your daily dose of json+ld, #fedidev

Reply to your daily dose of json+ld, #fedidev on Mon, 04 May 2026 13:52:24 GMT

profpatsch@mastodon.xyz — Mon, 04 May 2026 13:52:24 GMT

@thisismissem I’m all for that, because splitting things up on GET/POST on endpoints leads to exploits (gap in intent vs mechanism)

Reply to your daily dose of json+ld, #fedidev on Sun, 03 May 2026 21:19:58 GMT

thisismissem@activitypub.space — Sun, 03 May 2026 21:19:58 GMT

@profpatsch@mastodon.xyz and as you'll see in that conversation, I'm saying we don't actually need 20-50 permissions, but rather Rich Authorization Requests, which are specifically designed for this type of thing.

Reply to your daily dose of json+ld, #fedidev on Sun, 03 May 2026 17:59:53 GMT

profpatsch@mastodon.xyz — Sun, 03 May 2026 17:59:53 GMT

@thisismissem but people discussing whether we need 20 or 50 permission settings really shows that the abstraction itself is fundamentally broken

Reply to your daily dose of json+ld, #fedidev on Sun, 03 May 2026 17:59:21 GMT

profpatsch@mastodon.xyz — Sun, 03 May 2026 17:59:21 GMT

@thisismissem yeah, exactly.

Reply to your daily dose of json+ld, #fedidev on Sun, 03 May 2026 17:05:11 GMT

thisismissem@activitypub.space — Sun, 03 May 2026 17:05:11 GMT

@profpatsch@mastodon.xyz OAuth 2.1, which is what I've been steering people towards is much safer and easier to implement than OAuth 2.0 as a lot of the security footguns have been solved or very well documented. We will end up with an OAuth profile for ActivityPub, but it'll probably just be mostly identical to the OAuth profile from AT Protocol.

Though, at the same time I'll often ask "do we really need OAuth for this, or would ... be a better solution?"

Reply to your daily dose of json+ld, #fedidev on Sun, 03 May 2026 12:58:54 GMT

profpatsch@mastodon.xyz — Sun, 03 May 2026 12:58:54 GMT

@phnt corollary: if you need people to include libraries with the footprint of multiple garbage trucks just to interface with your thing, your thing is GARBAGE, sorry I don’t make the rules …

Reply to your daily dose of json+ld, #fedidev on Sun, 03 May 2026 12:58:10 GMT

profpatsch@mastodon.xyz — Sun, 03 May 2026 12:58:10 GMT

@phnt If you depend on specialized “profiles” for a “standard” with multiple RFCs of thousands of branching MAYs and MIGHTs, your just sidelined any non-professional developers into never being able to interact with your protocol

Reply to your daily dose of json+ld, #fedidev on Sun, 03 May 2026 12:53:41 GMT

profpatsch@mastodon.xyz — Sun, 03 May 2026 12:53:41 GMT

@phnt OAuth is another “standard” that we should develop some workaround for

Reply to your daily dose of json+ld, #fedidev on Sun, 03 May 2026 12:52:30 GMT

phnt@fluffytail.org — Sun, 03 May 2026 12:52:30 GMT

@Profpatsch@mastodon.xyz enjoy: https://github.com/swicg/activitypub-api/issues/1#issuecomment-3708524521