Conversation

Notices

1. Embed this notice
   naturzukunft (naturzukunft@mastodon.social)'s status on Thursday, 11-Jan-2024 00:56:42 JST naturzukunft

   • Evan Prodromou
   • context // text

   @evan i'm getting crazy with that blank node stuff ;-)
   if you have an actor like that:
   {
   "@context": ["https://www.w3.org/ns/activitystreams"],
   "type": "Person",
   "id": "https://example.com/1",
   "inbox": "https://example.com/1/inbox.json",
   "outbox": "https://example.com/1/feed.json",
   "endpoints": {
   "oauthAuthorizationEndpoint": "https://example.com/oauth/auth",
   "oauthTokenEndpoint": "https://example.com/oauth/token"
   },
   "name": "John"
   }
   #activitypub

   • Embed this notice
     Evan Prodromou (evan@cosocial.ca)'s status on Thursday, 11-Jan-2024 00:56:40 JST Evan Prodromou

     in reply to

     • context // text

     @naturzukunft @context That doesn't make any sense. It's up to the server to do authentication to protect resources on that server.

   • Embed this notice
     naturzukunft (naturzukunft@mastodon.social)'s status on Thursday, 11-Jan-2024 00:56:41 JST naturzukunft

     in reply to

     • Evan Prodromou
     • context // text

     @evan @context how would the update activity look like to change only 'oauthTokenEndpoint'.

   • Embed this notice
     naturzukunft (naturzukunft@mastodon.social)'s status on Thursday, 11-Jan-2024 00:56:41 JST naturzukunft

     in reply to

     • Evan Prodromou
     • context // text

     @evan @context
     aaaahr, I let myself get confused.
     If an object has properties in an object without an id, then these are transient according to the specification:

     ...unless they are intentionally transient.

     In the case of the actor, this would mean that oauthAuthorizationEndpoint is transient. which is wrong

     In the end, however, this means that https://www.w3.org/ns/activitystreams#endpoints must have an ID and must not be behind a blank node.

     https://www.w3.org/TR/activitypub/#obj-id

     #activitypub

   • Embed this notice
     naturzukunft (naturzukunft@mastodon.social)'s status on Thursday, 11-Jan-2024 00:56:41 JST naturzukunft

     in reply to

     • Evan Prodromou
     • context // text

     @evan @context The reason for the usecase "update oauthAuthorizationEndpoint & oauthTokenEndpoint" is that I want to let the client decide where it authenticates itself
     #activitypub

   • Embed this notice
     naturzukunft (naturzukunft@mastodon.social)'s status on Thursday, 11-Jan-2024 03:40:05 JST naturzukunft

     in reply to

     • Evan Prodromou

     @evan it is the task of the activitypub server to delegate the authentication to an oauth server. In some cases, the activitypub server can also be the oauth server.
     The task of the activitypub server is to trust one or more oauth servers. I think it makes sense for an actor or an activitypub client application to be able to decide whether they want to use Facebook, Github or whatever to authenticate themselves.

   • Embed this notice
     Evan Prodromou (evan@cosocial.ca)'s status on Thursday, 11-Jan-2024 03:40:05 JST Evan Prodromou

     in reply to

     @naturzukunft These properties are about an OAuth flow for granting access to the ActivityPub API, not authenticating using OIDC. GitHub does not know about your ActivityPub API implementation and will not do a good job informing your user about what scope of access the client is asking for.

   • Embed this notice
     Evan Prodromou (evan@cosocial.ca)'s status on Friday, 12-Jan-2024 22:19:56 JST Evan Prodromou

     in reply to

     • Marcus Rohrmoser 🌻
     • context // text

     @mro @naturzukunft @context Mastodon removes them.

   • Embed this notice
     Marcus Rohrmoser 🌻 (mro@digitalcourage.social)'s status on Friday, 12-Jan-2024 22:19:58 JST Marcus Rohrmoser 🌻

     in reply to

     • Evan Prodromou
     • context // text

     @naturzukunft @evan @context maybe unrelated but above urls lack a scheme.