What would you consider the minimal features to be considered an #ActivityPub C2S server?
-
"Social API servers SHOULD provide an inbox collection that accepts the GET HTTP method. Social API servers SHOULD allow actors to read their own inbox collection.
"Social API servers SHOULD provide an outbox collection that accepts the POST HTTP method."
I'm not crazy about the language though. It needs tightening up.
-
@steve @reiver one part I am concerned isn't "minimal" is the section on client to server interactions.
https://swicg.github.io/activitypub-api/basicprofile#client-to-server
That said, this is about the minimum of what I'd want to work with as a client developer: creating web content and organizing it into collections.
-
@steve @reiver that's interesting.
It's something a client can quickly detect with an OPTIONS request.
Inbox read access seems important but not essential.
I can think of a lot of write-only client applications that don't need read access to the inbox. Like a video game that shares in-game achievements, or a follow button widget.
-
@evan @reiver I wasn't thinking of something instead, although I can imagine implementations that use pre-shared "app tokens" or HTTP Basic Auth (as examples). The motivation for the question is the C2S list maintained by @smallcircles. It seems like most of those are not what I'd think of as C2S (Social API) servers.
-
@steve @reiver @smallcircles that's interesting!
I think the whole reason we have OAuth is so you don't have to put your password into a third-party app. Basic Auth sounds like trouble!
For the pre-authed token, aka "personal access tokens", I use those a lot for different APIs, but I think they're usually just treated as Bearer tokens? So they'd fit here.
-
@steve @reiver @smallcircles I think Bonfire and Emissary both support cookie auth for their social API implementations, but that seems like an internal implementation issue and not an interoperability issue. Third party apps can't use cookie auth I think?
-
@evan Using my browser-based C2S test app, it looks like Mastodon enables CORS for at least actor, activity, outbox collection, and Note objects.