-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update client information discovery method #133
Comments
After some discussion in the #indieweb-dev chat today between aaronpk and myself, some things I'm considering are: Avoiding a new Changing the meaning of
There are also considerations to be made for transition and roll-out. IndieAuth providers that use (aaronpk mentioned there aren't "that many" IndieAuth providers to update, but I posit that we can't easily know, just as one example, how many people are self-hosting selfauth or how long it will take selfauth to support this IndieAuth clients that implement the current spec will lose out on their rich appearance at IndieAuth providers that switch to the new spec. It would be nice to have a migration doc (and maybe a test tool) to help implementers migrate over! Putting this at the end because I cannot tell if it is constructive, but I noticed that this proposal only mentions |
There's also the option of the information just being discoverable via the client_url but that means a second fetch. I think that's what @martymcguire is referring to by the link rel, but confirming. |
Some quick thoughts on the new proposal:
As far as a migration path goes, that's definitely a bit challenging from the AS perspective. I agree that many AS's will show the full Another option for migration is to tie the new
Adding a link rel from the client home page to the client metadata JSON document doesn't really solve the problem of indieauth server implementers wanting to avoid the HTML parsing step, which is another drawback to the existing spec, and something that I have heard a lot of pushback on from anyone not already 100% bought in to microformats. |
Is it microformats if it is a link header and json file? Manifest files do that and do they get complaints? |
I followed the breadcrumbs from that "Login with Weird" above, and found this discussion on Rauthy: That's a good motivator for updating to this JSON document client metadata discovery method. |
The pushback is on parsing HTML. Who are the consumers of manifest files? I suspect that's a very different audience than the consumers of the client metadata we're talking about here. |
I might just switch this over for a few of my indieauth clients right now. Worst case is someone's IndieAuth server shows them a slightly longer URL than normal, and they see a JSON page if they click it. But other than that everything else about the flow will still work fine, it's not actually a breaking change. |
Nice! I would likely follow suit if there were, say, a blog post explaining what you changed and why. :} |
Would this proposal work with clients running on localhost that can't serve the required document? I'm not sure if IndieAuth currently supports that use case anyway.
HTTP content negation could solve this, right? IIRC that's pretty heavily used in the Fediverse to return JSON for machines and HTML for humans. |
FWIW content negotiation is also often a source of great pain when it comes to development and interop. https://snarfed.org/2023-03-24_49619-2 |
For clients that are running on localhost (e.g. a mobile app), the assumption is that the mobile app also has a web page about the app which is where the metadata is discovered from. |
These are valid concerns. You have to decide if the tradeoffs are worth it. Note that in practice I think a lot of the drawbacks of content negotiation tend to be specific to the data API case (see here). It might not cause as many problems in this situation. |
That would limit the app to running it's OAuth2 client on a specific port, which might be taken by another app, right? |
No, there is an exception for exact redirect URI matching for localhost URLs, see:
Alternatively, a mobile app on iOS/Android can use app-claimed HTTPS URLs as the redirect URI, so the localhost issue goes away entirely. |
I wasn't aware of that; nice! |
I just implemented this in webmention.io and indielogin.com. Here's the PR that adds support to indielogin.com as a client: |
I updated my IndieAuth server on aaronparecki.com to look for the JSON data as well. It's not open source so I can't link to the changes, but it was super easy. Since I want to support both for a while, I first try to parse the page as JSON to extract the values. If that fails, I fall back to the existing behavior of parsing the page for Microformats. So it's really not a huge deal to add this new behavior to an IndieAuth server asap. |
I also started working on a spec that describes this discovery method as an OAuth extension: https://github.com/aaronpk/draft-parecki-oauth-client-id-metadata-document Since this isn't actually anything unique to IndieAuth, other flavors of OAuth might also want to take advantage of this mechanism. |
I implemented this on https://indiebookclub.biz. Git commit: gRegorLove/indiebookclub@4b68574 |
This has been updated in the latest published version of the spec! Thanks for the input everyone! https://indieauth.spec.indieweb.org/#client-information-discovery If you have an implementation of this, whether that's publishing the metadata or consuming it, please comment below! I am collecting examples to include in the presentation of the OAuth draft at the IETF meeting on July 25th! |
I've been taking a break from IndieWeb stuff (and software development in general) but was just referred to this thread by Aaron's post in mastodon#4800. Has there ever been an implementor's migration guide created as suggested earlier in this thread? I'd like to continue to support IndieAuth as much as I'm able to, within reason, but poring over specifications to see what's changed since the last time I'd touched them years ago isn't my idea of a good time. |
So far no migration guide, tho I do still want to write that up. There is the change log in the spec which at least calls out the changes. |
How many years ago? |
The last time I made any significant changes to Authl's IndieAuth client was around three and a half years ago. |
Working through supporting this on my own IndieAuth server today. I think I found an inconsistency.
But a couple of sentences later:
I read that first MUST to mean that a mismatch is a fatal error, and the IndieAuth server should 400 and fail the request. But that second sentence states that a mismatch should be displayed as a warning, implying the user may be offered a chance to continue the flow. |
Thanks all for the discussion and aaronpk and gRegor for the examples. I've got a first-pass PR to support this in the Taproot/indieauth server that drives my personal site(s), as linked above. I also added it to the IndieWeb Webring 🕸️ 💍 and my active Micropub clients at https://bayside.pub/ Commits:
|
Good catch. I think I would lean toward the MUST interpretation, with the AS returning a 400. I think that's in line with the similar requirement for |
Indiekit now supports this method of getting information about a client (as of |
The current method of client information discovery (fetching the client_id and parsing the HTML page for microformats) has received a lot of pushback from various people otherwise interested in implementing IndieAuth. This method is also somewhat limited in that it requires defining a Microformats vocabulary for client information, rather than using the existing vocabulary of client information that's defined by RFC 7591 Dynamic Client Registration.
An alternative proposal for client information discovery was proposed in draft-looker-oauth-client-id-scheme, where the AS uses the client ID URL as the base URL and appends a
.well-known
string in order to find a JSON document with the client metadata. While this approach gets around the HTML/Microformats challenges, it is also not ideal because of the requirement of the.well-known
path.A middle ground (and interestingly, what Solid-OIDC has done), is to instead make the client ID URL be the URL to the metadata document.
So an IndieAuth client such as https://webmention.io would choose a URL to host its client metadata document, for example
https://webmention.io/indieauth/client.json
. This is the value it would use as theclient_id
in the OAuth flow.The AS would see the
client_id
URL in the authorize request and fetch the URL directly in order to find the client metadata. The metadata values would be the values defined by Dynamic Client Registration, such asredirect_urls
,client_name
, etc.The text was updated successfully, but these errors were encountered: