WeChat ID
aaronpk_tv
-
In two weeks, I'm hosting a series of OAuth/OpenID Connect workshops in Chicago, Dallas, and San Francisco with @okta! They're free to attend and there's food/drinks afterwards! Sign up here ➡ http://regionalevents.okta.com/developerworkshoproadshow -
I absolutely ❤️ the idea of the #IndieWeb. Take control of your own content! watch @adactio explain it: https://vimeo.com/265121482 https://indieweb.org
-
I could see extending the limitation of the loopback address to also include the private IP ranges. I assume in that case it is extremely unlikely that the server will have an https certificate, so that's another reason to keep the limitation on the private IP ranges rather than allowing arbitrary IP addresses.
One of the benefits of the client ID being a publicly accessible web page is that the authorization server can fetch the application name and icon from that page.
In the case of using a private IP address, the authorization server won't be able to fetch any information about the client, so the prompt will show just the IP.
The other option is to use
https://www.home-assistant.io/as the client ID, allowing just the redirect URL to be a private IP. This breaks the rule of the client ID and redirect URL hostnames matching, so servers may show a warning like the below, but at least the application info is visible.
-
This evening I’ve been trying to build a minimal http://glitch.com app which supports IndieAuth login. After some head scratching I see it’s a tweaked oauth2 flow, I think.
Goals:
- remixable (Glitch shines there)
- transparent
- well tested -
Here's a post I just wrote explaining IndieAuth and how it solves a number of the challenges with OAuth in this context.
https://aaronparecki.com/2018/07/07/7/oauth-for-the-open-web -
Include timezone offset in machine-readable timestamp
Toots are displayed in (someone's) local time, but the machine readable date is always rendered in UTC.continue reading... -
Andy McIlwain
https://andymci.com
•
Jul 7
An independent web doesn't necessarily mean an open web. Thinking about private sites and networks for groups, families, personal use. #indieweb #justathought
Agreed, and an open web doesn't imply a public web. We're experimenting with private content too! https://indieweb.org/private_posts -
IndieAuth: Eliminate registration for OAuth APIs and use URLs for identity & auth: https://aaronparecki.com/2018/07/07/7/oauth-for-the-open-web
-
The IndieAuth extension to OAuth2 is perfect. I will adopt this in @home_assistant to make it easier for people to build apps against local instances.
-
Microsub and the new reader evolution (skippy.net)"The other great thing about Microsub, the technology behind Aperture and Monocle, is the separation of “feed collection” from “feed display”. I don’t have to use only Monocle to read my feeds. On my phone, I use an app called Indigenous. I could also use Monocle from a mobile browser. Or I could use Together. Or I could write my own reader interface, if I so chose."
-
Working on on Indiepaper has been a fun project. It's involved writing Python, Swift, HTML, CSS, and JavaScript, and using @awscloud Lambda, S3, and CloudFront. #polyglot
-
Look for mf2 first, use Mercury as a fallback
If the page has mf2, that is likely to be much better data than what Mercury finds. Indiepaper should first check if it finds an article via mf2, and if it doesn't, then can use Mercury to extract what it can.continue reading... -
I added experimental support for IndieAuth in Indiepaper today. Test it out here – https://www.indiepaper.io/indieauth.html. Once authenticated, you get an automatically generated bookmarklet and a button to click for automatically configuring Indiepaper for macOS.
-
IndieWeb Summit 2018 Recap (boffosocko.com)
-
Unfortunately this won't really work.
Even if you could sign in to Aperture, you still wouldn't be able to use any of the reader apps. The reader apps expect to be able to get an access token in order to make authenticated requests to Aperture. Getting an access token requires having an authorization endpoint and token endpoint.
If I allowed people to log in to Aperture without fully setting up IndieAuth, it would just be confusing because then they'd get an error trying to sign in to any apps. I think it's better to not mislead people at that stage, and require that they set up IndieAuth before being able to sign in to Aperture. -
Yep! https://github.com/indieweb/wordpress-indieauth
That's annoying that wordpress.org doesn't have a link to the GitHub source. -
Alright, I finished my post explaining the details of this! Have a look ➡️ https://aaronparecki.com/2018/07/07/7/oauth-for-the-open-web
