@julian diving into the hard problems of building for the Fediverse at #Fedicon, starting with hilariously talking about how those hard problems look like to average users 😅
-
This is a good point, though I'm not clear how different servers would handle outbox requests for activities that they don't support. I'm pretty sure mine would just die.
My big concern with OAuth tokens is that they require me to give away write access to my Fediverse identity when I "like" or "reply" to something, which could easily be an attack vector.
We talked about scoping OAuth tokens, but it feels like a lot of moving parts. More details later
-
@risottobias @julian @naturzukunft anyone paying me to write it? No? Then there's probably not gonna be s document appear whilst I struggle to pay my rent
-
I'm genuinely behind on this. I've skimmed Evan's FEP, but a lot of OAuth complexity is still opaque to me.
It seems like the missing piece with using the C2S API would be *figuring out* what endpoints I can call to initiate an activity.
Does FEP-d8c2 implement discovery in some way that I'm not seeing? Or, is this something *still to be defined* and I'm just jumping the gun, here?
-
-
@benpate @evan @thisismissem @julian @naturzukunft I think the idea is that you get an access_token which you can use to post to the outbox - which you can discover from the Actor object.
-
Yes. It seems possible, but would require a lot of complex thought to do well. And that complexity is pushed onto the user, who has to determine if they like the terms that the website is presenting in order to continue putting a "star" on an article.
You and I will implement this ethically. Others will implement it adversarially -- I want to build the protocol to protect against the next Cambridge Analytica.
-
But most software doesn't support the C2S API, so that POST would either fail, or the server would lie and say "thanks for submitting this activity" and then just do nothing with it.
I'd like to know that the activity is going to fail BEFORE I hit submit. Otherwise, users will run into a dead end, and the server that originated the request won't have any way to fix it.
Servers should know AHEAD OF TIME if they can post activities or not.
-
@benpate @evan @thisismissem @julian @naturzukunft SWICG c2s task force wen (or will the payments task force just naturally become the c2s tf over time)
-
@benpate @evan @thisismissem @julian @naturzukunft all joking aside I think c2s requires emelia and Aaron's rfc on the OAuth side, and some equally complex discovery mechanism based on alternate AuthZ (presumably something based on certificate-ized Object Capabilities?) if we wanna stay composable and not-100%-dependent on oauth...
-
@benpate @evan @thisismissem @julian @naturzukunft It's certainly helpful to have a way to know if you should show that button on the UI or not!
-
fentiger@mastodon.social benpate@mastodon.social exactly, we need some guarantee that the activity we POST to the outbox isn't just unceremoniously dropped and an HTTP 200 returned.
NodeBB doesn't support POSTing the outbox at the moment, but do you return a HTTP code for "not implemented", currently.
-
-
-
-
@by_caballero @benpate @thisismissem @julian @naturzukunft that's too hard. We have an API. It already works.
-
-
@benpate @FenTiger @julian the plan there is to have finer grained scopes for particular activities. And also limiting them by domain: "let this server Like and Reply to objects on its own domain"
Add more granular scopes specific to ActivityPub
fep - Fediverse Enhancement Proposals
Codeberg.org (codeberg.org)
-
@benpate @FenTiger @julian there's a whole chapter about the API in my book:
ActivityPub book
In September 2023, I started work on a book about ActivityPub for O'Reilly Media. As of September 2024, the book is now available! Ebook The book is available from several different ebook vendors in different formats. O'Reilly Learning Platform Amazon Apple Books ebooks.com Kobo Print The book is not yet available in print format. O'Reilly…
Evan Prodromou's Blog (evanp.me)
-
-
evan@cosocial.ca I'm not certain whether it's too hard or not. At this point I haven't looked into it yet.
But if there is a chance that we can use standardized endpoints for this, then it's a point in their favour.
At the same time, I am a proponent of simplicity.
