your daily dose of json+ld, #fedidev
-
@phnt OAuth is another “standard” that we should develop some workaround for
-
@phnt If you depend on specialized “profiles” for a “standard” with multiple RFCs of thousands of branching MAYs and MIGHTs, you've just sidelined any non-professional developers into never being able to interact with your protocol
-
@phnt corollary: if you need people to include libraries with the footprint of multiple garbage trucks just to interface with your thing, your thing is GARBAGE, sorry I don’t make the rules …
-
@profpatsch@mastodon.xyz OAuth 2.1, which is what I've been steering people towards, is much safer and easier to implement than OAuth 2.0, as a lot of the security footguns have been solved or very well documented. We will end up with an OAuth profile for ActivityPub, but it'll probably just be mostly identical to the OAuth profile from AT Protocol.
Though, at the same time I'll often ask "do we really need OAuth for this, or would ... be a better solution?"
-
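The OAuth 2.1 draft folds in the fixes the 2.0 ecosystem learned the hard way: PKCE is required for every client, redirect URIs are compared exactly, and the implicit and password grants are gone. As an added example, not code from the posts above nor from any ActivityPub or AT Protocol implementation, here is the authorization code flow with those rules enforced by a toy in-memory server. The hostnames, the client id and the AuthServer class are assumptions made for illustration.

```python
"""Authorization code flow with PKCE as the OAuth 2.1 draft requires it, with an
in-memory client and authorization server so the checks run offline. Added
example for this thread; hostnames, client id and AuthServer are assumed."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID = "fedi-client"                          # constructed
REDIRECT_URI = "https://client.example/callback"  # constructed

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding PKCE (RFC 7636) mandates."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_verifier() -> str:
    """code_verifier: 32 random bytes give 43 unreserved characters."""
    return b64url(secrets.token_bytes(32))

def make_challenge(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class AuthServer:
    """Toy authorization server: registered clients and single-use codes."""
    def __init__(self):
        self.clients = {}  # client_id -> set of exact redirect URIs
        self.codes = {}    # code -> issuance record

    def register(self, client_id, redirect_uris):
        self.clients[client_id] = set(redirect_uris)

    def authorize(self, params):
        """Front channel. OAuth 2.1: only the code grant exists, PKCE with
        S256 is mandatory for every client, redirect_uri matches exactly."""
        if params.get("response_type") != "code":
            raise PermissionError("implicit grant is not supported")
        if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
            raise PermissionError("PKCE with S256 is required")
        client_id, redirect_uri = params.get("client_id"), params.get("redirect_uri")
        if redirect_uri not in self.clients.get(client_id, set()):
            raise PermissionError("redirect_uri is not registered")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "challenge": params["code_challenge"]}
        return code

    def token(self, client_id, code, redirect_uri, code_verifier):
        """Back channel. The code is consumed on first use, so a replayed or
        stolen code is useless without the verifier that never left the client."""
        rec = self.codes.pop(code, None)
        if rec is None or rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown, reused or mismatched code")
        if not hmac.compare_digest(make_challenge(code_verifier), rec["challenge"]):
            raise PermissionError("code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

def start_flow():
    """Client builds the authorization URL; the server handles its query string."""
    server = AuthServer()
    server.register(CLIENT_ID, {REDIRECT_URI})
    verifier = make_verifier()
    url = "https://auth.example/authorize?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "code_challenge": make_challenge(verifier), "code_challenge_method": "S256",
        "state": secrets.token_urlsafe(16)})
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    return server, server.authorize(params), verifier

def exchange_ok(server, code, verifier):
    try:
        server.token(CLIENT_ID, code, REDIRECT_URI, verifier)
        return True
    except PermissionError:
        return False

def legitimate_client_succeeds():
    server, code, verifier = start_flow()
    return exchange_ok(server, code, verifier)

def stolen_code_fails_without_verifier():
    server, code, _ = start_flow()  # attacker holds the code, must guess a verifier
    return not exchange_ok(server, code, make_verifier())

def code_replay_fails():
    server, code, verifier = start_flow()
    return exchange_ok(server, code, verifier) and not exchange_ok(server, code, verifier)

def unregistered_redirect_is_rejected():
    server, _, verifier = start_flow()
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI + "/../evil",
              "code_challenge": make_challenge(verifier), "code_challenge_method": "S256"}
    try:
        server.authorize(params)
        return False
    except PermissionError:
        return True
```

The stolen-code case is what PKCE exists for: whoever intercepts the redirect still has to present the original code_verifier, and exact redirect_uri comparison removes the code leaks that prefix matching used to permit.
-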
@thisismissem yeah, exactly.
-
@thisismissem but people discussing whether we need 20 or 50 permission settings really shows that the abstraction itself is fundamentally broken
-
@profpatsch@mastodon.xyz and as you'll see in that conversation, I'm saying we don't actually need 20-50 permissions, but rather Rich Authorization Requests, which are specifically designed for this type of thing.
-
@thisismissem I’m all for that, because splitting things up on GET/POST on endpoints leads to exploits (gap in intent vs mechanism)
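-
To make the intent-versus-mechanism gap concrete, here is an added example that is not code from the posts above nor from any fediverse server: a coarse write scope keyed on HTTP method and path prefix is compared with an RFC 9396 authorization_details grant that names the resource, the action and the object type. The scope table, the activitypub_outbox and account type names, the REST paths and the sample requests are assumptions; RFC 9396 leaves the type vocabulary to each API.

```python
"""Coarse endpoint/method scopes versus RFC 9396 Rich Authorization Requests.
Added example for this thread; the scope table, detail type names, paths and
sample requests are constructed for illustration."""
import json
from dataclasses import dataclass

# Mechanism-level grants: each scope is a set of (HTTP method, path prefix).
# This is the "split things up on GET/POST per endpoint" model.
SCOPES = {
    "read": {("GET", "/api/")},
    "write": {("POST", "/api/"), ("PUT", "/api/"), ("DELETE", "/api/")},
}

# Detail types this API understands. RFC 9396 requires the authorization
# server to refuse authorization_details entries whose type it does not know.
KNOWN_TYPES = {"activitypub_outbox", "account"}

@dataclass(frozen=True)
class Request:
    method: str
    path: str
    resource_type: str   # what the request is about, e.g. "activitypub_outbox"
    action: str          # what it does to it, e.g. "create", "delete", "update"
    location: str        # the resource URL the action targets
    datatype: str = ""   # the object type involved, e.g. "Note"

def scope_allows(granted, req):
    """Mechanism check: does any granted scope cover this method and path?"""
    return any(req.method == m and req.path.startswith(p)
               for s in granted for (m, p) in SCOPES.get(s, ()))

def parse_authorization_details(raw):
    """Validate the authorization_details parameter a client sent."""
    details = json.loads(raw)
    if not isinstance(details, list) or not details:
        raise ValueError("authorization_details must be a non-empty JSON array")
    for d in details:
        if not isinstance(d, dict) or not isinstance(d.get("type"), str):
            raise ValueError("each entry needs a string 'type'")
        if d["type"] not in KNOWN_TYPES:
            raise ValueError(f"unknown authorization_details type {d['type']!r}")
        for key in ("actions", "locations", "datatypes"):
            if key in d and not (isinstance(d[key], list) and all(isinstance(x, str) for x in d[key])):
                raise ValueError(f"{key} must be an array of strings")
    return details

def details_valid(raw):
    try:
        parse_authorization_details(raw)
        return True
    except ValueError:
        return False

def details_allow(details, req):
    """Intent check: some entry must cover the type, action, location and datatype."""
    for d in details:
        if d["type"] != req.resource_type or req.action not in d.get("actions", []):
            continue
        if "locations" in d and req.location not in d["locations"]:
            continue
        if "datatypes" in d and req.datatype not in d["datatypes"]:
            continue
        return True
    return False

# Constructed: the user authorizes a client that only wants to post notes.
OUTBOX = "https://social.example/users/alice/outbox"
ACTOR = "https://social.example/users/alice"
RAW_DETAILS = json.dumps([{"type": "activitypub_outbox", "actions": ["create"],
                           "locations": [OUTBOX], "datatypes": ["Note"]}])

# Constructed requests, each described both by its HTTP shape and by its intent.
SAMPLE_REQUESTS = {
    "post_note": Request("POST", "/api/v1/statuses", "activitypub_outbox", "create", OUTBOX, "Note"),
    "delete_note": Request("DELETE", "/api/v1/statuses/1", "activitypub_outbox", "delete", OUTBOX, "Note"),
    "update_profile": Request("PUT", "/api/v1/accounts/me", "account", "update", ACTOR),
    "read_timeline": Request("GET", "/api/v1/timelines/home", "account", "read", ACTOR),
}

def compare(granted_scopes=frozenset({"write"}), raw_details=RAW_DETAILS):
    """Per sample request: (coarse scope decision, authorization_details decision)."""
    details = parse_authorization_details(raw_details)
    return {name: (scope_allows(granted_scopes, r), details_allow(details, r))
            for name, r in SAMPLE_REQUESTS.items()}
```

With only a write scope granted, the mechanism check waves through the profile update and the delete because they are mutating requests under /api/, while the authorization_details grant allows exactly the one thing the user consented to, creating Notes in that outbox.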