually discover the endpoint again
# 19:52 GWG aaronpk: When the token is requested, it discovers the endpoint. L138 of the token-endpoint class
# 19:52 aaronpk (also the better solution is to store the endpoint in the session when you start to avoid needing to look it up again)
# 19:52 aaronpk there should be no token endpoint involved in this flow
# 19:53 GWG This is the authorization or the authentication flow?
# 19:53 aaronpk I'm using the "sign in with your domain" form so it's authentication
# 19:58 GWG aaronpk: What is the error code for no endpoint found?
# 20:02 aaronpk hm, I don't think that's part of the error set in the spec
# 20:02 GWG When verifying an access token, how does it know what token endpoint to use?
# 20:03 [pfefferle] the best way is to store it in the session, as [aaronpk] mentioned
# 20:03 GWG There is no redirect URL. When you have an OAuth Bearer Token, and you send it to pfefferle.org, how is pfefferle.org supposed to know by the token which endpoint to verify it against?
# 20:03 aaronpk the only thing that should be verifying access tokens is the thing that issues them
# 20:03 GWG So, we're back to a confusion on my part here.
# 20:04 GWG You send a request to a Micropub endpoint using a token.
tantek joined the channel
# 20:04 GWG I never considered this case before
# 20:06 GWG The initial Indieauth exchange might have been days ago.
# 20:06 GWG I'm definitely missing something here.
# 20:07 GWG For verifying the authorization code, you can discover the endpoint.
# 20:07 GWG For the access token, I have no idea how.
# 20:08 GWG I'm missing something obvious here, I fear.
# 20:08 GWG Let's say I used 'Gimme a Token'.
# 20:08 GWG So, I'm not in the same session when I make my micropub request.
# 20:09 GWG I am just sending a request in with an OAuth Bearer Token
# 20:09 sknebel ok, but gimme-a-token gets the token from your wordpress site
# 20:09 sknebel then it can just look up the token in the database of valid tokens?
# 20:10 aaronpk it is expected that the micropub endpoint and token endpoint are tightly coupled
# 20:10 GWG So, my original code is correct on that
# 20:10 GWG It has to be the one set in options for the token endpoint.
# 20:10 aaronpk which means any tokens the micropub endpoint will accept will only be ones that its own token endpoint has issued
# 20:10 aaronpk you won't be in a situation where you're expected to send the token elsewhere to verify it
# 20:11 aaronpk so if the micropub endpoint is configured to use tokens.indieauth.com to issue tokens, then that is the only place it will send them to verify them
# 20:11 GWG So, [pfefferle], you did confuse me
# 20:12 GWG It is only the authorization endpoint I have to fix, not the token endpoint verification
# 20:12 aaronpk also i'm still confused about why pfefferle's two sites are talking to each other in a version of this flow that involves tokens
# 20:13 aaronpk that situation is very confusing for me to follow, it's easier for me to think about if i'm using my wordpress site tiny.xyz.dev and my not-wordpress-site and primary identity aaronparecki.com
# 20:13 aaronpk so if I want to log in to quill to post to tiny.xyz.dev, it's tiny.xyz.dev that will issue the token to quill
# 20:14 aaronpk how I authenticate at tiny.xyz.dev has nothing to do with quill and doesn't involve access tokens.
# 20:14 GWG aaronpk: If you are confused, then I am confused.
# 20:14 GWG aaronpk: He wants to use one site to authorize the other.
# 20:14 [pfefferle] ok… but why does “verify_access_token” verify against a local endpoint
# 20:15 GWG [pfefferle]: Because how could it not?
# 20:15 GWG You are letting people into that site?
# 20:16 aaronpk ideally it should be looking up the token in the database, but yes it can make an HTTP call to itself as an alternative
# 20:17 aaronpk actually GWG now that you've got the new settings screen there's a better option here
# 20:17 aaronpk "built-in token endpoint" as a radio button means you can store that information and avoid the http request to verify the token
# 20:18 aaronpk since now you know that it is using the built-in token endpoint
# 20:18 GWG But I think I may save that for 2.1
# 20:18 GWG I'd like to figure out the current problem first
# 20:18 aaronpk so if that option is set, look up the token in the DB to verify it
# 20:18 aaronpk okay well the current problem shouldn't have anything to do with access tokens
# 20:19 GWG But I think we should figure out [pfefferle]'s problem before pushing this to wordpress.org
# 20:19 [pfefferle] sorry, but calling a local API confused me and then I seemed to mix up things
# 20:19 aaronpk yes, considering web-sign-in is broken right now :)
# 20:19 aaronpk I found another problem, which is related, and might help you figure this out
# 20:19 GWG aaronpk: I tested it, but only to sign into itself, which is not a good test.
# 20:20 aaronpk it appears it's not verifying the state parameter right now?
# 20:20 GWG aaronpk: Yes. I meant, that function.
# 20:21 GWG I'm going to go eat something, as I haven't eaten in 6 hours.
# 20:21 GWG I think after a full stomach, I may be better equipped to figure this out.
sebsel joined the channel
# 20:23 GWG I am going to install it on a second site to recreate the issue.
# 20:25 aaronpk hm looks like errors aren't being returned or shown properly
# 20:25 aaronpk it redirects back to the login screen but it should be showing me the "indieauth_invalid_url" error
# 20:30 aaronpk I take it back, it does verify the state parameter 👍
# 20:32 aaronpk what's the Wordpress Way to store stuff in the session?
# 20:34 [pfefferle] [aaronpk] GWG is storing it in the cookie, using the default PHP methods
# 20:37 aaronpk ok, I switched that to read from a cookie I set, but somehow it's getting overridden
# 20:38 aaronpk is it possible to set a cookie when also sending an HTTP redirect?
# 20:42 aaronpk also I'm gonna have to double check whether it's considered safe to store the authorization endpoint in a cookie. My inclination is that it should be stored server-side or in a signed cookie so the client can't tamper with it.
# 20:47 GWG I haven't even started eating yet
# 20:48 GWG But I appreciate us getting this off the ground
# 20:49 [pfefferle] set a cookie with the endpoint, the first time the endpoint is discovered… and then use the session value
# 20:51 [pfefferle] sorry for the confusion… have to dig deeper into the code at some time…
# 20:53 [pfefferle] perhaps we should move the whole token stuff into a separate class (perhaps class-indieauth-authorisation.php)… to lower confusion…
# 20:54 [pfefferle] and to remove the local http-calls in favor of db-request… to also lower confusion 😉
# 21:24 GWG I will look after food. Just ordered
# 21:35 GWG pfefferle, merge and then refactor?
# 22:13 GWG Okay, if you review, I will merge and brainstorm refactoring.
tantek joined the channel