Emilio Cortina Labra
@emiliocortina
@james-martin-jd It is the popup, should I use the redirect login?
James Martin
@james-martin-jd
it may be worth a shot, you will need to pass in a redirect uri in the query string, you can see some examples in the solid react sdk
we use the redirect one
Emilio Cortina Labra
@emiliocortina
I will try that thank you
Kingsley Idehen
@kidehen

@theWebalyst ,
:point_up: April 16, 2019 5:26 AM:

Fixing the state of our repo == something.
Said item has now been resolved i.e., the code properly merged at: https://github.com/OpenLinkSoftware/solid-plume

Sina Bahram
@sinabahram
@Mitzi-Laszlo sure, sina@sinabahram.com works great. Thanks
Mark Hughes (happybeing/theWebalyst)
@happybeing
@kidehen I'm aware I was asking you for 'something', just not for you to fix anything. I don't think it was much to hope for a response even if, 'sorry, not sure of the status', and you did spend time writing two long posts so it feels like you aren't happy to work with me. That's fine, clarity is still helpful though as I've wasted time trying to establish how to proceed. I have already fixed the login issue thanks, with help from @RubenVerborgh. So I'll be pushing this and other fixes together. If I'm wrong and you do wish to collaborate I'll be very happy to hear and work out how we can best do that, but my fork is now advancing on its own. It would be a shame not to combine forces on Plume though, and I confess it doesn't make sense that you wouldn't, but I like to be honest and share my perspective, but mean no disrespect.
Noel De Martin
@NoelDeMartin
@Mitzi-Laszlo I don't have any videos, but I don't think they'd be too useful because my app at the moment doesn't look too different from a simple TODO application. But I'll keep it in mind when I start adding more features :D
Kingsley Idehen
@kidehen

@theWebalyst ,
Re :point_up: April 16, 2019 1:18 PM:

You continue to make strange remarks like "so it feels like you aren't happy to work with me." .
What's that supposed to mean?

Jeff Zucker
@jeff-zucker
@emiliocortina solid-auth-client's popupLogin method allows you to pass in the address of the popup.html to be used, why not just create your own?
Jeff Zucker
@jeff-zucker
@AJunque9 binary files like images or music should work fine with solid-file-client's updateFile(). Here's a complete working example of uploading a file, just put in the address of a folder in your pod, select a file or files, click upload.
<script 
    src="https://cdn.jsdelivr.net/npm/solid-file-client/dist/browser/solid-file-client.bundle.js">
</script>
<style>
input[type="file"] {
    background-color:#c0c0c0 !important;
}
</style>
<input id="targetFolder" placeholder="folder to hold uploads"><br>
<input type="file" id="fileArea" multiple>
<input type="button" value="upload" onclick="upload()">

<script>
// Log in through the popup, then upload every selected file to the target folder.
function upload() {
    SolidFileClient.popupLogin().then( ()=>{
        let folder = document.getElementById('targetFolder').value.trim();
        // Each file name is appended to the folder URL, so it must end with "/".
        if (!folder.endsWith('/')) folder += '/';
        const files = document.getElementById('fileArea').files;
        for (let i = 0; i < files.length; i++) {
            const URI = folder + files[i].name;
            const content = files[i]; // File object, passed through unchanged (binary safe)
            SolidFileClient.updateFile(URI, content).then( res=> {
                console.log(res);
            }, err=>{console.log("upload error : "+err)});
        }
    }, err=>{console.log("login error : "+err)});
}
</script>
Mark Hughes (happybeing/theWebalyst)
@happybeing
@kidehen that seems self explanatory so I don't know how else to say it, nor why you think it's strange. This conversation isn't going anywhere, so I'm going to leave it there.
Kingsley Idehen
@kidehen

@theWebalyst ,

Re :point_up: April 16, 2019 5:19 PM:

Moving forward, are you going to address new features such as:

  1. RSS and Atom Feed Generation
  2. Use of POSH (Plain Old Semantic HTML) for Feed Discovery

Those are important features missing from Plume right now.

Ana Junquera Méndez
@AJunque9
@jeff-zucker thank you very much!!
Mitzi László
@Mitzi-Laszlo
@NoelDeMartin thanks for the update :)
Angelo Veltens
@angelo-v
Could someone with more knowledge about WebID-OIDC look into that report https://forum.solidproject.org/t/insecure-solid-authentication-mechanism/1703 Is this a real thing? I think there are countermeasures against that?
Tim Berners-Lee
@timbl
@RubenVerborgh ?
Ruben Verborgh
@RubenVerborgh
Thanks, will follow up today!
Fabian Cook
@fabiancook
This project appears to be of interest to solid https://valueflo.ws/
Angelo Veltens
@angelo-v
Great, thanks Ruben
Mark Hughes (happybeing/theWebalyst)
@happybeing
Nice @fabiancook, I know a few people who will be interested in that.
Jules Cole
@Julian-Cole
@fabiancook very interesting!
elf Pavlik
@elf-pavlik

@fabiancook I've been co-maintaining https://valueflo.ws/ last few years, we move slow but soon want to reach next minor release and request feedback via https://www.w3.org/community/economy/

