Piero Bosio Social Web Site Personale

@smallcircles @steve @mariusor

I think in particular the terms "publisher" and "consumer" from AS2 and "client" and "server" from AP don't always map cleanly, especially with HTTP POST requests.

When a client delivers an activity to the actor's outbox, the client is the publisher of that activity, and the server is the consumer.

Same when a sending server (publisher) delivers an activity to a receiving server (consumer).

@benpate

With all the standard warnings around proxies!

@mariusor @thisismissem @steve @smallcircles

Yeah, this is how I'd expect it to work (with the possible addition of *also* allowing cookie auth on the client side)

But yeah. Locally authenticated user from my client -> my server, then HTTP signature from my server -> your server

@evan @mariusor @thisismissem @steve @smallcircles

Servers

- snac v2.90
- Castopod v1.15.0
- Ktistec v3.3.0
- tootik v0.21.1
- Badgefed v0.1.1
- Gush! v0.0.30
- Wanderer v0.18.5
- PieFed v1.6.6
- Our technical direction (Mastodon)

Clients

- Sengi v1.8.0
- tooi v0.21.2
- Summit v1.77.0
- Aria v1.4.3
- Pixelix v4.3.2

Tools and Plugins

- feed2fedi v3.5.0
- PeerTube Browser: A video discovery project for the federated PeerTube network

Protocol

- FEP-34c1: Collection Filtering using TREE Hypermedia Vocabulary

Articles

- Where Does Community Live?
- Why MAEPs? What should they look like?
- how to not regret c2s
- Reimagining Fediverse Advocacy
- FR#154 – Search and Community

-----

#WeekInFediverse #Fediverse #ActivityPub

Previous edition: https://mitra.social/objects/019c5906-05c0-87bf-8302-8226a8513c00

@mariusor I have implemented it requiring OAuth on one side and using HTTP Signature on the other. I think you need to use the user's authorization for private content or to respect personal blocks. It sucks for caching but ¯\_(ツ)_/¯

@thisismissem @benpate @steve @smallcircles

@smallcircles @steve sure. I am not a fan of the idea that AP is a message-passing system; it's a read-write API.

@thisismissem it's not explicitly saying to forward authorization, but to me that's implied from "require authentication":

proxyUrl: Endpoint URI so this actor's clients may access remote ActivityStreams objects which require authentication to access

https://w3c.github.io/activitypub/#proxyUrl

@evan @benpate @steve @smallcircles

@evan @benpate @steve @mariusor @smallcircles my understanding of proxyUrl is that it's just fetching a remote object, but without forwarding authorization

For many cases you want to forward the request as the authenticated user to the remote server, not doing the request anonymously