Who did this?

@reiver @julian

@evan @julian

I’m confused, sorry. In this context, I’m assuming you mean the ActivityPub C2S API (which I have not implemented)

But I thought we were talking about a future update to the C2S API, which I think would be amazing, but I also haven’t implemented because.. it’s in the future?

I have done tons of OAuth clients and servers, and even have a Mastodon API about 80% complete.

@julian

I honestly thought it was just me

@evan @FenTiger @julian

This sounds perfectly reasonable, and is probably the right thing to do.

Except I probably implemented ActivityPub wrong - using it as a protocol and not an architecture.

Database tables represent the things I understand, and are written out as “JSON-LD” when needed. So there’s no true “outbox”, except as links to the tables I care about

Again, this is an “it’s me, not you” situation, but I’ll bet others might be in the same boat.

@FenTiger @julian

Yes, this makes sense. OWA was a partial match for my FEP, but doesn't fit this larger use case we're discussing.

Exciting!

But most software doesn't support the C2S API, so that POST would either fail, or the server would lie and say "thanks for submitting this activity" and then just do nothing with it.

I'd like to know that the activity is going to fail BEFORE I hit submit. Otherwise, users will run into a dead end, and the server that originated the request won't have any way to fix it.

Servers should know AHEAD OF TIME if they can post activities or not.

@FenTiger @evan @thisismissem @julian @naturzukunft

@FenTiger @julian

Yes. It seems possible, but would require a lot of complex thought to do well. And that complexity is pushed onto the user, who has to determine if they like the terms that the website is presenting in order to continue putting a "star" on an article.

You and I will implement this ethically. Others will implement it adversarially -- I want to build the protocol to protect against the next Cambridge Analytica.

I'm genuinely behind on this. I've skimmed Evan's FEP, but a lot of OAuth complexity is still opaque to me.

It seems like the missing piece with using the C2S API would be *figuring out* what endpoints I can call to initiate an activity.

Does FEP-d8c2 implement discovery in some way that I'm not seeing? Or, is this something *still to be defined* and I'm just jumping the gun, here?

@evan @thisismissem @julian @naturzukunft

@FenTiger @julian @evan

This is a good point, though I'm not clear how different servers would handle outbox requests for activities that they don't support. I'm pretty sure mine would just die.

My big concern with OAuth tokens is that they require me to give away write access to my Fediverse identity when I "like" or "reply" to something, which could easily be an attack vector.

We talked about scoping OAuth tokens, but it feels like a lot of moving parts. More details later

I'm still catching up on this conversation, but I just want to add that this analysis is spot on. Very well said, Julian. Thank you!

I'm collecting a few thoughts on this that won't fit into a toot, so I'll probably post them elsewhere and link back here once I get it together.

@julian @FenTiger @evan

@julian @FenTiger

Yes, count me in. I've been working on FEP-3b86 "Activity Intents" that is a "lighter weight" process that doesn't trade tokens with my origin server and relies on my home server to do all the work.

Mike, how does all of this relate to FEP-61cf: "The OpenWebAuth Protocol"? Should we keep it in mind as well?

Each process will have unique strengths and weaknesses, so Julian had proposed looking for a way to support multiple connections at the same time.