Notices by FenTiger (fentiger@zotum.net)

FenTiger (fentiger@zotum.net)'s status on Thursday, 03-Oct-2024 05:31:56 JST FenTiger
in reply to
- silverpill
@silverpill That'll do - thanks.

I'm sure I saw some discussion relating specifically to collections - but maybe it wasn't in an FEP.

In conversation about 2 months ago from zotum.net permalink
FenTiger (fentiger@zotum.net)'s status on Wednesday, 02-Oct-2024 22:36:43 JST FenTiger

Is there an #FEP which covers adding the attributedTo property to collections?

#ActivityPub

In conversation about 2 months ago from zotum.net permalink
FenTiger (fentiger@zotum.net)'s status on Sunday, 25-Aug-2024 21:22:29 JST FenTiger

Announcing FedIAM 0.1.0 - Sign in with a Fediverse account!

Suppose you want to allow people to log in to your web site. How will they identify themselves? With a username and password? We've all got far too many of those already, and they're not even particularly secure. Perhaps with a Google or Facebook account? That's a lot easier, but do we really want to allow these companies even further into our lives?

FedIAM is a research project which aims to offer an alternative: using Fediverse and IndieWeb protocols, visitors can log in using any one of thousands of small, independent networks run by ordinary people - or even using a provider that they host themselves, independently of any outside influence.

Now available as open source!

#^https://codeberg.org/FenTiger/FedIAM

In conversation about 3 months ago from zotum.net permalink
FenTiger (fentiger@zotum.net)'s status on Tuesday, 13-Aug-2024 15:56:35 JST FenTiger
in reply to

@silverpill Good question. Quick, shallow answer: this is just a login system, not an #ActivityPub instance. It could certainly be used in front of an ActivityPub instance, though, and in that context, it's definitely worth thinking about. I don't have any concrete answers, but off the top of my head:

The simplest option would be to create a new local actor, and use this purely for login. Sometimes this is the only option - IndieAuth and the native OIDC mode can both work without the existence of an AP actor at the IdP end.

Another option would be to pair it with AP C2S. The OAuth2/OIDC based modes can provide an access token as well as an identity; this could be used to authorise the RP to connect back to the IdP and post using C2S. This would take a bit of standardisation work, but not a lot; my impression is this would be fairly easy to build.

What if the user has a FEP-ef61 nomadic actor? Sending the private key from the IdP to the RP is probably not a very good idea, but perhaps the IdP could expose an access-controlled endpoint to generate a signature on the user's behalf. With this method the RP would construct an object with attributedTo set to the user's nomadic actor ID, request a signature from the IdP, and then distribute the object however it chooses. (In this case, perhaps the IdP should get to choose the new object's ID too, at which point this starts to look a lot like a variant of C2S.)

In conversation about 3 months ago from zotum.net permalink
FenTiger (fentiger@zotum.net)'s status on Monday, 12-Aug-2024 02:17:27 JST FenTiger
in reply to
- silverpill
@silverpill Yes. It lets you log in using an existing account rather than having to register a new one - but in a "Fediverse compatible" way, without any of the technical and social problems which come with using a Big Tech provider.

It can also (in some, admittedly limited, circumstances) recognise your login session automatically, without having to actually enter your ID every time you click from one site to another.

In conversation about 4 months ago from zotum.net permalink
FenTiger (fentiger@zotum.net)'s status on Sunday, 11-Aug-2024 19:06:01 JST FenTiger
Anyone interested in single sign-on / #SSO? Want a new toy to play with? I've been experimenting with it recently, and now I've got something to share: an experimental demo of how a "Sign in with the Fediverse" mechanism might work.

If you have a Mastodon or Hubzilla account, or an IndieAuth-style self-hosted identity, I'd like to invite you to try and sign in to my test site at login.mythik.co.uk.

