Forem Creators and Builders 🌱

Discussion on: How would you like "API v1" to be?

James Turner • Edited

I'm mainly asking this to think out loud about what's the right balance between having a giant behemoth that can do everything (potentially millions of webhooks to be activated daily) vs being a good citizen to other platforms that can integrate with Forem.

Yeah, I'm thinking more that Forem brings the tools with which others can build these experiences rather than Forem doing it itself. So with webhooks, it would be allowing relatively fine-grained webhooks to be built and linked to. You don't want to be on the receiving end of hundreds of posts a second, but you might want to for, say, a specific tag.

I see OAuth 2 by itself as a bit limiting, as it requires the app's registration, and if we end up with decentralized identities (James Turner on Forem.dev and James Turner on DEV are already 2 different users; even if behind them there's the same human, the two installations don't know that) we need to decentralize auth as well. This way (I don't even know if that's technically feasible yet), these potential apps can follow the user across Forems if authorized to do so.

Yeah, my thought for this part was less technology per se and more experience. The GitHub auth-flow experience feels really nice when using it. Having a non-technical user go through something that felt like that experience when connecting apps/integrations would be ideal in my opinion.

[re. each Forem is a unit by itself] I would imagine none of them to hold "the entire history of me"

Yep, exactly - I don't think you'd want to for security/privacy reasons let alone just raw data reasons. It would be a pain to manage.

There are systems like IndieAuth designed to solve this issue of not having websites and apps have to register to each other in advance but I'm still studying all the details to understand it better. Do you have any experience with that?

I haven't used it, but it seems relatively straightforward conceptually. Take a URL (any URL) and identify the authorization server behind it (which it must have; it can't be any old link), and from there you follow an OAuth-like process with a sprinkle of additional URL-checking at the end. That's my take on it anyway.

Besides the discovery portion (which could be useful for adding additional authentication providers like how Forem has Twitter & GitHub), it doesn't seem to bring much more to the table.

That said, a possible API would need this mechanism to be already in place I guess to be able to trigger a query of "get all posts by rhymes from forem.dev, letsbuild.gg but not DEV published since January 2020" for example.

Yeah, that's my "ideal" view if this functionality was here tomorrow. Just from that written example though, my brain says "looks more GraphQL-esque than REST". That isn't a problem per se, but I didn't see it that way when I wrote my previous comment. Brains are weird. 🤷‍♂️

I feel like we're crossing between API and product design but I like your ideas!

Glad you like them! Yeah, I know it isn't API-related directly, but it is an interesting use case that I felt was a natural benefit of such functionality.

If it's truly decentralized, what's the authoritative version of rhymes? Is it my profile on DEV? My profile on letsbuild.gg? My profile on a future Forem? Do I get to choose? Does the machine choose for me? Would there even be a page where I can see all my profiles?

Here is a crazy thought: why do we need an authoritative version of a profile? I don't think a single authoritative version is needed, but I do think somewhere that you can view these linked accounts across Forem instances would be fundamental.

Given every Forem instance has the same core code, every instance could technically have this page and do a "network" query across your linked accounts on different Forem instances.

What if we want to build an ecosystem where I can be the same human, with different usernames and profiles, and don't want them to communicate because I don't want my employer to know that I have a profile on Forem A, B and C? Thus I don't want the API to follow me there as well?

With that in mind, I guess it is a case of whether you link profiles or not. I don't see a way to link profiles together and not share information with the various linked parties. You wouldn't really gain anything out of it if the goal was privacy between the different Forems.

Without knowing what the code behind a specific instance of Forem is doing (knowing that people could, in theory, modify it to do custom stuff), the only way for the privacy to exist is to never link between them.

Keep in mind that Forem needs to be a safe place, so people need to be able to delete their data, to stop sharing data with an app, to not let the owner of one Forem know they are a user on another and in theory they should be able to have completely different identities (email and username) on different Forems.

I completely agree about different emails and usernames on different Forems. There shouldn't be a technical (or other) reason not to allow that while still supporting linking of profiles.

1000% agree there would have to be procedures in place to delete their data and stop sharing it with an app. It would be kinda hard to not let an owner of one Forem know your identity on another Forem if you linked profiles etc. together, but otherwise, yeah: privacy and user controls need to be easily accessible and usable for anyone on any Forem instance.

Alas, I don't have all the answers yet, but thank you so much for this feedback! I hope we can continue this conversation and that others will join!

Look, I'm happy to talk about this stuff all day and bounce ideas etc. around. Feel free to reach out at any point. 🙂

rhymes

Yep, exactly - I don't think you'd want to for security/privacy reasons let alone just raw data reasons. It would be a pain to manage.

Yeah, we agree on that. No centralized data store ;-)

Besides the discovery portion (which could be useful for adding additional authentication providers like how Forem has Twitter & GitHub), it doesn't seem to bring much more to the table.

Yeah, I still have to go through the entire spec to see if it's enough or not and/or if it's flexible enough to be extendable. The jury is still out on IndieAuth. I also wonder what we can borrow from ActivityPub and if it would make sense for us to become a server for it.

Yeah, that's my "ideal" view if this functionality was here tomorrow. Just from that written example though, my brain says "looks more GraphQL-esque than REST". That isn't a problem per se, but I didn't see it that way when I wrote my previous comment. Brains are weird. 🤷‍♂️

Interesting. I also think of API gateways that are able to stitch different microservices together to build a response; they predate GraphQL in a way. The difference here is that each "microservice" will be a Forem installation with the exact same code. The technology behind all of this is an avenue to be explored. I suspect how we build "discovery" is going to tell us what the right architecture is here.

Here is a crazy thought: why do we need an authoritative version of a profile? I don't think a single authoritative version is needed, but I do think somewhere that you can view these linked accounts across Forem instances would be fundamental.

Agreed. Linking to one another is opt-in. Fundamentally a person could spend their online life using two Forems that never talk to each other and be fine with it.

Given every Forem instance has the same core code, every instance could technically have this page and do a "network" query across your linked accounts on different Forem instances.

Back to the discovery part ;-)

Without knowing what the code behind a specific instance of Forem is doing (knowing that people could, in theory, modify it to do custom stuff), the only way for the privacy to exist is to never link between them.

True that! As Forem can be modified and self-installed, the trust level by default should be "share nothing", but then if you share nothing, as you say, what's to be gained by linking them? Forem's code is AGPL, which in theory requires modifications to be published. This might help. Another possibility is to trust only servers managed by Forem.com, but that could limit the network effect.

Look, I'm happy to talk about this stuff all day and bounce ideas etc. around. Feel free to reach out at any point. 🙂

Thank you!