This is a rather interesting read: https://bengo.is/blogging/2024-10-03-the-challenge-of-activitypub-data-portability/
-
> So I need to fragment my identity and if people want to follow me they need to do so in multiple places.
exactly! well said. imho this is why we need to decouple identity from social, and might as well go to local first identity while we're at it (esp if it also helps with data portability).
-
Removing identity from the content servers does pose some interesting challenges.
If I'm hosting "peertube minus identity" as a service, where accounts are created and managed via a long list of external oauth2-like providers, I suddenly have a lot of moderation concerns.
I would want to make sure I have, at minimum, the same control over which people can upload arbitrary content to my server as I currently do.
-
Emelia replied to chihuamaranian:
@chihuamaranian @bengo yeah, you'd still have account-based moderation, it's just the Actor document that is the identity wouldn't be hosted by your server.
-
@chihuamaranian @thisismissem Good point. Even if people can 'create their account' and start signing local posts without talking to a server, before they get to use a server that local-first account still needs to get authorization to use it, and needs to prove that authorization in requests to the server.
-
@bengo @chihuamaranian then there's the matter of: currently every ActivityPub Server needs to be an OAuth 2 authorization server, because the spec mandates OAuth 2 for authentication/authorization.
So for instance, you couldn't present an OAuth Access Token from your Identity Provider with DPoP bound to the activities server, afaik.
-
@thisismissem @chihuamaranian the spec does not mandate OAuth2 for authentication/authorization...
there is zero normative language around oauth2 and no requirements that mandate it
https://www.w3.org/TR/activitypub/
One motivation for my writeup was to document
> Linked Data Signatures are best used when authentication is meant to be "long lived"
from the CR https://www.w3.org/TR/2017/CR-activitypub-20170907/#authorization-lds
I don't dislike oauth2. But it definitely isn't (and imho *should never be*) 'mandated'
-
@bengo @chihuamaranian okay, yeah, OAuth is a "may" I guess.
-
@bengo @chihuamaranian primer basically only talks about OAuth though for C2S: https://www.w3.org/wiki/ActivityPub/Primer/Authentication_Authorization
-
@thisismissem @chihuamaranian yeah... note that the original version of that page used 'may' and then the language was changed to imply a more normative stance. https://www.w3.org/wiki/index.php?title=ActivityPub/Primer/Authentication_Authorization&oldid=104824
-
personally I think that the JSON-LD signatures for authenticity should be the baseline of integrity and authenticity, because that's what gets shipped around, exported, etc.
If you then optimistically submit some JSON to an outbox server and it responds with a 401 and WWW-Authenticate header per https://www.rfc-editor.org/rfc/rfc6750#section-3
well, then the server is opting in to some extra authorization requirements in a standard way that clients can then act on.
-
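Added example (an editor's illustration, not code from this thread or from any ActivityPub implementation) of the flow bengo describes above: the client optimistically POSTs an activity to an outbox, the server answers 401 with a WWW-Authenticate Bearer challenge as in RFC 6750 section 3, the client parses the challenge, obtains a token for the advertised realm and scope from its identity provider, and retries once. The outbox server, the token value, the activity JSON and the `get_token` callback are all constructed stand-ins; nothing here touches the network.

```python
import json
import re

# Enough of the RFC 7235 auth-param grammar for Bearer challenges:
# token "=" ( token / quoted-string ), comma separated. Not a full header parser.
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_AUTH_PARAM = re.compile(
    r'\s*(' + _TCHAR + r')\s*=\s*(?:"((?:[^"\\]|\\.)*)"|(' + _TCHAR + r'))\s*(?:,|$)'
)


def parse_bearer_challenge(header: str):
    """Parse a WWW-Authenticate value. Returns the auth-params as a dict when the
    scheme is Bearer (RFC 6750 section 3: realm, scope, error, error_description,
    error_uri), or None for any other scheme so the caller can ignore it."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    params = {}
    pos = 0
    while pos < len(rest):
        m = _AUTH_PARAM.match(rest, pos)
        if m is None:
            raise ValueError(f"malformed Bearer challenge at offset {pos}: {rest[pos:]!r}")
        name = m.group(1).lower()
        if m.group(2) is not None:
            value = re.sub(r"\\(.)", r"\1", m.group(2))  # undo quoted-pair escapes
        else:
            value = m.group(3)
        params[name] = value
        pos = m.end()
    return params


# Constructed stand-in for an outbox endpoint (not any real project's code).
# It accepts an activity only when a token it recognises is presented.
KNOWN_TOKENS = {"tok-issued-by-idp"}  # constructed value, assume issued by the IdP


def outbox_server(headers: dict, body: str):
    """Return (status, response_headers). Every 401 carries a Bearer challenge."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if not scheme:
        # No credentials at all: advertise realm and scope, no error param (RFC 6750 s.3.1).
        return 401, {"WWW-Authenticate": 'Bearer realm="outbox", scope="write:activities"'}
    if scheme != "Bearer" or token not in KNOWN_TOKENS:
        return 401, {"WWW-Authenticate": (
            'Bearer realm="outbox", error="invalid_token", '
            'error_description="The access token is not valid"')}
    json.loads(body)  # the server would validate the activity here
    return 201, {"Location": "https://example.test/activities/1"}  # constructed


# Constructed activity; in the thread's model this object would already carry its own
# LD signature before it is ever submitted anywhere.
CONSTRUCTED_ACTIVITY = {
    "@context": "https://www.w3.org/ns/activitystreams",
    "type": "Create",
    "id": "https://alice.example/activities/1",
    "actor": "https://alice.example/actor",
    "object": {"type": "Note", "content": "hello"},
}


def submit_activity(activity: dict, get_token):
    """Optimistically POST to the outbox. On a 401 with a Bearer challenge, ask the
    identity provider (the get_token(realm, scope) callback) for a token covering the
    advertised scope and retry exactly once. Returns (final_status, challenge)."""
    body = json.dumps(activity)
    headers = {"Content-Type": "application/activity+json"}
    status, resp = outbox_server(headers, body)
    if status != 401:
        return status, None
    challenge = parse_bearer_challenge(resp.get("WWW-Authenticate", ""))
    if challenge is None:
        return status, None  # some other scheme; nothing this client knows how to satisfy
    token = get_token(challenge.get("realm"), challenge.get("scope"))
    status, resp = outbox_server({**headers, "Authorization": f"Bearer {token}"}, body)
    return status, challenge


if __name__ == "__main__":
    print(submit_activity(CONSTRUCTED_ACTIVITY, lambda realm, scope: "tok-issued-by-idp"))
```

The point of the shape: the client never assumes in advance that the server wants OAuth. It only reacts to a standard challenge, and a server that wants no extra authorization simply never sends one.
-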
@bengo @chihuamaranian oh, speaking of WWW-Authenticate, https://github.com/mastodon/mastodon/issues/32547
-
@thisismissem @chihuamaranian YAAAAAAAAAY ty em
cc @dmitri
-
@bengo @chihuamaranian @dmitri it's just an issue for now, but it's a start!
-
Hi @bengo @thisismissem,
love the idea but AP being a protocol of 1:1 delivery that wants direct contact to each recipient doesn't sound feasible for multiple followers which may be offline. And each delivery must be mutually visible from the internet for the http signature callback.
-
Mike Macgirvin replied to Marcus Rohrmoser:
Delivery of signed, portable objects (a la FEP-ef61) doesn't actually require HTTP signatures. The only reason to still use them is to glean the identity behind fetch requests which have no signed payload and maintain compatibility with legacy ActivityPub applications like Mastodon.
And in any case, authoring a post and delivering a post are completely different functions and there's absolutely no reason they need to take place on the same device.