Posts by fentiger@zotum.net
(DIR) Post #AkSaAKnVZVHuvO9qVM by fentiger@zotum.net
2024-07-30T15:12:15Z
2 likes, 0 repeats
Anyone interested in single sign-on / #SSO? Want a new toy to play with? I've been experimenting with it recently, and now I've got something to share: an experimental demo of how a "Sign in with the Fediverse" mechanism might work.If you have a Mastodon or Hubzilla account, or an IndieAuth-style self-hosted identity, I'd like to invite you to try and sign in to my test site at login.mythik.co.uk.Headline features: User authentication/authorization based on the Ory tools. Supports signing in using an existing Fediverse (or other) account - or one you host yourself Open source - well, not yet, but it could be, if people are interested in it Written by a non-expert! Woefully insecure! All manner of attacks, just waiting to be found! Invite your security expert friends to the party, and laugh together at the n00b! Fun for all the family!Supported identity providers include: Mastodon (must be a recent version that includes this pull request). mastodon.social is known to work. Hubzilla (any version). zotum.net is known to work. #IndieAuth / #FedCM Another instance of itself, using OpenID Connect(There's a chance Streams might work, too.)Protocols supported: #OIDC Discovery Client ID Metadata Document FedCM for IndieAuth #OpenWebAuth A method using the Mastodon API Classic (non-FedCM) IndieAuth (if you're lucky; I found this very hard to test, and had various problems with it) My original experiments used Dynamic Client Registration but I've moved away from this.If you can get it to work - share a screenshot and let me know what you think!(I'll try to keep this running for a while, but I can't guarantee it - partly because I haven't finished trying to attack it yet. If I have to take it down for some reason, I'll edit this post to say so.)
(DIR) Post #AkrctSNHIx52JcWxw8 by fentiger@zotum.net
2024-08-11T16:09:33Z
0 likes, 0 repeats
@silverpill Yes. It lets you log in using an existing account rather than having to register a new one - but in a "Fediverse compatible" way, without any of the technical and social problems which come with using a Big Tech provider. It can also (in some, admittedly limited, circumstances) recognise your login session automatically, without having to actually enter your ID every time you click from one site to another.
(DIR) Post #AkusYcnRXfuLIYjmts by fentiger@zotum.net
2024-08-12T12:49:17Z
0 likes, 0 repeats
@silverpill Good question. Quick, shallow answer: this is just a login system, not an #ActivityPub instance. It could certainly be used in front of an ActivityPub instance, though, and in that context, it's definitely worth thinking about. I don't have any concrete answers, but off the top of my head:The simplest option would be to create a new local actor, and use this purely for login. Sometimes this is the only option - IndieAuth and the native OIDC mode can both work without the existence of an AP actor at the IdP end.Another option would be to pair it with AP C2S. The OAuth2/OIDC based modes can provide an access token as well as an identity; this could be used to authorise the RP to connect back to the IdP and post using C2S. This would take a bit of standardisation work, but not a lot; my impression is this would be fairly easy to build.What if the user has a FEP-ef61 nomadic actor? Sending the private key from the IdP to the RP is probably not a very good idea, but perhaps the IdP could expose an access-controlled endpoint to generate a signature on the user's behalf. With this method the RP would construct an object with attributedTo set to the user's nomadic actor ID, request a signature from the IdP, and then distribute the object however it chooses. (In this case, perhaps the IdP should get to choose the new object's ID too, at which point this starts to look a lot like a variant of C2S.)
