Publ: Development Blog

Publ v0.7.2, Authl v0.5.0

Posted (3 weeks ago)

Big new releases for Publ and Authl!

Publ changes:

Authl changes:

  • Improve the meta robots rules on the login form
  • Add IndieWeb endpoint discovery to the profile

Ticket Auth is a pretty cool protocol which I have a lot of optimism for. You know how one of the big problems with self-hosted blogging is that there’s no way to share private posts on your feed without revealing that you have private posts and requiring people to log in to actually read them? Ticket Auth is a huge solution for that.

There’s a few things that need to happen before it actually gets used, though. The main thing is that feed readers need to get support for Ticket Auth, and there also needs to be a way to associate your user profile with the Ticket Auth endpoint. In an IndieWeb context this is pretty straightforward; on your profile page you’d have something like:

<link rel="ticket_endpoint" href="https://feed-reader.example/tickets">

and when you sign in, Publ sees that you have that ticket endpoint and initiates the flow to it. Then the feed reader has a bearer token that it can use to fetch the secure feed on your behalf.

However, outside of IndieAuth it gets a little trickier. There’s technically no requirement that someone uses the IndieAuth login flow to get a ticket, but the protocol relies pretty heavily on there being a tight coupling between the identity provider and the feed reader. The most straightforward way to support this in non-IndieWeb feed readers is to simply have feed readers grow IndieAuth support, though, and then use that to sign in to the IndieWeb sites you’re following.

There’s probably some other mechanism that could be used to provide matching third-party identity between a feed reader and, say, a Twitter identity, but that’s getting so far off into the weeds.

My recommendation to anyone implementing a new feed reader in this day and age: integrate with existing IndieAuth login flows, and/or allow folks to identify themselves with a public IndieWeb profile when they log in with a username and password. Then you can provide them a public profile page that also has the Ticket Auth endpoint, and then we can finally break free of walled-garden social media.