Григорий Клюшников

Evan, that, and they don't even have /.well-known/host-meta set up to properly redirect it.

9 comments
top.ofthe.top

> > that, and they don't even have /.well-known/host-meta set up to properly redirect it.

I don't think www will cause problems, their webfinger works, request to https://threads.net/.well-known/webfinger?resource=acct:mosseri@threads.net returns {"subject":"acct:mosseri@threads.net","links":[{"href":"https://www.threads.net/ap/users/mosseri/","rel":"self","type":"application/activity+json"}]}

Evan Prodromou

@top @dansup @grishka

WebFinger lets us take an ID like name@domain.example and get an actor endpoint https://domain.example/some/path/to/idnumber.jsonld . The format of the actor endpoint is implementation-dependent, so the WebFinger lets us have a nice little ID that is easily recognizable.

Evan Prodromou

@grishka The problem (?) is that I could configure my WebFinger server to point to someone else's actor endpoint, which would be misleading. So if evan@domain.example points to https://whitehouse.example/users/potus, it would make it seem like evan@domain.example is the right shortcut for getting to the President of the United States's ActivityPub endpoint. (It will happen.) It's not *that* big a deal, but it's a little bit of a problem.

Evan Prodromou

@grishka What we need is a way for the AP descriptor to say, "these are valid Webfinger strings to use for this account." There's not a way to do that in the AP standard (yet; I'm going to start working on a FEP for it).

Evan Prodromou

@grishka The way Mastodon hacked around this, and other implementations have copied, was by taking another element of the actor, `preferredUsername`, and the domain part of the actor endpoint, and making a Webfinger id out of those two. So, in the above example, it'd make a Webfinger ID out of potus@whitehouse.example.

Evan Prodromou

@grishka It then does the Webfinger lookup again with that new Webfinger ID, and checks that it points to the right Actor endpoint. It then stores this webfinger ID as the right one to use for this actor from now on.

Evan Prodromou

@grishka So, the problem I'm seeing with threads is that its webfinger IDs are on the threads.net domain, like mosseri@threads.net. But the actor endpoints are on the www dot threads.net domain (I typed that out because threads keeps eliding out the www), so all the services are going through the dance I described above, and ending up with "corrected" Webfinger IDs like mosseri@www.threads.net.

Evan Prodromou

@grishka In general, we just want to use the bare domain name if at all possible, at least for the actor endpoint.
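The reverse-lookup check described in the comments above, as an added example that is not part of the original thread and not Mastodon's own code. The lookup tables are constructed offline stand-ins for the HTTP requests, modeled on the threads.net response and the evan@domain.example scenario quoted in the thread; `jrd`, `webfinger_actor` and `canonical_acct` are hypothetical names.

```python
from urllib.parse import urlparse

def jrd(href):
    # Minimal WebFinger document shaped like the threads.net response quoted above.
    return {"links": [{"rel": "self", "type": "application/activity+json", "href": href}]}

THREADS_ACTOR = "https://www.threads.net/ap/users/mosseri/"
POTUS_ACTOR = "https://whitehouse.example/users/potus"

# Constructed sample data: WebFinger answers keyed by acct, actor documents keyed by URL.
WEBFINGER = {
    "mosseri@threads.net": jrd(THREADS_ACTOR),
    "mosseri@www.threads.net": jrd(THREADS_ACTOR),
    "evan@domain.example": jrd(POTUS_ACTOR),       # points at someone else's actor
    "potus@whitehouse.example": jrd(POTUS_ACTOR),
}
ACTORS = {
    THREADS_ACTOR: {"id": THREADS_ACTOR, "preferredUsername": "mosseri"},
    POTUS_ACTOR: {"id": POTUS_ACTOR, "preferredUsername": "potus"},
}

def webfinger_actor(acct):
    """Return the rel=self ActivityPub actor URL for acct, or None."""
    doc = WEBFINGER.get(acct.lower(), {})
    for link in doc.get("links", []):
        if link.get("rel") == "self" and link.get("type") == "application/activity+json":
            return link.get("href")
    return None

def canonical_acct(requested):
    """Resolve the requested acct, then confirm the ID from the actor's side."""
    actor_url = webfinger_actor(requested)
    actor = ACTORS.get(actor_url)
    if actor is None or actor.get("id") != actor_url:
        return None
    # Rebuild the ID from preferredUsername plus the host of the actor endpoint.
    rebuilt = f"{actor['preferredUsername']}@{urlparse(actor_url).hostname}".lower()
    # Second lookup: the rebuilt ID must point back at the same actor endpoint.
    if webfinger_actor(rebuilt) != actor_url:
        return None
    return rebuilt  # the ID to store and display for this actor

if __name__ == "__main__":
    for acct in ("mosseri@threads.net", "evan@domain.example", "nobody@domain.example"):
        print(acct, "->", canonical_acct(acct))
```

The misleading alias is never stored as the actor's ID, and the same step is what turns mosseri@threads.net into the "corrected" www form.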

top.ofthe.top

Most ActivityPub implementations rely on WebFinger anyway, and I see that threads.net's WebFinger solves the problem by returning the proper URI even if I mistakenly request mosseri@www.threads.net.

But a www subdomain is desirable for cookie isolation in cases when a site has multiple other subdomains for different purposes.