(DIR) Post #AlKDqVepmJvyML4ukC by fentiger@zotum.net
2024-08-25T10:07:19Z
1 likes, 2 repeats
Announcing FedIAM 0.1.0 - Sign in with a Fediverse account!Suppose you want to allow people to log in to your web site. How will they identify themselves? With a username and password? We've all got far too many of those already, and they're not even particularly secure. Perhaps with a Google or Facebook account? That's a lot easier, but do we really want to allow these companies even further into our lives?FedIAM is a research project which aims to offer an alternative: using Fediverse and IndieWeb protocols, visitors can log in using any one of thousands of small, independent networks run by ordinary people - or even using a provider that they host themselves, independently of any outside influence.Now available as open source!#^https://codeberg.org/FenTiger/FedIAM
(DIR) Post #Amb62u6xpNibGHjflI by fentiger@zotum.net
2024-10-02T11:56:57Z
0 likes, 0 repeats
Is there an #FEP which covers adding the attributedTo property to collections?#ActivityPub
(DIR) Post #Ambh5Z38Hv5B724jOS by fentiger@zotum.net
2024-10-02T14:44:57Z
0 likes, 0 repeats
@silverpill That'll do - thanks.I'm sure I saw some discussion relating specifically to collections - but maybe it wasn't in an FEP.
(DIR) Post #AoPIkIKHlh4MwPwAzI by fentiger@zotum.net
2024-11-25T09:55:55Z
0 likes, 0 repeats
@silverpillHow does it check that the user is logged in? Does it present a login form?It checks whether the user has a session cookie. Hubzilla doesn't show a login form here; it could, but that wouldn't work so well for eg image fetches.And then, after login, which instance generates activities?FEP-61cf only covers authenticating the user. It doesn't tackle the question of what happens when the now-authenticated user writes a post. How should that post federate outwards, in such a way that other instances can trust it? I don't know how Hubzilla approaches this; maybe @Mario Vavti can comment.
(DIR) Post #AqdnBm1Zqzwh5wX7Tc by fentiger@zotum.net
2025-01-31T12:13:57Z
0 likes, 1 repeats
This was my experience too.It also doesn't play very well in practice with JCS canonicalisation, as used by FEP-8b32 signatures: #^https://zotum.net/channel/fentiger?mid=d9557d63-a9e5-4bba-a39d-e2ee785def42Trying to treat messages as "JSON-LD first" has taken me a very long way down a blind alley, and cost me a lot of time.:(
(DIR) Post #AsDh41RfUqPWFtlrEm by fentiger@zotum.net
2025-03-19T17:21:01Z
0 likes, 0 repeats
I would vote against putting it in endpoints, personally, because endpoints is "typically server/domain wide" and is allowed to be a link rather than a nested object, while gateways should be considered to vary from actor to actor, because two actors might be cloned to different sets of servers.
(DIR) Post #AsDlDOoQO4z39M8qau by fentiger@zotum.net
2025-03-19T18:24:34Z
0 likes, 0 repeats
@silverpill Well, in my (sketch of a) design, things like sharedInbox and proxyUrl point at the specific server that's hosting the clone, rather than being common to all the clones (and the oauthAuthorizationEndpoint and such are best found via different mechanisms entirely).I'll readily admit that there are other possible ways to build it, though.
(DIR) Post #AsLXRbtCEv2Ht69kJs by fentiger@zotum.net
2025-03-23T10:24:37Z
0 likes, 1 repeats
Today I had a quick go at working out how Hubzilla handles permissions for media files.I've been meaning to do this for a while, to work out how it relates to OpenWebAuth authentication (as described in FEP-61cf), but unless I'm missing something (very possible), it's an entirely separate mechanism.Summary: it's based on bearer tokens / capability URLs. Each post gets given a random token, and that token grants access to any media files which are attached to it. If you're allowed to view the post, the URLs that it contains grant you the capability to download the attachments, too.When a post is created: Generate a random token for it. Record that the token grants permission to access any attached media files. Store the token to the DB as part of the post.When a post is encoded to ActivityPub: Find the associated token and append it to any URLs referring to attached media files Also do the same for any attachment objectsPresumably this happens when it's rendered to HTML, too, but I couldn't find that bit.When a media file is requested: Extract the token from the request. Check that the requester has permission to view the file, including checking whether the token grants permission.Pretty simple really, though it took a bit of grepping and guesswork to find all these pieces, and I'm not sure I've found all of it.#ActivityPubDev
(DIR) Post #AtOOwEvtLILFJHz8im by fentiger@zotum.net
2025-04-23T19:20:15Z
0 likes, 0 repeats
+1 for not sending private keys over the wire. I'm no expert, but I feel a lot more comfortable with this design.
