@julian diving into the hard problems of building for the Fediverse at #Fedicon, starting with hilariously talking about what those hard problems look like to average users
-
@benpate @evan @thisismissem @julian @naturzukunft It's certainly helpful to have a way to know if you should show that button on the UI or not!
fentiger@mastodon.social benpate@mastodon.social exactly, we need some guarantee that the activity we POST to the outbox isn’t just unceremoniously dropped and an HTTP 200 returned.
NodeBB doesn’t support POSTing the outbox at the moment, but do you return a HTTP code for “not implemented”, currently.
-
@benpate @julian I'm not sure OWA is the way forward here; mainly it's a lightweight authentication-only alternative to OAuth, and for FEP-d8c2-style SSO the authorization part - issuing the access_token - is important.
FEP-61cf does describe the "zid" mechanism that can be used to avoid the user having to type their handle in; maybe this will be useful (though it's not without its downsides).
-
@benpate @evan @thisismissem @julian @naturzukunft all joking aside I think c2s requires emelia and Aaron's rfc on the OAuth side, and some equally complex discovery mechanism based on alternate AuthZ (presumably something based on certificate-ized Object Capabilities?) if we wanna stay composable and not-100%-dependent on oauth...
@by_caballero @benpate @thisismissem @julian @naturzukunft that's too hard. We have an API. It already works.
-
This is a good point, though I'm not clear how different servers would handle outbox requests for activities that they don't support. I'm pretty sure mine would just die.
My big concern with OAuth tokens is that they require me to give away write access to my Fediverse identity when I "like" or "reply" to something, which could easily be an attack vector.
We talked about scoping OAuth tokens, but it feels like a lot of moving parts. More details later
-
evan@cosocial.ca I’m not certain whether it’s too hard or not. At this point I haven’t looked into it yet.
But if there is a chance that we can use standardized endpoints for this, then it’s a point in their favour.
At the same time, I am a proponent of simplicity.
-
This sounds perfectly reasonable, and is probably the right thing to do.
Except I probably implemented ActivityPub wrong - using it as a protocol and not an architecture.
Database tables represent the things I understand, and are written out as “JSON-LD” when needed. So there’s no true “outbox”, except as links to the tables I care about
Again, this is an “it’s me, not you” situation, but I’ll bet others might be in the same boat.
-
benpate@mastodon.social said:
> Database tables represent the things I understand, and are written out as “JSON-LD” when needed. So there’s no true “outbox”, except as links to the tables I care about

I am pretty sure 85-90% of the fediverse developers do this
The remaining 10-15% complain loudly when the “JSON-LD” we send back doesn’t actually validate.
-
I honestly thought it was just me
-
I'm genuinely behind on this. I've skimmed Evan's FEP, but a lot of OAuth complexity is still opaque to me.
It seems like the missing piece with using the C2S API would be *figuring out* what endpoints I can call to initiate an activity.
Does FEP-d8c2 implement discovery in some way that I'm not seeing? Or, is this something *still to be defined* and I'm just jumping the gun, here?
@benpate @thisismissem @julian @naturzukunft I forgot to ask: have you ever implemented an OAuth client before? Or used a library for it?
-
evan@cosocial.ca yeah, I implemented maybe 20-30 of them for NodeBB. Everything eventually standardized around OIDC and so I have one single plugin in NodeBB that works almost all of the time.
So that’s my client, but I’m afraid of building a server. That one I haven’t done successfully.
-
I’m confused, sorry. In this context, I’m assuming you mean the ActivityPub C2S API (which I have not implemented)
But I thought we were talking about a future update to the C2S API, which I think would be amazing, but I also haven’t implemented because.. it’s in the future?
I have done tons of OAuth clients and servers, and even have a Mastodon API about 80% complete.
-
benpate@mastodon.social I think the second half of evan@cosocial.ca’s FEP utilizes the ActivityPub API (C2S) as written.