-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Standard mechanism for requesting a ticket auth ticket grant? #87
Comments
For the record, I currently implement the following: POST /tokens HTTP/1.1
action=ticket&me=https://alice.example.com/ I think it might be wrong to use It feels much closer to what IndieAuth uses I do think it makes a lot more sense to request for a specific |
Ah, yeah, those verbs make a lot more sense. I like |
Shouldn't the request include the |
Ah, good catch. |
What should be the possible responses to this? Should it just always respond identically, and if you don't get a ticket, it means the endpoint doesn't want to give you one? |
I think that could just be an implementation detail, up to the implementer to decide how much information to give on the ticket grant itself. 202 Accepted is probably the best choice for all responses though; it's accepted the request for a ticket grant, even if that doesn't necessarily mean that a ticket grant will ever be sent. But I'd also think it'd be acceptable for an implementation to give a 4xx with an appropriate error message, for example a 429 for the usual "retry later," or a 403 if they've been outright banned from requesting future tickets or the like. |
Still worth discussing. |
I agree with @fluffy-critter that the response should be whatever is a valid HTTP response as decided by the server. If it must standardise on something, I would propose lifting a lot of what the Webmention spec has and saving us the time writing something new. The cases are similar in that in both cases a party sends a POST request to an endpoint they discovered. Webmention returns a 201 if things are handled synchronously and 202 if asynchronously. Which could be copied here by responding with a 201 if the endpoint knows a token has succesfully been sent and a 202 if it is being handled in the background. Webmention also documents using only 400 and 500 for user request errors and server errors respectively. Which is about as much as we would expect here too, unless features lie the subcodes of 4xx become relevant. |
I have been looking at this again to make a notation on the spec of this as a proposal. There are a few questions.
|
Thinking again about the ticket endpoint vs the token endpoint. The token endpoint is the one granting a token. The job of the ticket endpoint is to receive and redeem tickets. Technically speaking, you don't have to have a ticket endpoint to issue tickets, and you don't need a token endpoint to redeem tickets. So the initial proposal is probably the right one. |
A thing which has come up recently that needs consideration for the actual draft spec, whenever this occurs: Since the actual request/verification flow is precisely backwards from IndieAuth, the usual mechanism for URL redirection no longer applies. This became an issue recently when someone requested a ticket from my token endpoint but used the http:// version of their identity URL instead of https://, which led to them getting a token for http://, which was the wrong identity for authentication on my site. For now what I've decided to do in my implementation is if the request comes from a URL which has a Relevant discussion:
Publ's implementation of |
As an extension to Ticket Auth, it might be nice to optionally support the ability for someone to request a ticket to be sent to them by the provider's token endpoint. For example, if user
https://alice.example.com/
wants a ticket fromhttps://bob.example.com/
, then Alice could make a POST request tohttps://bob.example.com/tokens
with parameters:grant_type=ticket_request&subject=https://alice.example.com/
at which point Bob's token endpoint could (if supported) perform a
ticket_endpoint
discovery on Alice's profile page and then initiate the rest of the TicketAuth flow.Alternately, this could signal Bob that there is a pending ticket request to send to Alice, and Bob can opt to continue the rest of the flow.
In effect, this would be an optional, standard "follow request" procedure, of which many developers are already baking something similar into their
grant_type=ticket
flows on their token endpoints for testing purposes.The text was updated successfully, but these errors were encountered: