💬 Re: TicketAuth support

In reply to: jamesg on TicketAuth support

Yes, Publ supports TicketAuth for authenticated feed subscriptions. At least in theory. It passes manual testing and I think a couple of folks have implemented test consumers that have been verified to work with it, but I don’t know of anyone who actively follows my blog with a TicketAuth-enabled feed reader.

My feeling with how Microsub would interact with TicketAuth is that the ticket endpoint would be responsible for relaying the bearer token along to the Microsub implementation, perhaps via some sort of credential store, or maybe that the token store would be expressed by the Microsub endpoint. I haven’t super thought it through, mostly because there’s a couple of reasons I’m not a fan of Microsub and if I ever get around to implementing the reader I want to implement I was planning on it just being a fully self-contained application that you happen to sign into using IndieAuth (it could support Microsub as a data store for other reader clients but it’d be intended to be used as its own client as the primary interaction model).

Or I guess another way of looking at it is that the reader I want to build would be a reader UI, Microsub endpoint, and TicketAuth endpoint all in one single integrated implementation, just because it feels easier in terms of how I want stuff to work.

The big security concern with TicketAuth (or any authenticated feed mechanism other than private/individual feed URLs, which has its own set of problems to contend with) is that as soon as anyone has any credentials for a feed that multiple people are subscribed to, you need to make damned sure that you’re retrieving/parsing/storing the feed separately for each credential. It’s for that reason that I haven’t just hacked TicketAuth into Feed-On-Feeds, because its fundamental design would make this rather inconvenient.
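An added illustration of the per-credential separation described above (not code from Publ or Feed-On-Feeds). The two store classes, the `fetch` stand-in, the tokens and the URL are all constructed for this example, which contrasts a store keyed by URL alone with one keyed by URL and credential:

```python
import hashlib

# Constructed sample: entries a TicketAuth-protected feed returns per bearer token.
# None stands for an unauthenticated fetch.
SAMPLE_FEED = {
    None: ["public post"],
    "token-alice": ["public post", "friends-only post"],
    "token-bob": ["public post", "bob-only post"],
}
URL = "https://example.com/feed"  # placeholder feed URL

def fetch(url, token):
    """Stand-in for an HTTP GET sent with 'Authorization: Bearer <token>'."""
    return list(SAMPLE_FEED[token])

def cred_key(token):
    """Partition key derived from the token, so raw tokens never become store keys."""
    if token is None:
        return "anonymous"
    return hashlib.sha256(token.encode()).hexdigest()

class SharedFeedStore:
    """Weak design: one stored copy per URL, filled by whoever fetched first."""
    def __init__(self):
        self._cache = {}
    def entries(self, url, token):
        if url not in self._cache:
            self._cache[url] = fetch(url, token)
        return self._cache[url]

class PerCredentialFeedStore:
    """Each (URL, credential) pair is retrieved, parsed and stored on its own."""
    def __init__(self):
        self._cache = {}
    def entries(self, url, token):
        key = (url, cred_key(token))
        if key not in self._cache:
            self._cache[key] = fetch(url, token)
        return self._cache[key]

def leaked(store, url, first_token, second_token):
    """Entries the second subscriber sees that their own credential would not return."""
    store.entries(url, first_token)
    seen = store.entries(url, second_token)
    return [e for e in seen if e not in SAMPLE_FEED[second_token]]
```

The same partitioning has to apply to every later stage that holds feed content (parsed entries, search indexes, read-state tables), not only the HTTP cache.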
