#GWG[pfefferle]: When you put in notiz.blog, it searches the user table of pfefferle.org and tries to find a user account with the user_url of notiz.blog.
#GWGI have a discover_endpoint function. I just have to call it.
#[pfefferle]hmmm, but the service might be configured so that the redirect URL does not have the headers…
#GWG[pfefferle]: I'm just going to pass it into the function.
#aaronpkheh gotta switch back to non-safe get and sslverify=false :(
#GWGI basically am going to pass through an array. I figure if I have more than 3 arguments, I should pass an array.
#[pfefferle]but then it’s hareder to verify the params…
#aaronpkwhoops now I just get "Fatal error: Uncaught ArgumentCountError: Too few arguments to function add_action(), 1 passed" on the sign-in screen before doing anything
#[pfefferle]the fastest way is to make a deiscovery on the redirect URL
#[pfefferle]the best way is to store it in the session, as [aaronpk] mentioned
#GWGThere is no redirect URL. When you have an OAuth Bearer Token, and you send it to pfefferle.org, how is pfefferle.org supposed to know by the token which endpoint to verify it against?
#aaronpkthe only thing that should be verifying access tokens is the thing that issues them
#GWGSo, we're back to a confusion on my part here.
#aaronpkso if the micropub endpoint is configured to use tokens.indieauth.com to issue tokens, then that is the only place it will send them to verify them
#GWGIt is only the authorization endpoint I have to fix, not the token endpoint verification
#aaronpkalso i'm still confused about why pfefferle's two sites are talking to each other in a version of this flow that involves tokens
#[pfefferle]I am not sure if I use the correct wordings
#aaronpkthat situation is very confusing for me to follow, it's easier for me to think about if i'm using my wordpress site tiny.xyz.dev and my not-wordpress-site and primary identity aaronparecki.com
#aaronpkso if I want to log in to quill to post to tiny.xyz.dev, it's tiny.xyz.dev that will issue the token to quill
#aaronpkhow I authenticate at tiny.xyz.dev has nothing to do with quill and doesn't involve access tokens.
#GWGaaronpk: If you are confused, then I am confused.
#GWGaaronpk: He wants to use one site to authorize the other.
#[pfefferle]ok… but why does “verify_access_token” verify against a local endpoint
#aaronpkyeah looks like the cookie is not being set
#aaronpkalso i'm gonna have to double check whether it's considered safe to store the authorization endpoint in a cookie. my inclination is that should be stored server-side or in a signed cookie so the client can't tamper with it.
#[pfefferle]should I add a quick and dirty way to the merge request?
#[pfefferle]GWG might beautify it when he finished eating