Aaron Parecki

  • Miraz https://micro.blog/Miraz   •   Nov 20

    @aaronpk Your unbelievably cute kitties?

    Aaron Parecki
    Yes! They settled right into their new home as if they owned the place
    Portland, Oregon • 37°F
    Mon, Nov 20, 2023 6:54am -08:00
  • jeremycherfas https://micro.blog/jeremycherfas   •   Nov 13

    @aaronpk Super glad to hear this, although I think I will wait for the release.

    Aaron Parecki
    No worries! I'm running it on a test phone until I'm confident that it's working as expected too.
    Portland, Oregon • 51°F
    Mon, Nov 13, 2023 1:04pm -08:00
  • Shauna GM https://social.coop/@shauna   •   Oct 31

    @JMMaok @dajb I am looking for:

    - ability to create recurring events (or at the very least, easily duplicate and edit events)
    - automated confirmation and reminder emails that can be customized with ie a zoom link
    - custom sign up forms

    Ideally also:

    - has a calendar integration or provides an .ics feed, so events automatically populate our public calendar
    - has a zoom or other videochat integration so I don't need to separately set that up

    Aaron Parecki
    This is a great list of features! Meetable https://github.com/aaronpk/Meetable supports some of these:

    - quickly clone an event
    - ics feed for the site as well as tags
    - schedule a zoom meeting when creating an event

    It's missing any actual signup or email stuff though; it's meant more as a discovery tool to push viewers to the actual ticketing website. I've been hesitant to expand it to include ticketing, but might be able to be talked into it.
    Portland, Oregon, USA • 59°F
    Tue, Oct 31, 2023 2:59pm -07:00
  • John Peart https://www.johnpe.art   •   Oct 31

    Making “Web mentions” look more conversational

    Aaron Parecki
    That's very cute!
    Portland, Oregon • 43°F
    Tue, Oct 31, 2023 8:38am -07:00
  • About sending pingbacks, webmentions and some thoughts on how to improve on them.

    Aaron Parecki
    The Webmention spec doesn't make any assumptions about the content of the page, and that was intentional. Interpreting the content of the page to decide what to do with the Webmention is typically done by parsing the Microformats on the page. There's more info here: https://indieweb.org/comments
    Portland, Oregon • 43°F
    1 mention
    Tue, Oct 31, 2023 7:25am -07:00
  • Aaron Ogle https://fosstodon.org/@geekgonecrazy   •   Oct 26

    @aaronpk is pkce used very often? When I was initially implementing pkce in a few cli tools I didn’t see a lot of people talking about it. Most people I talk to are familiar with oauth but you mention pkce and they don’t know it

    Aaron Parecki
    CLI tools are a bit of a special case, but if you're using the auth code flow with a CLI client, then you should also definitely use PKCE.
    Portland, Oregon • 43°F
    Thu, Oct 26, 2023 9:21am -07:00
  • Aaron Ogle https://fosstodon.org/@geekgonecrazy   •   Oct 26

    @aaronpk is pkce used very often? When I was initially implementing pkce in a few cli tools I didn’t see a lot of people talking about it. Most people I talk to are familiar with oauth but you mention pkce and they don’t know it

    Aaron Parecki
    It's used pretty often, but apparently not as often as it should be. There's no excuse for not using it these days; that's why it's not called PKCE in OAuth 2.1, it's just built into the authorization code flow.
    Portland, Oregon • 43°F
    Thu, Oct 26, 2023 9:08am -07:00
  • Aaron Parecki https://aaronparecki.com/   •   Oct 26
    This is a good writeup on some sneaky vulnerabilities in OAuth implementations, but ultimately is just a simple access token injection attack: https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts
    Aaron Parecki
    tl;dr: Don't accept access tokens in your redirect URI (don't use the implicit flow)

    PKCE solves this attack and is enforced by the server rather than relying on client developers to "verify the access token" as described in the post
    Portland, Oregon, USA • 42°F
    4 likes 2 reposts 1 reply
    Thu, Oct 26, 2023 8:51am -07:00 #oauth
  • Paul Robert Lloyd https://paulrobertlloyd.com/   •   Oct 25

    A cohesive and unified identity for IndieWeb protocols

    Aaron Parecki
    These are really great! I like what you've done here!
    Portland, Oregon, USA • 46°F
    Wed, Oct 25, 2023 12:21pm -07:00
  • ocdtrekkie https://mastodon.social/@ocdtrekkie   •   Oct 23

    @aaronpk I mean, you never know when you'll need to be wired for ceiling mics.

    Aaron Parecki
    Easy to do now, almost impossible to do later, so why not!
    Portland, Oregon • 54°F
    Sun, Oct 22, 2023 9:31pm -07:00
  • rmdes https://micro.blog/rmdes   •   Oct 8

    @aaronpk my English isn't so good, and it's not my primary language.. so I always thought that it meant literally for the email to arrive in the inbox well (not in spam), and not about the state, well-being of the receiving end 😅

    Aaron Parecki
    That's fantastic, from now on I am going to interpret this as such
    Portland, Oregon • 79°F
    Sun, Oct 8, 2023 4:18pm -07:00
  • Marty McGuire https://martymcgui.re/   •   Sep 23

    This map is made for you and me

    Aaron Parecki
    thanks a lot, that song has been stuck in my head all afternoon now
    Portland, Oregon • 57°F
    1 mention
    Sat, Sep 23, 2023 7:52pm -07:00
  • Emelia 👸🏻 https://hachyderm.io/@thisismissem   •   Sep 19

    @aaronpk I've seen that, but haven't yet fully looked at it.. it always looked so... financial related?

    Aaron Parecki
    Yeah that is an artifact of its origins, but they took "Financial" out of the name and now it's just "FAPI". Think of it as just a high-security profile, one which would likely be useful for financial related industries and others with similar concerns.
    Dallas, Texas • 94°F
    1 like 1 reply
    Tue, Sep 19, 2023 4:19pm -05:00
  • Emelia 👸🏻 https://hachyderm.io/@thisismissem   •   Sep 19

    @aaronpk that's perhaps fair, though I think OIDC smooths out a lot of OAuth 2.0's rough edges

    Aaron Parecki
    If you want to see a profile that *really* smooths out the rough edges, check out the OpenID FAPI profile. The whole goal of that is high security and interoperability. OpenID core is still pretty loose.
    Dallas, Texas • 94°F
    1 like 1 reply
    Tue, Sep 19, 2023 4:10pm -05:00
  • Evan Prodromou https://cosocial.ca/@evan   •   Sep 17

    I started a FEP to define an #OAuth 2.0 profile for the #ActivityPub API (“c2s”):

    https://codeberg.org/fediverse/fep/pulls/162

    I’d appreciate any feedback or support. I’ve begun implementing this profile, and I think it’s testing out pretty well.

    Aaron Parecki
    I see the proposal has just been merged and now links out to a socialhub link? Where is the best place to continue discussing this? I have ... a lot of feedback as you might imagine.

    https://socialhub.activitypub.rocks/t/fep-d8c2-oauth-2-0-profile-for-the-activitypub-api/3575
    Dallas, Texas, USA • 93°F
    1 like 1 reply
    Tue, Sep 19, 2023 3:42pm -05:00
  • Emelia 👸🏻 https://hachyderm.io/@thisismissem   •   Sep 17

    @evan no, I mean, I don't see why it'd make sense to define a custom profile of OAuth 2.0 when OIDC exists and we could just use it?

    What does defining a custom profile really give us? Our authentication needs can't be that unique, can they?

    Aaron Parecki
    there is no "just use" OIDC, it would still require defining a profile. Plus I don't think most ActivityPub implementations benefit from most of the features OIDC brings.
    Dallas, Texas, USA • 93°F
    1 reply
    Tue, Sep 19, 2023 3:40pm -05:00
  • Emelia 👸🏻 https://hachyderm.io/@thisismissem   •   Sep 17

    @evan so currently all the different fediverse services that implement OAuth implement different bits of specs & don't support discovery of authorization server metadata; additionally, they rarely support PKCE. Dynamic Client Registration is supported, but OIDC Federation would likely be better.

    The scopes you define look like they could conflict with existing implementations, and are also not discoverable by the client.

    Aaron Parecki
    so, a few things. Despite "federation" in the name, OIDC Federation is really not the right thing for this. It's more for a closed ecosystem of independent servers, but is explicitly not made to be open for anyone to join a federation. That's why there are trust anchors and things.

    If current implementations don't support PKCE, they really should, because it's only a matter of time before someone takes advantage of the hole that not doing PKCE leaves open for public clients.
    Dallas, Texas, USA • 93°F
    1 like
    Tue, Sep 19, 2023 3:39pm -05:00
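    The following is an added example, not code from this site or from any of the projects mentioned in these replies. It illustrates the point made in the Oct 26 post (PKCE is enforced by the authorization server rather than relying on client developers to verify tokens) and in the reply above (the hole that skipping PKCE leaves open for public clients): an in-memory authorization server that requires an S256 `code_challenge`, a public client that keeps its `code_verifier` until the callback, and two attacker scenarios, a stolen authorization code and a code injected into another user's session. The client id, redirect URI and the in-process "browser round trip" are constructed for the example; the S256 computation follows RFC 7636.

```python
"""PKCE (RFC 7636) enforced at the token endpoint, shown against a stolen
authorization code and an injected authorization code.
Constructed example: server, client and attacker all run in-process."""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes encode to 43 characters, the minimum RFC 7636 4.1 allows."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """In-memory authorization server. With require_pkce=True (the OAuth 2.1 rule)
    every code-flow request needs an S256 challenge; codes are single use."""

    def __init__(self, require_pkce=True):
        self.require_pkce = require_pkce
        self._codes = {}  # authorization code -> the request it was issued for

    def authorize(self, client_id, redirect_uri, code_challenge=None, method="S256"):
        # Normally reached through the user's browser after login and consent.
        if not code_challenge and self.require_pkce:
            raise ValueError("invalid_request: code_challenge is required")
        if code_challenge and method != "S256":
            raise ValueError("invalid_request: only S256 is supported")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "code_challenge": code_challenge}
        return code

    def token(self, client_id, code, code_verifier, redirect_uri):
        record = self._codes.pop(code, None)  # a code can be redeemed only once
        if record is None:
            return {"error": "invalid_grant"}
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant"}
        # The server-side check: whoever redeems the code must know the verifier
        # behind the challenge that was sent to /authorize. A legacy server that
        # issued the code without a challenge has nothing to check here.
        if record["code_challenge"] is not None and not hmac.compare_digest(
                make_code_challenge(code_verifier), record["code_challenge"]):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


class PublicClient:
    """Public client (CLI, SPA, mobile app): no client secret, so the verifier is
    the only thing binding the token request to the session that started it."""

    def __init__(self, client_id, redirect_uri, server):
        self.client_id, self.redirect_uri, self.server = client_id, redirect_uri, server
        self._pending = {}  # state -> code_verifier, held until the callback

    def begin(self):
        state, verifier = secrets.token_urlsafe(16), make_code_verifier()
        self._pending[state] = verifier
        params = {"client_id": self.client_id, "redirect_uri": self.redirect_uri}
        if self.server.require_pkce:
            params["code_challenge"] = make_code_challenge(verifier)
        return state, params  # stands in for building the real redirect URL

    def callback(self, state, code):
        verifier = self._pending.pop(state, None)
        if verifier is None:
            return {"error": "invalid_request: unknown state"}
        return self.server.token(self.client_id, code, verifier, self.redirect_uri)


CLIENT_ID, REDIRECT = "example-cli", "http://127.0.0.1:8765/callback"  # constructed


def honest_flow():
    server = AuthorizationServer()
    client = PublicClient(CLIENT_ID, REDIRECT, server)
    state, params = client.begin()
    code = server.authorize(**params)  # user logs in; code comes back on the redirect URI
    return client.callback(state, code)


def stolen_code_flow(require_pkce=True):
    """Attacker sees the victim's code (leaky redirect, proxy log, referrer) and
    redeems it with a verifier of their own. Fails with PKCE; succeeds without."""
    server = AuthorizationServer(require_pkce)
    client = PublicClient(CLIENT_ID, REDIRECT, server)
    _state, params = client.begin()
    code = server.authorize(**params)
    return server.token(CLIENT_ID, code, make_code_verifier(), REDIRECT)


def injected_code_flow():
    """Attacker gets a code for their own account with their own PKCE pair and
    feeds it into the victim's pending session (victim's state assumed leaked).
    The victim's client redeems it with the victim's verifier, which cannot
    match the attacker's challenge, so the server refuses."""
    server = AuthorizationServer()
    victim = PublicClient(CLIENT_ID, REDIRECT, server)
    victim_state, _ = victim.begin()
    attacker_verifier = make_code_verifier()
    attacker_code = server.authorize(CLIENT_ID, REDIRECT, make_code_challenge(attacker_verifier))
    return victim.callback(victim_state, attacker_code)


if __name__ == "__main__":
    print("honest:", "access_token" in honest_flow())
    print("stolen code, PKCE:", stolen_code_flow())
    print("stolen code, no PKCE:", "access_token" in stolen_code_flow(require_pkce=False))
    print("injected code:", injected_code_flow())
```

Two design points worth noting: the challenge is compared with `hmac.compare_digest` rather than `==`, and the code is removed from the store before any check runs, so a rejected redemption also burns the code. `stolen_code_flow(require_pkce=False)` is the pre-PKCE behaviour the replies warn about: a public client has no secret, so anyone holding the code gets the token.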
  • Michael Slade https://mastodon.cloud/@michaelslade   •   Sep 13

    @aaronpk So you don’t need Spatial Video? How else will you justify a Vision Pro purchase?

    Aaron Parecki
    Oh gosh. I think I'm going to sit out this first generation of the goggles. I definitely don't *need* them, and I like to let things shake out a bit before jumping in
    Portland, Oregon • 67°F
    1 like 1 reply
    Tue, Sep 12, 2023 8:34pm -07:00
  • Mike https://mastodon.social/@mharleydev   •   Sep 9

    @aaronpk sounds expensive 😬

    Do the new ones do any sort of energy reporting? What home automation platform have you landed on!

    Aaron Parecki
    yes, quite expensive. I don't think they have energy monitoring on them, but I'm installing a monitoring system at the circuit breaker panel so I will get usage on each circuit individually!

    I've been all in on Home Assistant for the last 5 years or so!
    Portland, Oregon • 85°F
    1 like 1 reply
    Sat, Sep 9, 2023 6:04pm -07:00
  • Mike https://mastodon.social/@mharleydev   •   Sep 9

    @aaronpk do you have a plan for light/wall switches yet? If I were building a house I think something like a Shelly relay would be my default go-to to connect my lights. Could be a few switches where I’d use a special switch but I really like our Shellys. Cost effective too, especially multigang switches.

    Aaron Parecki
    That's cool, I hadn't heard of that before, I'll have to try it out.

    Pretty sure I'm going with Lutron switches everywhere tho!
    Portland, Oregon • 55°F
    1 reply
    Sat, Sep 9, 2023 8:38am -07:00
Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member
© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.