Aaron Parecki

  • First draft of Private Webmention sending

    September 30, 2016

    The thing I was most excited about at IndieWebCamp Brighton was coming up with a Private Webmention extension to Webmention. The version we outlined in Brighton was drastically simplified from previous iterations of potential ways to send private Webmentions.

    Nearly a week after speccing it out, I now have a first draft implementation of sending. My goal this week was to finish implementing sending private Webmentions, to get some real-world feedback on the spec.

    Telegraph

    First, since I use the Telegraph API to send Webmentions, I had to add the ability for it to pass through the new "code" and "realm" values. The neat thing about doing it this way is that if you want to use Telegraph to send Webmentions for you, you don't have to give it access to your private posts.

    Private Posts

    I then had to add the concept of private posts to p3k. One of the challenges I've been facing with p3k is adding the concept of user accounts and other people logging in. To do so, I would need some sort of user database (likely treating the person's URL as the unique identifier for their identity in my system), and then would need to associate users with posts to keep track of who can see what. Then the next challenge would be writing the queries to return different items in various feeds people are viewing when logged in. This all sounded terribly complicated, and there were a number of implementation decisions I didn't want to make just yet.

    I decided to scrap that whole idea and do the simplest possible thing instead. I realized that the way the Private Webmention spec is written, I don't actually need "user accounts" to send a private Webmention at all. Instead, all I need to do is to be able to generate and verify tokens that can fetch a specific page. I don't need these tokens associated with users or even domain names.

    This simplified my implementation a lot. It meant a relatively small amount of self-contained code to generate the authorization codes and access tokens. The access tokens are locked to a specific post URL, so each token issued can only be used to view a specific post. This is obviously not useful as a generic login mechanism, but it's absolutely sufficient to have a Webmention receiver verify a private Webmention!
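
    A minimal sketch of this account-free design, added here as an illustration and not the code running on p3k: authorization codes and access tokens are HMAC-signed values bound to one post URL. The signing scheme, lifetimes, one-time-use tracking, function names and example.com URLs are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = secrets.token_bytes(32)  # assumption: server-side signing key
CODE_TTL, TOKEN_TTL = 60, 3600    # assumption: lifetimes in seconds
_used_codes = set()               # assumption: codes are one-time use

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _tag(body):
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def _sign(kind, url, ttl, now):
    # No user or domain in the claims: only the kind, the post URL and an expiry.
    claims = {"kind": kind, "url": url, "exp": int(now) + ttl,
              "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _tag(body)

def _verify(value, kind, now):
    """Return the claims if signature, kind and expiry all check out, else None."""
    body, _, tag = value.partition(".")
    if not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["kind"] != kind or claims["exp"] < now:
        return None
    return claims

def issue_code(post_url, now=None):
    """Sender side: the code that travels with the private Webmention."""
    return _sign("code", post_url, CODE_TTL, now or time.time())

def exchange_code(code, now=None):
    """Token endpoint: trade a valid, unused code for a token on the same URL."""
    now = now or time.time()
    claims = _verify(code, "code", now)
    if claims is None or claims["jti"] in _used_codes:
        return None
    _used_codes.add(claims["jti"])
    return _sign("token", claims["url"], TOKEN_TTL, now)

def can_fetch(token, requested_url, now=None):
    """Post handler: a token opens only the one URL it was issued for."""
    claims = _verify(token, "token", now or time.time())
    return claims is not None and claims["url"] == requested_url
```

    Because each value carries its own URL binding and expiry, the receiver's fetch can be authorized without looking up a user or a domain.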

    Also worth noting is that my implementation does not currently take advantage of the "realm" value. This means every private Webmention I send will require the receiver to obtain a new access token. Once I add the concept of user accounts and mapping posts to users, I'll be able to generate a "realm" value for that particular user so they will be able to reuse access tokens to fetch additional posts. This is a good future optimization, but not necessary for a first draft implementation.

    Future Work

    Next up I need to implement receiving private Webmentions. Since I use webmention.io to handle receiving Webmentions, I'll be adding support for receiving private Webmentions to it.

    I am also looking forward to others implementing receiving private Webmentions so that I can start sending some! If you're interested, take a look at the spec, as well as the implementation guide. Hop in our chat if you're not already there and feel free to ask questions!

    Portland, Oregon
    Fri, Sep 30, 2016 2:31pm -07:00 #webmention #indiewebcamp #indieweb #private #p3k
    8 likes 3 replies 2 mentions
    • Aaron Parecki aaronparecki.com
      oh funny! I got token_endpoint from OpenID Connect: openid.net/specs/openid-c… I will take a look at the OAuth 2 link rels tho.
      Sat, Oct 1, 2016 2:14pm +00:00 (via brid-gy.appspot.com)
    • Jared Hanson jaredhanson.net
      There's an existing "oauth2-token" link rel which would be nice to use instead of "token_endpoint" tools.ietf.org/html/draft-wmi…
      Sat, Oct 1, 2016 4:42am +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki aaronparecki.com
      Speaking of this... I'd love your feedback on the new Private Webmention extension! I think it'll be an important building block for this. https://aaronparecki.com/2016/09/30/12/private-webmentions https://indieweb.org/Private-Webmention
      Fri, Sep 30, 2016 2:38pm -07:00

    Other Mentions

    • Aaron Parecki aaronparecki.com
      Just wrote about my first draft implementation of Private Webmention, a new extension to @W3C Webmention https://aaronparecki.com/2016/09/30/12/private-webmentions #indieweb
      Fri, Sep 30, 2016 2:48pm -07:00
    • Tom
      Moved from Github Pages to Netlify.
      Sun, Nov 13, 2016 11:59pm -07:00
Posted in /articles using quill.p3k.io

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.