indieweb / indieauth

IndieAuth.net website code and IndieAuth Specification

Discovery: Why not Webfinger ? #45

Closed grifdail closed 4 years ago

grifdail commented 4 years ago

Hi ! Pretty new to the indieweb.

I've been looking at way too many standards for the past few days.

One of those is webfinger, a protocol "that allows for discovery of information about people and things identified by a URI." The protocol is already used by OpenID Connect. It is also used by platforms like Mastodon for federation purposes.

The idea would be to replace fetching the user page and parsing it looking for a <link> element with a rel value of authorization_endpoint by looking that up on the server's webfinger. This means we could also change the need for a URL as profile; we could simplify it to "username@domainname.tld".

This would also solve the issue with having a manifest file as the metadata relative to the indieauth implementation because those data could be included in the webfinger result. https://github.com/indieweb/indieauth/issues/43

Is there already a reason why webfinger might not be best suited for indieauth ?

pfefferle commented 4 years ago

The IndieWeb community prefers URLs over other Identifiers and HTML over side files...

DRY (Don't repeat yourself):

strugee commented 4 years ago

See https://indieweb.org/WebFinger#Problems.

In particular I'll note that the W3C SocialWG while working on specs like IndieAuth (and ActivityPub) decided to use a "follow your nose" model rather than something relying on well-known URLs. Webfinger in Mastodon is mostly for historical reasons since Mastodon originally was based on OStatus - Mastodon moved to ActivityPub which does not involve Webfinger at all, but Mastodon kept the Webfinger bits for compatibility reasons. I can't remember if Webfinger has become a de facto part of ActivityPub implementation stacks since it's been a while since I have been seriously involved in social web protocols.

strugee commented 4 years ago

@pfefferle heh, saw your reply pop up while I was composing mine. Jinx :P

grifdail commented 4 years ago

It looks like the ActivityPub specification doesn't say anything about discovery. Which makes sense in a way. ActivityPub only specifies the communication protocol between client and server. For that matter, it also doesn't concern itself with authentication nor verification (other than saying "You probably should do that") and doesn't provide any specific instructions.

As it stands, ActivityPub needs to be used as part of a bigger stack that includes those. The need for discoverability arises from these platform-specific needs. In the case of Mastodon, the toot "I went to the beach with https:\\example.com\social\user\paul !" is a lot less usable than "I went to the beach with paul@example.com".

(Just to be clear, ActivityPub still uses URLs everywhere; the only goal of the webfinger lookup is to find that URL in the first place.)

Now, let's assume a server using IndieAuth for authentication, and ActivityPub for ClientToServer communication. Either we assume the profile page for IndieAuth is also the profile page for ActivityPub when the Accept header is set to application/ld+json; profile="https://www.w3.org/ns/activitystreams", or we need another way to look up the ActivityPub page (either webfinger or another protocol, maybe another link tag). And then there's probably the need for webfinger anyway if you want to support Mastodon, and Pleroma, and all the other sites that chose to do the same.

This comment has more to do with the ActivityPub spec lacking details.

I guess nothing is preventing a client from doing both? When given a profile URL, it would do the standard indieauth procedure. When given an "Email style address", it would look up the HTML profile URL in the webfinger and follow the indieauth procedure from that.

Should we close that issue ?

aaronpk commented 4 years ago

This does sound like a Mastodon issue more than an IndieAuth issue. The example you gave though isn't even how Mastodon works. In practice, the server shows text like:

I went to the beach with @paul

and then hyperlinks it to their profile page, e.g.

I went to the beach with <a href="https://mastodon.social/@paul">@paul</a>

Their profile page is where the IndieAuth discovery as currently spec'd could happen. The reality is that even ActivityPub clients mostly work with URLs more than email-like identifiers.
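The two lookups discussed in this thread, as an added example that is not part of the issue or of the IndieAuth code: finding the authorization_endpoint link in a profile page, and turning an email-style identifier into a WebFinger (RFC 7033) query whose JRD response points back to that profile page. Function names and sample inputs are constructed for illustration, the JRD is assumed to carry a `http://webfinger.net/rel/profile-page` link, and fetching is left out, so the functions take already-downloaded text.

```python
import json
from html.parser import HTMLParser
from urllib.parse import quote, urljoin, urlsplit

PROFILE_PAGE_REL = "http://webfinger.net/rel/profile-page"
# Constructed sample inputs (not taken from the thread or any real server).
SAMPLE_HTML = '<html><head><link rel="me authorization_endpoint" href="/auth"></head></html>'
SAMPLE_JRD = ('{"subject": "acct:paul@example.com", "links": [{"rel": '
              '"http://webfinger.net/rel/profile-page", "type": "text/html", '
              '"href": "https://example.com/paul"}]}')

class _LinkRel(HTMLParser):
    """Remembers the href of the first <link> whose rel list contains `rel`."""
    def __init__(self, rel):
        super().__init__()
        self.rel, self.href = rel, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()  # rel is a space-separated list
        if tag == "link" and self.href is None and self.rel in rels and a.get("href") is not None:
            self.href = a["href"]

def discover_authorization_endpoint(profile_url, html):
    """Profile-page discovery: return the absolute endpoint URL or None."""
    parser = _LinkRel("authorization_endpoint")
    parser.feed(html)
    if parser.href is None:
        return None
    endpoint = urljoin(profile_url, parser.href)  # href may be relative
    # The page is untrusted input: refuse javascript:, data:, file: and similar.
    return endpoint if urlsplit(endpoint).scheme in ("http", "https") else None

def webfinger_url(identifier):
    """Build the WebFinger query for user@host; None for anything else."""
    ident = identifier.lstrip("@")
    user, sep, host = ident.partition("@")
    if not sep or not user or not host or "/" in ident or ":" in ident:
        return None
    return f"https://{host}/.well-known/webfinger?resource={quote('acct:' + ident, safe='')}"

def profile_url_from_jrd(jrd_text):
    """Return the HTML profile URL advertised in a WebFinger JRD, if any."""
    for link in json.loads(jrd_text).get("links", []):
        href = link.get("href") or ""
        if link.get("rel") == PROFILE_PAGE_REL and href.startswith("https://"):
            return href
    return None
```

A client accepting both input styles would call `webfinger_url` first and fall back to treating the input as a profile URL when it returns None; either way the endpoint itself comes from the profile page.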