(DIR) Post #AtxwCoFMQeiQhsODT6 by fentiger@zotum.net
2025-05-10T21:58:42Z
0 likes, 0 repeats
"Servers SHOULD implement NodeInfo..." seems a bit strong, especially considering that some people are quite strongly opposed to it. Is this really a SHOULD? Or would it be better to write a paragraph or two about the pros and cons, and let implementers decide for themselves? Would it be worth recommending that implementers provide a config option to allow NodeInfo to be switched on and off by the instance admin?Should there be a recommendation that "Consumers SHOULD NOT assume that any given Fediverse site will implement NodeInfo"?I've seen code out there that uses a NodeInfo hit to decide which auth protocol to use for cross-instance login. I personally don't like this approach and would prefer not to encourage people to use designs like this.
(DIR) Post #AulC9Nd2f2AI1wXJeC by fentiger@zotum.net
2025-06-03T16:37:06Z
0 likes, 0 repeats
@silverpill Do you have to double-knock every time? Can't you cache the result when a POST succeeds, so you know which signature method to use next time you deliver to that instance?
(DIR) Post #Avawrgk3UuTuCDNyWu by fentiger@zotum.net
2025-06-28T16:28:34Z
1 likes, 0 repeats
@OpenWebAuth I've updated FEP-61cf in response to recent discussions: Added a summary to make it clearer that OWA is used in connection with other protocols, rather than being an alternative to ActivityPub etc. Expanded the "Security Considerations" section. In particular, be more explicit about the potential for impersonation attacks.As always - any comments and feedback are very welcome!
(DIR) Post #AxjZKhZcskdy01lAa8 by fentiger@zotum.net
2025-08-31T10:58:03Z
0 likes, 0 repeats
Is there any information anywhere on how the Flag activity is used in practice?As ever, the spec only tells me that it exists; it doesn't say anything about what it contains, where it gets delivered to, how the recipient processes it, etc.Maybe I could find out more by setting up some test instances and experimenting with it, or by trying to trawl through various repositories to find the relevant source code - but it seems a lot quicker to just ask.#ActivityPub #ActivityPubDev #FediDev #FediDevs
(DIR) Post #Axs8lUqFNVo1zVj3BY by fentiger@zotum.net
2025-09-04T10:05:16Z
0 likes, 1 repeats
@silverpill ActivityStreams allows @context to be missing, too:When a JSON-LD enabled Activity Streams 2.0 implementation encounters a JSON document identified using the "application/activity+json" MIME media type, and that document does not contain a @context property whose value includes a reference to the normative Activity Streams 2.0 JSON-LD @context definition, the implementation MUST assume that the normative @context definition still applies.
(DIR) Post #Az07JcBqujOLQjeFg8 by fentiger@zotum.net
2025-10-08T12:31:33Z
1 likes, 0 repeats
@silverpill I propose the toot:harassable profile flag, to indicate whether the user consents to being harassed on the Internet. Anyone who doesn't want to be harassed can just set it to false.
(DIR) Post #AzTJUhRkXpFJx5yRsm by fentiger@zotum.net
2025-10-22T15:44:16Z
1 likes, 0 repeats
@Mario Vavti Somebody should come up with a mechanism for reassembling a message that has been broken up into small fragments.It would need to put the fragments into the correct order, discard any duplicates, and ask for any missing pieces to be retransmitted.We could call it the "Toot Concatenation Protocol".
(DIR) Post #B2RnPZRoRSVgY4UMVM by fentiger@zotum.net
2026-01-18T21:44:08Z
0 likes, 0 repeats
@Jupiter Rowland Mitra supports OpenWebAuth? I didn't realise this.Perhaps I should be testing my own implementation against it.