I plan to develop some prototypes that will use vf: terms and solid, I already have some initial implementation experiments using RDFJS modules eg. https://github.com/valueflows/vf-track-trace.ts , the way it does async iteration and uses Source#match with triple patterns it should eventually connect to solid server exposing triple pattern fragments, for that I'll test out this early prototype https://github.com/solid/solid-tpf

Ruben Verborgh
@RubenVerborgh
@angelo-v @timbl Had a look at the WebID-OIDC report at https://forum.solidproject.org/t/insecure-solid-authentication-mechanism/1703/7. Summary: we know, and we need a much more granular security mechanism for that reason. Currently, apps are given too much trust. (We are aware, it's just not implemented.)
Angelo Veltens
@angelo-v
Thanks for responding and clarifying that, @RubenVerborgh
Tim Berners-Lee
@timbl
Does making the credential domain specific fix it?
Mitzi László
@Mitzi-Laszlo
Dmitri Zagidulin
@dmitrizagidulin
@angelo-v re webid-oidc and that link — so, keep in mind, that credentials are bound specifically to one domain (the app’s domain)
that said, we do need finer-grained per-app permissions on the server side, as well.
Justin Bingham
@justinwb
right to echo @dmitrizagidulin and @RubenVerborgh - this is really more of a matter of scope of access / authorization for a given app, and it’s not much different than any typical oauth based scenario. with oauth, you give a third party permission to access a set of resources on your behalf. you are trusting that the application will not misuse that access - if they do you remove it. similarly, with solid/oidc - there will be certain third party applications that you provide a subset of access to (e.g. a photo app can access pictures), some that you will trust completely (i.e. a pod manager can see all), and some that end up somewhere in the middle. the mechanisms for allowing users to easily control that fine grained access per app is part of the design, but some of the tooling and server-side support needs to be improved to leverage it (which is being worked on). additionally, it’s important to have a means to certify beneficent / trustworthy apps in the ecosystem.
Angelo Veltens
@angelo-v
@dmitrizagidulin What does it technically mean, "bound to the domain"? What stops me from using curl with those credentials?
Ghost
@ghost~5bfd3ed4d73408ce4fb0367e

On the subject of fake news headlines, fake reviews, fake ratings, and fake likes; is there such a thing as a fake promotion?
I was watching a commercial for TGI Fridays https://www.youtube.com/watch?v=3QeuTk8eHKA/ , a chain restaurant. The waitresses were twirling around trays of food in hand as they danced with smiling faces all the way to the guests' tables. The bartender was also in the commercial dancing around serving customers and smiling as though this was how things really are at TGI Fridays. This commercial promoted its food apps and suggested that while at TGI Fridays, you will enjoy the entertaining dining experience of their staff as well as good food. This was a fake promotion intended to lure a person to the establishment by suggesting that they would experience good food with an entertaining atmosphere however, this type of entertainment does not exist at TGI Fridays. So if Solid is going to create an environment to tackle fake news, fake reviews, and fake ratings, how does it also deal with fake promotions?

How do you combat online fake ratings, and fake reviews, fake news, and fake promotions when it’s the companies themselves that hire third parties to create the same? I almost wonder if there should be a Solid Fine that, pod providers can implement when a user violates the terms and conditions of the pod provider, among other things, by facilitating fake news, fake reviews, fake likes and false advertising. Just a suggestion.

Ghost
@ghost~5bfd3ed4d73408ce4fb0367e
Should there be a Report Abuse button on all solid pods?
Ghost
@ghost~5bfd3ed4d73408ce4fb0367e
And while we're talking about trusted apps, should we not also talk about trusted pod providers? How are pod providers rated?
elf Pavlik
@elf-pavlik
besides trust in organization running the pods, they will also have various Terms of Service, I know that @michielbdejong has relevant experience from https://tosdr.org/
i wonder if ToS;DR has enough data to create some kind of ToS generator with wizard like interface
Michiel de Jong
@michielbdejong
We get asked that a lot :) ToS;DR is a review project, I think generating ToS with a wizard would be complex (but I do think there are some other projects out there that try to do it)
Justin Bingham
@justinwb
Tim Berners-Lee
@timbl
me too
Ghost
@ghost~5bfd3ed4d73408ce4fb0367e
agreed
Dmitri Zagidulin
@dmitrizagidulin

@angelo-v

What does it technically mean, "bound to the domain"? What stops me from using curl with those credentials?

good question
so, each credential (access token or ID token), is audience scoped to say "This is only valid at THIS resource server, and no other"
but this is more done to prevent servers stealing credentials and re-using them
with an app.. so basically, if you have a malicious web app, there is nothing to be done, even theoretically. It can access a user's data, ship it somewhere else, etc. The OAuth2 Threat Model document talks about this, and points out that, well, there's nothing to be done, the only thing you can do is mitigate -- limit the scope of access each app has
the other fundamental tool to deal with this are trusted app stores, like each desktop OS and each mobile OS currently has
obviously this does not mean that there are 0 malicious apps or viruses anymore. but the number is reduced (and of course, this takes some resources, on the part of the OS maker)
and then there's open source software, and that has a bit more eyeballs on it, a little harder to subvert.