IndieWeb Summit hack day

IndieWeb Summit demos were yesterday and I wanted to write up my thoughts while they're still fresh in my mind.
Gregor and I decided to have a go at implementing AutoAuth, after the session on private webmentions and different types of auth on the Saturday. That discussion brought up that AutoAuth could replace some of the earlier auth flows created to solve individual cases of sharing private data. I think that's a good sign for AutoAuth, because it's flexible enough to solve multiple problems.
That meant we had to pick a test case to implement and demo with AutoAuth, and we decided viewing a private post would be the simplest. Gregor already had support for private posts on his site, so we started from there and I would add support to view the post.
Our first challenge was just agreeing on how to read the spec! We had both read it before starting the hack day, but it's not a simple thing to get your head around. One of the best things we did was work through each step, once we had picked our roles. We implemented one step at a time, each working on our own side of the flow, and luckily there was about the same amount of work on each side, so this worked well.
The first step was for Gregor to add a token endpoint that could be discovered from his private post, along with a WWW-Authenticate header. The process then is that when I fetch the private post I see this header and craft a POST request to his token endpoint. This request contains a bunch of information, with the goal being that I give Gregor's token endpoint enough information to find my authorization endpoint and make a request to it on my behalf. I make sure that this request will succeed by storing, on my side, the same authorization code that I send to the token endpoint. The thing that I really liked at this point was that I didn't need to change my authorization endpoint at all to make this happen. I could craft an entry in my authorization codes table that would pass when requested according to the AutoAuth spec.
After Gregor makes this request, he's happy that I have been identified and can be issued a token for his private post. I provide a callback URL in my request, so that's where he sends the token. I store that on my server and can now fetch the private post again with the token in an Authorization header. This all worked pretty well, and our two-minute demo involving just a couple of page loads was our reward for spending pretty much the whole day trying to work this out. :-)
We observed a few interesting things from this process. First, there's a fair bit of work involved to get a token, but once it's done you get to skip most of it for subsequent requests for the private post. I found the callback process for receiving the token interesting: there's not much information in the request about who the token is coming from. There is enough, though, because the callback includes a state parameter that I generated initially. I need to store all the information about the private post I'm accessing when I create the state parameter, so that I know who to associate the token with when it gets returned.
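To make the flow described above concrete, here is an added in-process sketch that plays both sides; it is not code from this post, from Gregor's site, or from the AutoAuth spec. The request parameter names, the WWW-Authenticate challenge format and the example URLs are assumptions for illustration; what it shows is the two server-side bindings the flow relies on: the requester pre-storing its own code so its unchanged authorization endpoint accepts it, and the state parameter mapping the returned token back to the private post it was requested for.

```python
import secrets

class RequestingSite:  # my side: wants the private post, owns an authorization endpoint
    def __init__(self, me, auth_endpoint, callback):
        self.me, self.auth_endpoint, self.callback = me, auth_endpoint, callback
        self.auth_codes, self.pending, self.tokens = {}, {}, {}  # code->redeemer, state->post, post->token

    def build_token_request(self, post_url, token_endpoint):
        # Pre-store the code so my unchanged authorization endpoint accepts it; the state remembers the post.
        code, state = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.auth_codes[code], self.pending[state] = token_endpoint, post_url
        return {"me": self.me, "code": code, "state": state, "callback": self.callback,
                "authorization_endpoint": self.auth_endpoint}  # parameter names are assumed, not from the spec

    def verify_code(self, code, caller):  # my authorization endpoint's answer; codes are single use
        return self.auth_codes.pop(code, None) == caller

    def callback_endpoint(self, state, access_token):
        # The callback says little about its sender; the state I generated tells me which post it is for.
        post_url = self.pending.pop(state, None)  # unknown or replayed state -> None, token is dropped
        if post_url:
            self.tokens[post_url] = access_token
        return bool(post_url)

class PublishingSite:  # Gregor's side: a private post guarded by a token endpoint
    def __init__(self, post_url, token_endpoint, allowed_readers):
        self.post_url, self.token_endpoint = post_url, token_endpoint
        self.allowed, self.issued = set(allowed_readers), {}  # issued: token -> me

    def get_post(self, authorization=""):
        if self.issued.get(authorization.partition("Bearer ")[2]) in self.allowed:
            return 200, "private post body", {}
        return 401, "", {"WWW-Authenticate": f'AutoAuth token_endpoint="{self.token_endpoint}"'}  # challenge format assumed

    def token_endpoint_post(self, p, ask_auth_endpoint):
        # Don't trust the bare "me" claim: confirm the code with the requester's own authorization endpoint.
        if p["me"] not in self.allowed or not ask_auth_endpoint(p["authorization_endpoint"], p["code"], self.token_endpoint):
            return None
        token = secrets.token_urlsafe(24)
        self.issued[token] = p["me"]
        return p["callback"], {"state": p["state"], "access_token": token}

def run_flow():
    me = RequestingSite("https://me.example/", "https://me.example/auth", "https://me.example/callback")
    gregor = PublishingSite("https://gregor.example/private", "https://gregor.example/token", [me.me])
    status, _, hdrs = gregor.get_post()  # 1. plain fetch -> 401 plus the WWW-Authenticate challenge
    req = me.build_token_request(gregor.post_url, hdrs["WWW-Authenticate"].split('"')[1])  # 2. POST it
    cb_url, payload = gregor.token_endpoint_post(req, lambda ep, c, who: me.verify_code(c, who))  # 3. stand-in for HTTP
    assert status == 401 and cb_url == me.callback and me.callback_endpoint(**payload)  # 4. token arrives via callback
    return gregor.get_post("Bearer " + me.tokens[gregor.post_url])[:2]  # 5. refetch with the token
```

Running `run_flow()` walks the five steps once and returns the successful second fetch; calling `verify_code` or `callback_endpoint` a second time with the same code or state fails, which is the single-use behaviour you want on both tables.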
IndieWeb Summit 2019 was great and I don't think we would've been able to get through AutoAuth in a day without having such an awesome group of people to talk to!