@julian diving into the hard problems of building for the Fediverse at #Fedicon, starting with hilariously talking about how those hard problems look like to average users 😅
-
@benpate @evan @thisismissem @julian @naturzukunft I think the idea is that you get an access_token which you can use to post to the outbox - which you can discover from the Actor object.
But most software doesn't support the C2S API, so that POST would either fail, or the server would lie and say "thanks for submitting this activity" and then just do nothing with it.
I'd like to know that the activity is going to fail BEFORE I hit submit. Otherwise, users will run into a dead end, and the server that originated the request won't have any way to fix it.
Servers should know AHEAD OF TIME if they can post activities or not.
-
I'm genuinely behind on this. I've skimmed Evan's FEP, but a lot of OAuth complexity is still opaque to me.
It seems like the missing piece with using the C2S API would be *figuring out* what endpoints I can call to initiate an activity.
Does FEP-d8c2 implement discovery in some way that I'm not seeing? Or, is this something *still to be defined* and I'm just jumping the gun, here?
@benpate @evan @thisismissem @julian @naturzukunft SWICG c2s task force wen (or will the payments task force just naturally become the c2s tf over time)
-
@benpate @evan @thisismissem @julian @naturzukunft SWICG c2s task force wen (or will the payments task force just naturally become the c2s tf over time)
@benpate @evan @thisismissem @julian @naturzukunft all joking aside I think c2s requires emelia and Aaron's rfc on the OAuth side, and some equally complex discovery mechanism based on alternate AuthZ (presumably something based on certificate-ized Object Capabilities?) if we wanna stay composable and not-100%-dependent on oauth...
-
But most software doesn't support the C2S API, so that POST would either fail, or the server would lie and say "thanks for submitting this activity" and then just do nothing with it.
I'd like to know that the activity is going to fail BEFORE I hit submit. Otherwise, users will run into a dead end, and the server that originated the request won't have any way to fix it.
Servers should know AHEAD OF TIME if they can post activities or not.
@benpate @evan @thisismissem @julian @naturzukunft It's certainly helpful to have a way to know if you should show that button on the UI or not!
-
@benpate @evan @thisismissem @julian @naturzukunft It's certainly helpful to have a way to know if you should show that button on the UI or not!
fentiger@mastodon.social benpate@mastodon.social exactly, we need some guarantee that the activity we POST to the outbox isn't just unceremoniously dropped and an HTTP 200 returned.
NodeBB doesn't support POSTing the outbox at the moment, but we do return an HTTP response for "not implemented", currently.
-
@benpate @julian I'm not sure OWA is the way forward here; mainly it's a lightweight authentication-only alternative to OAuth, and for FEP-d8c2-style SSO the authorization part - issuing the access_token - is important.
FEP-61cf does describe the "zid" mechanism that can be used to avoid the user having to type their handle in; maybe this will be useful (though it's not without its downsides).
-
-
-
@benpate @evan @thisismissem @julian @naturzukunft all joking aside I think c2s requires emelia and Aaron's rfc on the OAuth side, and some equally complex discovery mechanism based on alternate AuthZ (presumably something based on certificate-ized Object Capabilities?) if we wanna stay composable and not-100%-dependent on oauth...
@by_caballero @benpate @thisismissem @julian @naturzukunft that's too hard. We have an API. It already works.
-
This is a good point, though I'm not clear how different servers would handle outbox requests for activities that they don't support. I'm pretty sure mine would just die.
My big concern with OAuth tokens is that they require me to give away write access to my Fediverse identity when I "like" or "reply" to something, which could easily be an attack vector.
We talked about scoping OAuth tokens, but it feels like a lot of moving parts. More details later
-
-
-
-
@by_caballero @benpate @thisismissem @julian @naturzukunft that's too hard. We have an API. It already works.
evan@cosocial.ca I'm not certain whether it's too hard or not. At this point I haven't looked into it yet.
But if there is a chance that we can use standardized endpoints for this, then it's a point in their favour.
At the same time, I am a proponent of simplicity.
-
This sounds perfectly reasonable, and is probably the right thing to do.
Except I probably implemented ActivityPub wrong - using it as a protocol and not an architecture.
Database tables represent the things I understand, and are written out as “JSON-LD” when needed. So there’s no true “outbox”, except as links to the tables I care about
Again, this is an “it’s me, not you” situation, but I’ll bet others might be in the same boat.
-
This sounds perfectly reasonable, and is probably the right thing to do.
Except I probably implemented ActivityPub wrong - using it as a protocol and not an architecture.
Database tables represent the things I understand, and are written out as “JSON-LD” when needed. So there’s no true “outbox”, except as links to the tables I care about
Again, this is an “it’s me, not you” situation, but I’ll bet others might be in the same boat.
benpate@mastodon.social said:
> Database tables represent the things I understand, and are written out as “JSON-LD” when needed. So there’s no true “outbox”, except as links to the tables I care aboutI am pretty sure 85-90% of the fediverse developers do this
The remaining 10-15% complain loudly when the "JSON-LD" we send back doesn't actually validate.
-
I honestly thought it was just me
-
I honestly thought it was just me
-
-
I'm genuinely behind on this. I've skimmed Evan's FEP, but a lot of OAuth complexity is still opaque to me.
It seems like the missing piece with using the C2S API would be *figuring out* what endpoints I can call to initiate an activity.
Does FEP-d8c2 implement discovery in some way that I'm not seeing? Or, is this something *still to be defined* and I'm just jumping the gun, here?
@benpate @thisismissem @julian @naturzukunft I forgot to ask: have you ever implemented an OAuth client before? Or used a library for it?
