2019-11-01 UTC
[qubyte], [KevinMarks], maxwell, gRegorLove, [jgmac1106], [Lewis_Cowles], [fluffy], [jeremycherfas], IWSlackGateway, [rem], [LewisCowles] and [frank] joined the channel
# 14:36 [frank] My buddy Remkus de Vries is Manager of Partnerships at Yoast and WCEU organizer. He's there as well. If you find the time, it's good to connect with him. He's pro-indieweb and a friendly giant
[KevinMarks], [xavierroy], [Michael_Beckwit, [tantek] and [snarfed] joined the channel
gRegorLove and [LewisCowles] joined the channel
# 18:07 GWG I found David Wolfpaw, the individual who keeps giving Indieweb talks at WordCamps
[chrisbergr], [tantek], [Michael_Beckwit, [KevinMarks] and [dougbeal] joined the channel
# 20:13 GWG About to sit in on rest API and authentication
# 20:13 GWG Hopefully it reveals things I don't know. I read a lot about it when doing IndieAuth
[jgmac1106] and McLovinDiscord[m joined the channel
# 20:57 GWG I considered asking about IndieAuth
# 21:02 [Michael_Beckwit WP core loves their js
# 21:07 GWG Well, we'll see if I can chat more with the rest API guys on Sunday
[snarfed], Oclair and [KevinMarks] joined the channel
# 22:28 aaronpk IndieAuth is a way for apps to *get* tokens which might be JWTs
[tantek] joined the channel
# 23:23 GWG aaronpk: He was advocating against oauth2 in any form
[Michael_Beckwit joined the channel
# 23:24 [Michael_Beckwit he who, in this case?
# 23:25 [Michael_Beckwit Brian Richards?
# 23:26 [Michael_Beckwit or Jonny Harris?
# 23:31 aaronpk GWG: any links to public stuff he's written about this?
# 23:31 aaronpk This sounds like a terrible path to go down and I would like to shoot it down
# 23:32 GWG He's popped up on my radar before, but I also saw many rest api team members
# 23:32 GWG I may try to do something with them on Sunday
# 23:34 [Michael_Beckwit i've actually enjoyed working with oauth2
# 23:34 aaronpk Ooh he posted slides from his talk Jonny Harris @ WCUS 🇺🇸 (@thespacedmonkey) Tweeted:
# 23:40 aaronpk his "does not require SSL" feature seems to be used in places that do require SSL unless he is explaining things in person that are not on the slides
# 23:40 aaronpk also his conclusion "let's use JWTs instead of OAuth" is facepalm
# 23:40 [Michael_Beckwit my guess is everything from `slide 1` to `count( $slides )`
# 23:40 aaronpk what if I told you that you can use JWTs *and* OAuth
# 23:40 [Michael_Beckwit i have a feeling Aaron is thinking a counter blog post
# 23:41 aaronpk There's lots of randos on the internet that propose terrible authentication solutions and there isn't enough time to respond to them all
# 23:41 [Michael_Beckwit i dunno
# 23:42 aaronpk the question is whether this guy has any actual leverage in the project and also whether he is willing to accept other ideas and possibly change his mind
# 23:49 GWG aaronpk: I read your book and know you use jwt and oauth
# 23:49 [Michael_Beckwit what book? i wanna read a book
# 23:49 GWG [jgmac1106]: He had the rest team in the front row asking leading questions
[grantcodes] joined the channel
# 23:51 [grantcodes] I think it's also from a user flow side of things with the WordPress api, (although I'm no expert) if you use WordPress oauth you have to send the user to the WordPress login page - which looks pretty strange if you don't know you're using WordPress.
# 23:51 GWG Yes, but why should you not know that
# 23:51 aaronpk [grantcodes]: One of the things missing in his slides and in his conclusion is a description of how tokens get sent to apps
# 23:51 aaronpk like sure use JWTs but what is your plan to get those into apps?
# 23:51 [grantcodes] As well as not needing to provide auth for different services ala oauth.
# 23:52 aaronpk That application password plugin is basically OAuth but manual copy pasting tokens lol
# 23:52 [Michael_Beckwit be back later
# 23:54 [grantcodes] GWG: You wouldn't know if you're using a mobile app that uses the api + many more fairly common use cases
# 23:54 GWG aaronpk: I learned a lot from watching you in this case
# 23:58 aaronpk [grantcodes]: How are they gonna get their magic JWT token into the app? He kind of forgot to describe any actual workflow and is just like ooh shiny