IETF
HTTPAPI
httpapi@jabber.ietf.org
Tuesday, November 8, 2022
alexamirante has set the subject to: HTTPAPI at IETF 112 - https://notes.ietf.org/notes-ietf-112-httpapi
GMT+0
[09:23:56] <zulipbot> (Roberto Polli) Hi folks!
[09:26:56] <zulipbot> (Darrel Miller) Hey Roberto!
[09:26:56] <zulipbot> (Darrel Miller) Welcome to all.
[09:41:08] <zulipbot> (Julian Reschke) value for location would need to be quoted
[09:43:11] <zulipbot> (Julian Reschke) and here a comma is missing :-
[09:43:24] <zulipbot> (Aaron Parecki) i said tbd ;-)
[09:49:47] <zulipbot> (Darrel Miller) @aaron If the url in the challenge was to an OpenID configuration document, would that work without directly enabling popups?
[09:51:18] <zulipbot> (Jonathan Hoyland) Is this something potentially for GNAP?
[09:53:11] <zulipbot> (George Fletcher) There is precedent for returning the URL location of the Authorization Server in the WWW-Authenticate header as this is a feature of User Managed Access 2.0.
[09:54:23] <zulipbot> (Martin Thomson) How much time do we have on this topic?
[09:56:38] <zulipbot> (Darrel Miller) We only have one other presentation and then status updates.  But I will close the queue
[09:57:17] <zulipbot> (Aaron Parecki) @**Darrel Miller** I think calling it "popup" is a bit misleading tbh, really what we're talking about is launching a browser from a non-browser context
[09:57:57] <zulipbot> (Roberto Polli) @darrel I think I'll be quick: it's only YAML
[09:58:17] <zulipbot> (Darrel Miller) There is a good example of this for something like Excel importing data from authenticated sources.
[09:58:51] <zulipbot> (Darrel Miller) And specifically imported sources it knows nothing about beforehand.
[10:02:07] <zulipbot> (Graham Klyne) Doesn't oauth require some kind of (private) client id to be provided?
[10:02:46] <zulipbot> (Graham Klyne) (Re discussion about unknown apps requesting auth...)
[10:03:06] <zulipbot> (George Fletcher) client_id's aren't (private) but yes that is a key requirement of Oauth. As Aaron referenced, there is a way to dynamically register an application to obtain a client_id.
[10:06:57] <zulipbot> (Graham Klyne) OT: I'm wondering how widely implemented the Oauth dynamic registration option is?  (I first heard about this several years ago, but since nothing about actual deployment.)
[10:08:08] <zulipbot> (George Fletcher) At this point I would agree that it's not widely implemented. There are a number of important security considerations when enabling it; especially in an open environment.
[10:08:55] <zulipbot> (George Fletcher) On the other hand, there are a lot of benefits as well :)
[10:09:21] <zulipbot> (Aaron Parecki) I've seen implementations of Dynamic Client Registration where the registration endpoint requires authentication, so it's a sort of hybrid
[10:09:35] <zulipbot> (George Fletcher) +1
[10:09:48] <zulipbot> (Graham Klyne) Yes.  I have a service implementation that would benefit :)
[10:10:27] <zulipbot> (Aaron Parecki) But yes, someone like Google is not going to implement an unauthenticated dynamic client registration endpoint. But even though their system doesn't want to enable that, there are still plenty of other scenarios it's useful in. The calendar app example is one, and the wordpress example I mentioned.
[10:10:40] <zulipbot> (Graham Klyne) ... software that installs to a "local" server, and uses OAuth for user authn
[10:13:03] <zulipbot> (Roberto Polli) Thank you very much!
[10:13:04] <zulipbot> (Graham Klyne) Currently setting up the identification service is a per-provider manual process for the person who is installing the software - it would be nice to automate that.  Not expecting the registration flow to be unauthenticated.
[10:15:12] <zulipbot> (Julian Reschke) Popups :-)
[10:17:41] <zulipbot> (Roberto Polli) without Erik it's hard ;)
[10:19:50] <zulipbot> (Julian Reschke) ha!
[10:20:22] <zulipbot> (Jonathan Hoyland) I was convinced Mark was going to say he likes human readability because he is human, but I guess not.
[10:21:05] <zulipbot> (Julian Reschke) you can always use a string .-)
[10:30:01] <zulipbot> (Graham Klyne) Re link template - in a past life, this is something that I wanted to use.  I forget the exact context, but I recall some uncertainty about the context from which variable values might be obtained.  (Mumble.)
[10:33:01] <zulipbot> (Graham Klyne) (It would have been something to do with exposing a REST API for an application.)
[10:36:08] <zulipbot> (Liam Crilly) If intermediaries can handle cookies, they can handle rate-limit values in a single header
[10:38:17] <zulipbot> (Martin Thomson) Now we need the stars to turn on
[10:42:01] <zulipbot> (Martin Thomson) Nothing stopping the policy endpoint from doing `headers["rate-limit"] += "policy=" + policy_value;`
[10:43:18] <zulipbot> (Martin Thomson) VOTE!
[10:43:48] <zulipbot> (Roberto Polli) 3 headers
[10:44:01] <zulipbot> (Francesca Palombini) remote folks you can write in chat
[10:44:14] <zulipbot> (Julian Reschke) please use sf
[10:46:38] <zulipbot> (Graham Klyne) Re rate limit headers: I agree with MNot's comments about following the semantics, just don't know enough about the semantics.
[10:46:52] <zulipbot> (Roberto Polli) Ok, thanks :)
[10:47:05] <zulipbot> (Liam Crilly) I represent NGINX. I'll get some eyeballs on this
[10:47:06] <zulipbot> (Roberto Polli) Thanks Liam!
[10:47:46] <zulipbot> (Francesca Palombini) really cool
[10:48:12] <zulipbot> (Graham Klyne) https://ietf-wg-httpapi.github.io/  (in case it helps)
[10:48:31] <zulipbot> (Roberto Polli) :clap
[10:48:54] <zulipbot> (Hans-Jörg Happel) nice visualization!
[10:49:07] <zulipbot> (Hans-Jörg Happel) very helpful
[10:49:20] <zulipbot> (Francesca Palombini) thank you!
[10:49:20] <zulipbot> (Julian Reschke) clap