Headline features:
- User authentication/authorization based on the Ory tools.
- Supports signing in using an existing Fediverse (or other) account - or one you host yourself
- Open source - well, not yet, but it could be, if people are interested in it
- Written by a non-expert! Woefully insecure! All manner of attacks, just waiting to be found! Invite your security expert friends to the party, and laugh together at the n00b! Fun for all the family!
Supported identity providers include:
- Mastodon (must be a recent version that includes this pull request). mastodon.social is known to work.
- Hubzilla (any version). zotum.net is known to work.
- #IndieAuth / #FedCM
- Another instance of itself, using OpenID Connect
(There's a chance Streams might work, too.)

Protocols supported:
- #OIDC Discovery
- Client ID Metadata Document
- FedCM for IndieAuth
- #OpenWebAuth
- A method using the Mastodon API
- Classic (non-FedCM) IndieAuth (if you're lucky; I found this very hard to test, and had various problems with it)
- My original experiments used Dynamic Client Registration but I've moved away from this.
If you can get it to work - share a screenshot and let me know what you think!

(I'll try to keep this running for a while, but I can't guarantee it - partly because I haven't finished trying to attack it yet. If I have to take it down for some reason, I'll edit this post to say so.)
In conversation about 4 months ago from zotum.net permalink
FenTiger (fentiger@zotum.net)'s status on Friday, 12-Apr-2024 10:52:27 JST FenTiger
in reply to
- silverpill
@silverpill What's the purpose of the did: and key: prefixes at this point? Can they be removed?

It might be a good idea to have something there that can differentiate newer versions of the scheme - but if did: in particular can go, people might be less likely to associate this with all the dodgy bl*ckch*ain stuff.

In conversation about 8 months ago from zotum.net permalink
FenTiger (fentiger@zotum.net)'s status on Saturday, 16-Mar-2024 20:29:37 JST FenTiger

@Helge Your suggestion of did://key:1234567/path would have the upside of being compatible with Go's url.String() function, which also turns out to be unable to process did: URLs with paths.

My #BangHeadHere sign is taking a bit of a battering today...

In conversation about 8 months ago from zotum.net permalink
FenTiger (fentiger@zotum.net)'s status on Saturday, 09-Mar-2024 20:08:09 JST FenTiger

Oh, joy: it turns out that Go's net/url package doesn't understand that DID URLs can have paths.

Parsing "https://example.social/path/to/object" gives me a useful result:

&url.URL{
    Scheme:"https",
    Opaque:"",
    Host:"example.social",
    Path:"/path/to/object",
    [...]
}But parsing "did:ap: key:z6abcdef/path/to/object" gives me this:

&url.URL{
    Scheme:"did",
    Opaque:"ap:key:z6abcdef/path/to/object",
    Host:"",
    Path:"",
    [...]
}So I need some kind of wrapper to detect DID URLs and parse the paths out of them. That's easy enough, I suppose, but then I need to actually use that wrapper, in all the relevant places...

#ActivityPub #FediDev #BangHeadHere
In conversation about 9 months ago from zotum.net permalink
Attachments
1. Untitled attachment
FenTiger (fentiger@zotum.net)'s status on Monday, 26-Feb-2024 20:58:10 JST FenTiger
in reply to

Is the apresolver endpoint expected to work?

I tried https://mitra.social/.well-known/apresolver/did:ap: key:z6MkuXdkTDa1iAZraZCRT9N5BpXKZxvBYpR4T7EG4tTxYuda/actor, and got a 200, but it's a HTML page, not the actor object. I don't see a Link header, either.

(Space inserted so Hubzilla doesn't convert "key" into a :key: emoji!)
In conversation about 9 months ago from zotum.net permalink
Attachments
1. No result found on File_thumbnail lookup.
  
  Mitra | Federated social network
  
  Federated social network

Public

Notices by FenTiger (fentiger@zotum.net)

User actions

Following 0

Followers 0

Groups 0

Statistics

Feeds