Implementing ActivityPub Client-to-Server

As mentioned in that issue, I don’t care if Webfinger is supported or un-supported. I asked the andStatus maintainer to support lookup of oauth endpoints per the AP specification and was asked how best to support that. As that app insists on a webfinger address for the account, I responded that Webfinger should probably be consulted to locate the AP record - and fetch the AP record to find the OAuth endpoints.

Many of the subsequent comments in that thread basically ridiculed me for suggesting webfinger and defended the use of undocumented platform specific APIs and ignored the many real compatibility issues I raised.

I don’t care if a project uses webfinger or not, but if said project asks specifically for a webfinger address as identification of an account, that project might need to use webfinger. I don’t know how else one would reliably obtain the AP actor URL if the only information you have available is a webfinger identity. We support webfinger if you require it. We don’t actually require it for ActivityPub communications.

In any event, if you look at the issues raised, the andStatus C2S implementation requires a number of additional pieces from a number of platform specific APIs just to function, so I no longer plan to use it as a test implementation for our C2S work, and may be unable to use it at all. My queries for documentation on these extra required pieces did not provide me enough information to be able to implement or respond to those platform specific API calls, so I really have no choice.

It’s not that hard to make oauth2 requests so I’ll probably finish off the C2S bits using a Python script for testing and leave andStatus compatibility to others.

Does any project currently have a proposal for naming the dynamic client registration endpoint (and perhaps a list of attributes it requires) in the actor record? If so, I’d like to re-use it. If not, I’ll come up with something and stick it our FEDERATION.md; although there are already facilities like .well-known/oauth-authorization-server and .well-known/openid-configuration; and maybe this stuff doesn’t belong in the ActivityPub actor record at all.

2 Likes