1. 2

    I’m 100% behind this, though before I’d adopt it I want to see how the decentralization will happen. Who does the discovery of custom portier brokers?

    1. 2

      Thanks! Unlike Persona’s unfortunate reliance on a single fallback / bridge at login.persona.org, Portier is designed to be decentralized from day one: hosting your own broker in support of your own websites should be trivial. It effectively becomes an implementation detail that you can share between multiple domains. Like your own personal Auth0.

      The trick, then, is how your broker will discover other domains that support OAuth-style authentication, so it can authenticate users with that instead of the email loop fallback. We’re not sure how to solve this yet. Webfinger will likely play a role, but the specifics haven’t been ironed out. We talk about this a little bit in Design.md and in portier/portier.github.io#13.

    1. 2

      Is this similar to the Slack magic link login experience?

      1. 3

        It’s a bit similar, but Portier first tries to use a few in-browser, federated authentication strategies before falling back to magic links. Like magic links, it still works for everyone, but for a lot of folks, they never even need to check their email.

      1. 5

        Postmark just dropped our outbound email for high bounce rates. Falling back to SendGrid :/ Try again in 5 minutes.

        Edit: Ask Lobsters: Any suggestions for solving this? Hitting the frontpage of HN, et al. means people are spamming the login form with bogus addresses like a@a.com that bounce and cause trouble for us and the ESPs. Not ideal, but I’m not sure how to solve this for a small scale side-project. Discussion in https://github.com/portier/portier-broker/issues/96

        1. 5

          Hey, seems like a nice idea, but how is it different from OpenID?

          1. 9

            In addition to what Dan said, email addresses are much better UX for users. OpenID had huge issues with users not understanding how a URL could be their identifier, which we hope to avoid with Portier.

            1. 7

              UX for users.

              Developers too… I’ve worked with many a developer who had issues with the OpenID, OAuth, &c. workflows, so this is pretty intriguing.

              1. 4

                UX for users.

                Developers too…

                DX?

                1. 2

                  That would be a great name… I’ve thought about it when I’ve been working on APIs or languages or tools for languages: what is the user experience for a developer who is using this thing? What can I do to make this thing more pleasant to use? Languages like Elm have great “UX”, whereas tools like Burp & ZAP have terrible UX for analysts. DX is a neat condensation of that…

                  1. 3

                    I agree. I think developers tend to be more accepting of tradeoffs in usability in exchange for capability, which makes designing for them somewhat different from designing for end users.

            2. 6

              In some ways, you can think of Portier acting as an adapter in front of other OAuth / OpenID providers, so you integrate with Portier once, and get consistent support for other providers for free. More in the design document.

              The other big difference is that Portier asks users for an email address, and provides a fallback which ensures that Portier works for all email addresses. This is a huge improvement over classic OpenID, which used opaque URLs for identities, and OpenID Connect, which effectively requires every website to pre-register with, whitelist, and display custom buttons for specific OAuth providers.

              Portier is just email in, auth out, using whatever protocol is most appropriate for that email domain. Way more humane for users.

              Otherwise, most of the virtues of OpenID should carry through. There’s deeper discussion of how Portier compares to Persona in OtherProjects.md.

            1. 4

              Trying to wrap up and launch Portier, a passwordless authentication microservice that’s a spiritual successor to Mozilla Persona. It works well enough locally as a proof of concept, but we’ve got some fit and finish bugs to iron out, as well as some tweaks to make it easy to host on a PaaS like Heroku.

              1. 2

                Nice! I’ve only just taken a quick glance at it but it looks very interesting.

                BTW, is “passwordless authentication microservice” PAM for the hipster generation? :)

                1. 1

                  The PAM pun was unintended, but now that you mention it… ;)

                  What part struck you as the most interesting? Planning on a formal announcement in ~2-3 days, so knowing what captures attention is super helpful.

                2. 1

                  Interesting, I cannot find any information about which protocol it uses, though. Is it BrowserID based or its own?

                  1. 1

                    For federation, we haven’t quite figured out which protocol to use – something based on BrowserID or OpenID Connect Dynamic Discovery / Dynamic Registration is likely. The MVP does Google Sign-In for Gmail users, and falls back to single use email codes for everyone else. More in the design document.

                    For websites relying on Portier, it exposes an API conforming to OpenID Connect’s “implicit” flow. Which actually isn’t terrible.

                    1. 1

                      Hm, I’m somehow less convinced now. I liked BrowserID a lot, especially because of the straightforward spec and this seems to have many moving parts…

                      Allowing for implicit OpenID flow seems nice though, as many providers don’t have that :).

                      In any case, I’m no expert and don’t want to be overly critical.

                      Love Rust though, especially for deployment reasons!

                1. 19

                  devd, by Aldo Cortesi

                  Whenever I need to spin up a local server to work with bits of static HTML, I reach for devd. It’s a super fast, self-contained binary with great ergonomics. Running devd -lo . serves the current directory, opens (-o) your browser for you, and automatically livereloads (-l) your browser whenever any of the files change. It can do much more, including simulating bad connections, reverse proxying, and generating ephemeral self-signed TLS certificates, but I’m completely happy with just the basics.

