I am publishing a small #ActivityPub / #fediverse project: https://fietkau.software/webfinger_canary and @canary
-
@morph This is pretty deep in the weeds, no worries at all if you're not the target audience!
-
huh, on this instance (mastodon v4.3.0-beta.2+glitch) it seems to work fine except for the URL for @canary in your post is actually shown as https://wrong.webfinger-canary.fietkau.software/canary when hovered (in the browser, not the mastodon profile preview, there it shows correct just fine)
minor edge case ig? (unless you actually do have to go to wrong. as the URL)
-
Marcus Rohrmoser 🌻 replied to Julian Fietkau
Hi @julian @canary,
what problem are you solving? Why should the domains have to match? And bad implementations happen. #Webfinger
https://dev.seppo.social/2024-03-19/apchk.cgi/webfinger?redirect=self&resource=@[email protected]
-
@5225225 Huh, yeah, that sounds like a bug somewhere. On my upstream Mastodon 4.3.1 the hover card is correct. Might be an oddity with glitch or something that was fixed after the release of 4.3.0.
Dunno how well you know ActivityPub and how much this will mean to you, but the actor ID is indeed hosted on wrong.webfinger-canary..., intentionally so (that's what these split-domain setups are about). But if it appears anywhere in the UI outside of maybe the moderation tools, it's a bug.
-
Julian Fietkau replied to Marcus Rohrmoser 🌻
@mro Could you clarify your question? The idea of a split-domain setup is that the ActivityPub and WebFinger domains do not necessarily need to match, so that custom domains can be more easily used in fediverse handles.
-
Marcus Rohrmoser 🌻 replied to Julian Fietkau
Hi @julian,
if you can't use them, it's because of broken servers. How do you improve 3rd party servers?
-
@julian oh the hover card is correct, yes.
i mean the URL preview that the browser goes to. as in, if you hover a link to www.example.com in any site, the browser shows you the link target in the bottom left of the screen.
So presumably the URL actually does have to be wrong.webfinger-canary... (which then redirects? to the correct place)
-
Julian Fietkau replied to Marcus Rohrmoser 🌻
@mro Ah yes. This project was put together to raise awareness about the feature and help platform developers test it. Broken servers will always exist, hopefully I can reduce their number by helping their developers with documentation and advocacy.
-
@julian
Client support is also interesting to look at. With @jon I'm sometimes seeing funny leaps in displaying or addressing the account.
Also the split between @ jon @ allmende.io and https://social.allmende.io/@jon isn't really intuitive.
@canary
-
Marcus Rohrmoser 🌻 replied to Julian Fietkau
Hi @julian,
I'd like to test @aSeppoToTry, how can I?
-
@5225225 Alright, that's not _as_ bad, but still strange.
When I hover over a mention while logged into my server, the link goes to a local domain like this: https://fietkau.social/@canary@correct.webfinger-canary.fietkau.software So if I click on the tag, I get a local view of the profile. I can't think of a situation where a direct link to the "wrong..." hostname should appear anywhere in a post.
(Using the "wrong" URL for the "view on original server" link on the profile is a known Mastodon bug. It links to the ID instead of the URL.)
-
Julian Fietkau replied to Marcus Rohrmoser 🌻
@mro @aSeppoToTry To test the split-domain handle on a remote actor, you can look up @canary in your platform and see what handle it shows you. I just gave it a try, see attachment.
It currently shows the wrong hostname. That means it's using the ActivityPub ID to construct the handle, when the handle domain should be coming from the WebFinger result. See my checklist https://correct.webfinger-canary.fietkau.software/#developers or the SocialCG report https://www.w3.org/community/reports/socialcg/CG-FINAL-apwf-20240608/#reverse-discovery for details on how to fix it.
Btw: very cool project!
-
@yala @jon I'm not surprised some clients would get this wrong somehow.
Also, some platform developers take a stance that custom domains should not be allowed, or that someone's handle domain should not be "too different" from their ActivityPub server's domain. I disagree and think people should be allowed to go wild with custom domains.
-
@yala @jon In the current scheme supported by Mastodon and some others, proof of domain ownership happens by serving a specific path (the WebFinger endpoint) on the target domain. This can be done through an HTTP redirect to make it as easy as possible. But yeah, DNS-based validation would do the job as well, it's just less common outside of Bluesky.
-
Marcus Rohrmoser 🌻 replied to Julian Fietkau
Hi @julian @aSeppoToTry @canary,
hm, interesting. I doubt there is a correct answer. Because #Webfinger doesn't care about #ActivityPub and ActivityPub doesn't care about Webfinger, neither specifies how to construct the handle from a profile document. It would have to be explicitly mentioned which it isn't. All other is idiosyncratic, proprietary oracles.
According to https://www.w3.org/TR/activitypub/ the actor id is the canonical identifier.
With best faith #Seppo combines the preferredUserName and the profile document's domain. What else could you do?
-
Julian Fietkau replied to Marcus Rohrmoser 🌻
@mro The actor ID should be the thing uniquely identifying an account, yes. However, in conversations we use tags/handles and not AP IDs, so we gotta construct these handles somehow. Your approach, using the AP host, is equally as idiosyncratic as using the WebFinger host. Both ways exist in the wild – Pixelfed, Misskey and Friendica do it the way you do; Mastodon, GoToSocial and Iceshrimp do it the way I do. I just prefer this way because it lets people use their domains more easily.
-
Marcus Rohrmoser 🌻 replied to Julian Fietkau
Hi @julian,
but how do you (they)? The actor just doesn't know the handle domain. Strictly speaking not even the local part but there seems to be consensus to use the preferredUserName. Serious question.
-
Julian Fietkau replied to Marcus Rohrmoser 🌻
@mro You do a WebFinger request on the AP host domain, and its response will give you a subject with the correct handle domain. See for example this account: https://toot.kif.rocks/@team and its WebFinger response: https://toot.kif.rocks/.well-known/webfinger?resource=acct:[email protected] This is a Mastodon split-domain setup.
The process is described here: https://www.w3.org/community/reports/socialcg/CG-FINAL-apwf-20240608/#reverse-discovery (step 4 is important for this)
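
An added example, not part of the original post and not code from any of the projects named in this thread: a sketch of deriving a display handle from an actor ID via WebFinger, accepting a split-domain handle only when the handle domain's own WebFinger endpoint points back at the same actor. It assumes the lookup resource is acct:preferredUsername@AP-host; the hostnames, the `fetch_webfinger` helper and the sample responses are constructed, and returning None for an unconfirmed actor is a choice made for this example.

```python
from urllib.parse import urlsplit

ACTOR = "https://ap.example/users/alice"  # constructed actor ID

def jrd(subject, actor):
    """Build a minimal RFC 7033 JRD (constructed sample data)."""
    return {"subject": subject, "links": [
        {"rel": "self", "type": "application/activity+json", "href": actor}]}

# Constructed WebFinger responses keyed by (queried host, resource);
# a stand-in for GET https://<host>/.well-known/webfinger?resource=<resource>
SAMPLE = {
    ("ap.example", "acct:alice@ap.example"): jrd("acct:alice@example.org", ACTOR),
    ("example.org", "acct:alice@example.org"): jrd("acct:alice@example.org", ACTOR),
    # AP host that claims a handle on a domain which does not vouch for it
    ("evil.example", "acct:bob@evil.example"):
        jrd("acct:bob@bank.example", "https://evil.example/users/bob"),
}

def fetch_webfinger(host, resource):
    """Hypothetical fetcher; returns the parsed JRD or None if lookup fails."""
    return SAMPLE.get((host, resource))

def self_link(doc):
    """Return the href of the rel=self link, i.e. the actor ID the JRD names."""
    return next((l.get("href") for l in doc.get("links", [])
                 if l.get("rel") == "self"), None)

def resolve_handle(actor_id, preferred_username, fetch=fetch_webfinger):
    ap_host = urlsplit(actor_id).hostname
    fallback = f"{preferred_username}@{ap_host}"
    doc = fetch(ap_host, f"acct:{fallback}")
    if not doc or self_link(doc) != actor_id:
        return None  # the AP host's own WebFinger does not name this actor
    subject = doc.get("subject") or ""
    if not subject.startswith("acct:") or subject == f"acct:{fallback}":
        return fallback  # no split-domain handle advertised
    # The subject names another domain: accept it only if that domain's
    # WebFinger endpoint points back at the same actor ID.
    handle = subject[len("acct:"):]
    confirm = fetch(handle.rpartition("@")[2].lower(), subject)
    if confirm and confirm.get("subject") == subject \
            and self_link(confirm) == actor_id:
        return handle
    return fallback
```

Without the confirming lookup on the handle domain, any server could advertise a subject on a domain it does not control and have it displayed as the account's handle.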
-
Marcus Rohrmoser 🌻 replied to Julian Fietkau
Hi @julian,
the document is a report from @evanprodromou mid 2024, not a standard and not part of #AP. And at step 4 it reads "4. Optionally:". But it proposes a solution - thanks for bearing with me. So the #rfc7033 subject: "acct:[email protected]" would be it.
Feels hacky, IMO the profile should be explicit about the handle just like the way round #webfinger is explicit about the actor id.