-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Looking to implement IndieAuth and have some questions #135
Comments
Yes, we have switched to the AS metadata discovery which makes it easier to delegate to an external provider. While it does require an extra request from the client, I'm not sure I would call it a "significant performance hit" since it's just one request to a static relatively small JSON document. Plus it's really only a concern for mobile clients, since non-mobile clients should have a web server backend and then it's a server-to-server request that doesn't even touch the client.
Yes, this is a potential risk, and is mentioned in the security considerations, which is why there is a recommendation to display the
Yes, which is why that recommendation is to display the Also worth noting if you haven't found it already that there is a discussion of updating the client metadata discovery to a client metadata JSON document as well: #133. I've already implemented that in webmention.io and am using the new |
Thanks @aaronpk!
It's more the round trip latency than how the request itself is handled. There's never a guarantee of network performance between any two endpoints so I try to keep requests to a minimum. That said, I understand the decision. I just want to voice my opinion that leaving the rel links in provides a useful optimization and would love for them to be kept, even if only in the
Displaying the client_id to the user is good (I would argue necessary), but generally if a logo is presented I think people are more likely to make their trust decision based off that than the domain.
This is true, and I think it's bad security practice. There have been real world exploits. Note that Google's review process has gotten pretty rigorous. It was quite a pain for me to get LastLogin approved, and it only requests the most basic login scope values. Also they likely have advanced systems for flagging logos and domains that are trying to pretend to be other orgs. This is all beneficial, but it would be better to only show the domain for any org that hasn't been reviewed by a human IMO.
I did see that. I think it's a great direction if you insist on supported client metadata. Since I only plan on displaying the client domain (and avoiding another round trip), my implementation hopefully won't be impacted. Though I suspect @sebadob would insist on any PRs to Rauthy supporting it. |
LastLogin now has a reasonably functional IndieAuth implementation in a dev branch. |
I'm looking to implement IndieAuth in obligator (which powers LastLogin), with an eye towards contributing a patch to Rauthy as well. This would give people a couple more options for hosting their own IndieAuth server.
I have a couple questions:
It looks like
rel=authorization_endpoint
andrel=token_endpoint
are deprecated. I'm concerned this forces an additional round trip for fetching the AS metadata, which can cause a significant performance hit, especially for users on native clients with slower internet or low-powered devices. Is there a way to avoid this?The spec currently recommends that clients provide client information to the AS, including client name and logo. Does trusting this information not open users up to significant security issues? For example, if gooogle.com hosts client data with name "Google" and the actual Google logo, users will be pretty likely to trust the login. If we're supporting logins without requiring client registration (which is a killer feature of IndieAuth IMO), isn't the only information we can trust enough to present to the user the client domain itself? Not fetching the client metadata also saves another round trip. It looks like this is already possible since most of the wording in this sections is SHOULDs, and that the AS can choose to simply verify the redirect_uri is on the same domain as the client_id and forego fetching the client data, correct?
The text was updated successfully, but these errors were encountered: