Why not use proxyUrl from ActivityPub?
Is this what youâre referring to? ActivityPub
This is pretty close to what weâre working on here, but maybe not exact? Iâm having a hard time finding any better documentation on this, or anyone implementing this in the wild to use as a reference. proxyUrl seems to to expect a POST that will authenticate a user to view a remote stream, not the simple GET address on their home server.
If this is already meant/used in this way, then weâre great, and nothing needs to be added to Activity Intents. But if it is in use for different purposes, then weâd be breaking something.
I will keep digging to see if I can find this in use already.
we could extend proxyUrl to allow GET with query parameter instead of just POST with form-encoded parameter. itâs already quite similar to mastodonâs remote interaction handler, except that one takes uri parameter instead of id.
GET /authorize_interaction?uri=https://object.example HTTP/1.1
Host: mastodon.example
this loads some page that shows the object and allows you to either follow an account or view a status.
basically i am saying that the definition of proxyUrl could be expanded to allow GET and then it can be used as a link relation:
{
"rel": "https://www.w3.org/ns/activitystreams#proxyUrl",
"href": "https://mastodon.example/authorize_interaction"
}
GET /authorize_interaction?id=https://object.example HTTP/1.1
Host: mastodon.example
this is assuming you really need a GET. personally i donât see a reason to care about GET vs POST here, and in fact a POST can make sense because you are not simply asking for a representation, you are potentially resolving and caching a remote object into the local database.
I found some information on the ActivityPub primer that says this is really intended for authenticated, C2S requests using POST.
I think weâre discussing something similar in spirit to proxyUrl but very different in the details. This feature in Activity Intents is aimed at helping me get back to my home server when Iâm out on the open Internet.
So, I think we might take some ideas from this, but we shouldnât try to extend or repurpose this existing data point. That would only lead to confusion.
Hey, I never got back around to this, directly. Iâm going to write this up using Object and see how it looks.
You made a good point about using View activities for this. I really want that one to work out, but unless weâre expecting to send View documents for every item we view, we should probably not use it in this way.
1 Like
how is that different? when youâre out on the âopen internetâ, you can look up your own webfinger, take the link with the correct rel, and then plug your âopen internetâ URI into that endpoint. i donât see how that isnât just basically mastodonâs existing authorize_interaction endpoint, or how thatâs any different than as:proxyUrl in spirit. the only technical difference is that proxyUrl generally returns JSON-LD instead of a HTML web UI, but that can be handled by conneg.
I think you identified the issue. As itâs in use now, proxyUrl expects a POST and returns JSON. I want something pretty similar that expects a GET and returns an HTML page.
If we simply repurpose proxyUrl, there would be no way of knowing if the server supports a POST/JSON endpoint or a GET/HTML endpoint. It would confuse existing systems, and completely break Activity Intents.
I donât want to clutter up WebFinger responses with unnecessary additions, but Activity intents is an incremental change that will take time for the many Fediverse projects to implement. We canât use this existing value and expect everyone has already implemented it âthe new way.â Doing that would kill adoption of Activity Intents entirely.
â
I missed this point in your original note, sorry:
Yes, https://w3id.org/fep/3b86/Object would be very similar to Mastodonâs /authorize_interaction endpoint. Several other activities also map directly to Mastodon APIs. The difference is that weâre not hard-coding a Mastodon-specific path, so different projects can support the feature set without mimicking Mastodonâs URL layouts, too.
@benpate Iâm currently working on an ActivityPub server and came across thisâvery neat proposal!
Instead of having a dedicated endpoint for each activity type in ActivityPub, what if instead it was a general endpoint to prompt the server to create on behalf of the current session?
For example, sending a cross origin POST request with an entire activity (like Create/Note) and the end user has to accept the activity. This would allow for servers to accept a wide range of activities while also allowing them to strip or limit types depending on their implementationâs purpose.
An alternative to the above example is redirecting with a query parameter the homeserver fetches and fills in {templating parameters}
Welcome to SocialHub!
Interestingly, you had the same idea as me. Untrusted publishing / "share intent" functionality for arbitrary activities · Issue #53 · swicg/activitypub-api · GitHub discusses a single endpoint where you can submit entire arbitrary activities.
1 Like
Hey Grant, thanks for checking out Activity Intents. As @trwnh noted, weâve had some discussion on making a more generic endpoint. Two thoughts:
You can certainly use a single endpoint for all inbound activitys. Youâd just need to point each intent template to the same URL endpoint. So, Create could point to `https://my.server.social/do-the-thing?activity=Create\` and Follow could point to https://my.server.social/do-the-thing?activity=Follow
I can see some utility in allowing remote sites to initiate an arbitrary activity on the userâs home server. It would certainly open up Activity Intents to a wider set of uses than we can currently imagine. And yes, for security reasons my home server MUST MUST MUST confirm this with the user before actually publishing it.
But this confirmation step causes a UX dilemma. How should my server confirm with me if a remote web page initiates an activity that it doesnât understand? As an example, letâs say Iâm on a web page that POSTs this activity back to my home server to review:
{
"type":"Foo",
"bar":"baz",
}
My home server has no idea what a âFooâ activity is, or what the properties below it represent. So, itâs canât really give me a confirmation screen thatâs any better than showing me the raw JSON properties of the activity. While that might work for a software developer who knows what Foo/bar/baz represents, it is inviting all kinds of mischief when non-technical users learn to blindly accept the qr-code-looking gibberish that shows up on their screen.
If we can solve this âconfirmation problemâ somehow, Iâd love to include a generic option in the Activity Intents FEP. But we canât put such a heavy requirement on non-technical usersin the process.
@grant OpenWebAuth Protocol might be what youâre looking for (discussion thread: FEP-61cf: The OpenWebAuth Protocol).
cc @FenTiger
My thought is that unknown activities would show a warning similar to most browserâs SSL error pages. It would show âwe donât know how to correctly display the activityâ or something along those lines with a âpost anywayâ hidden behind a dropdown. This would (hopefully) encourage hesitation to sending an unknown activity type.
This warning page would also show a JSON representation of the raw activity in a collapsible box (to avoid confusing people)
I understand the utility of it, but we need to find another way forward. For instance, some commonly understood way to generate a preview of the activity.
But if we have to show JSON-LD to end users, weâve failed. Iâll bet that most ActivityPub developers shouldnât have to parse through JSON-LD in their browser to confirm that itâs correct - to say nothing of non-technical people.
Isnât this what AS2 Core tells you to do with name/summary/content?
There are alternatives to showing raw JSON. browser.pub for example has 3 views: visual, tabular, and raw.
I also donât think that UX challenges justify saying that a capability should be taken away from people who need that capability. The information in the JSON-LD should be convertible to a plain text description, and if you donât know what a term means it would ideally be something you can look up and find a term definition. If you see a term whose definition you donât know you can use caution.
Consider the equivalent example of someone giving you an HTML document to publish. Or someone giving you a written plain text letter and asking you to publish that. Itâs the same issue. They might have encoded a message you donât understand. Thatâs not a reason to disallow publishing HTML or plain text. Itâs a general issue with any user generated content. If youâre worried, run it through a sanitizer, but then thatâs a different issue.
Ben, Grant, the way forward is to abruptly display a 404 to the end user because this is a bug.
Unless I am misunderstanding this conversation: If I stumble onto Instance A and they try to trigger a "Foo" Activity Intent, and I enter my handle, Instance A is supposed to webfinger the handle and discover that: no, my instance does not handle "rel": "https://w3id.org/fep/3b86/Foo
To that end, when Instance A attempts to trigger the intent, it should know ahead of time that my handle doesn't support it, and thus not offer my handle as a supported endpoint.
This is what happens in NodeBB right now when you try to register your Mastodon handle. It discovers that it supports only two intents, Create and Object, and so if you hit "upvote" (which would normally fire the Like intent), it won't offer Mastodon as a supported endpoint.
a, falling back to using name, summary, and content works when you're talking about activities and objects (e.g. "I scrobbled a zipwarg, but here's what a preview or summary of that looks like, so just push it to your outbox and call it a day)
But Activity Intents is about instructing another server to process an action on your behalf. If the receiving end doesn't understand the activity itself, how can it perform the requisite side effects?
Is your server publishing activities on your behalf without letting you review them?
By default, all activities have no side effects beyond getting published to an outbox. If there arenât any understood side effects, then thereâs nothing to perform. Iâd be more worried about what is getting published on my behalf!
I think framing this FEP as âprocessing an action on your behalfâ is getting it mixed up, but to be fair, there isnât a clean split between activities as published resources vs activities as actions or procedures. Personally, I think any âside effectsâ should be separated out â and thereâs a similar idea described in https://w3id.org/fep/fc48 by @silverpill for how a server might process custom activities with such âside effectsâ. (Youâd need an extended outbox handler that checks for such side effects, but if you can standardize a generic framework for it, then youâd have some idea of what a client expects to happen or be done.)
The only âactionâ being discussed here is âpublish an arbitrary activityâ. Itâs not a bug, because you wouldnât trigger publishing an arbitrary activity through the Create rel, and you wouldnât define a new rel for each and every possible (infinite) activity type. Thatâs why I linked the GitHub issue for the âshare intentâ proposal, because that proposal doesnât care what type of activity it receives â it all ends up in your outbox eventually (when you approve it).
1 Like