                  1. 7

                    In that same vein, my shell has python -m SimpleHTTPServer aliased to webserver so I can quickly browse a directory on a remote machine through a web browser, and Python is usually installed everywhere.

                    1. 5

                      Also: python3 -m http.server :) As ridiculous as it sounds, I’ve actually had performance issues with Python’s built-in server, especially when I have a bunch of async requests on a page. Devd solved that for me.

                  1. 4

                    This list seems pretty misguided and under-informed, especially with things like disabling malware checks, completely unrelated properties like redirecting “View Source” to an external editor, disabling purely opt-in features like Sync, or disabling pure client-side features like Reader mode, crashed session restoration, caching, and download history. Take it with a grain of salt.

                    1. 4

                      Applying to whatever jobs I can find, feeling incredibly anxious and about to be homeless (in two weeks). Does anyone have a bit of work they could send my way? I can do Rails/HTML/CSS/dev ops/Linuxy stuff, reasonable rates. I need to productively fill my time.

                      First-level phone interview today for a Rails position, so practicing out-loud for that.

                      1. 1

                        Since you’re in the Duluth/Superior area, I know Target is hiring a ton of developers in the Twin Cities. Might be worth looking into if you’re open to traditional employment over consulting. Otherwise, I’d dig through the employers listed in local bootcamp websites, since they’re more likely to be open-minded about specific experience vs. ability to learn.

                      1. 7

                        This is a major bummer.

                        We used Persona extensively at my last job, and it was an enormously-helpful leg up when adding login features:

                        After some internal discussion we proposed Mozilla Persona as a solution for authentication. It fit the constraints outlined previously: it is a single source of identity, it is not homegrown, it allows users to reuse their work email addresses as their unique identifiers and, finally, it is no more than simply an identity provider.

                        When the assertion token is verified by Persona, it responds with the user’s email address. The Dashboard web server uses the Google Drive API to securely retrieve the authorization list from the Google Spreadsheet set up by administrators and checks if the just-signed-in user’s email address exists in this authorization list.

                        I did attempt to run the service myself when they first announced that it was being backburnered last year, and was disappointed to find that the developers had not prioritized re-use or installation by others.

                        1. 2

                          Sorry about that.

                          There’s some talk in #letsauth on Freenode of trying to build a Persona successor with more of an emphasis on easy self-hosting. The rest of the details are, understandably, up in the air right now. Out of curiosity, what do you think of solutions like https://passwordless.net/?

                          1. 1

                            Passwordless is an interesting concept! Often recovery or magic link emails take a long time to reach a recipient so it feels brittle, and I wouldn’t personally use a Node thing. I loved the simple integration of Persona.

                        1. 1

                          I don’t know. I’m not taking sides, but simply not being home isn’t a really great defense. It’s not like you have to be sitting there watching BitTorrent run. And same thing with malware and viruses. And it’s pretty normal to connect via ssh, etc.

                          And “disconnecting it from his home network” is only convincing if he means the modem was completely powered off, which isn’t mentioned.

                          1. 4

                            That’s fair. The article does mention that the company finally discovered a typo in their record of his MAC address, so presumably he was right. But it doesn’t go into enough detail to answer whether he was sufficiently careful at measurement. I read it thinking that perhaps the modem doesn’t have built-in wifi, so that disconnecting it from the router was possible, and was what he meant.

                            1. 4

                              “disconnecting it from his home network” is only convincing if he means the modem was completely powered off, which isn’t mentioned.

                              That actually is mentioned in the pastebin linked from the original article. Comcast registered 50 GB of traffic while the modem itself was physically unplugged.

                              1. 1

                                He measured it at his router, too.

                              1. 4

                                “one of the first things I would do before starting [Python development] again would be to try mirroring the documentation.”

                                In a pinch, you can run pydoc -p 8080 to get a nice, browsable interface to the docstrings of every module in your environment.

                                1. 2

                                  I also stopped using Chrome for my daily browser a while back, but not because of the auto-updating. I found it pretty painless and didn’t run into the same issues he did.

                                  That said, Chrome was starting to feel sluggish and bloated, taking up more and more memory with no extensions. Right now I use Chrome for debugging client-side stuff, otherwise I use Firefox. The only plugin I use in Firefox is uBlock and it’s quick, stable, and an overall good user experience.

                                  1. 7

                                    Right now I use Chrome for debugging client-side stuff

                                    Can you point to anything in particular that you’re missing from Firefox’s tools? We’ve put a ton of effort into them over the last year, and it helps to know what gaps are sending people back to Chrome’s tools.

                                    1. 1

                                      The debugging tools work well enough for me; the big improvement I’ve noticed recently is that scrolling on Mac got much better in the last update. Still a long way from Safari but it’s not as jarring as it used to be.

                                      1. 1

                                        I’m going to try using them tomorrow while I work and I’ll let you know any particulars I can come up with. I can’t think of any at the moment.

                                    1. 3

                                      I’m mostly wrapping up my PyCon talks on Rust / Python FFI and CoreOS. Trying to make sure I’m staying within my time budget, putting together slides, and filling in holes in my knowledge for Q&A.

                                      Speaking of, if you’re interested in those topics, what sorts of questions might you have about them? :)