Update (2015-08-12): see private-messaging-brainstorming for a discussion on the topic of private messaging. It is in a way quite similar to the proposal below of "Inbox", but without OAuth.
This post describes some typical features for a group communication platform with code name Phubble, using the organization of a birthday party for Alice as the running example, and what would be required of a "platform" to make it work for the IndieWeb.
Alice has a birthday in the near future. Bob, Eve and Mallory want to create a surprise party for Alice. Until now they used "Facebook Groups" to organize such an event among the friends.
Bob wants to coordinate the party with Eve and Mallory and have a secure way of communicating among themselves without Alice, or anyone else, finding out about it.
The group of friends contains three members:
Bob creates a private space in Phubble and assigns the members to it.
Phubble now has to figure out how to notify the members that they have been added to the private group, for example using an HTTP inbox, or email if no HTTP inbox is listed on the member's homepage.
Bob then posts his first idea to the wall. Eve and Mallory will receive another notification saying that Bob posted a new message, possibly with the content of the message included, or maybe just a link.
Eve wants to add Peggy to the group. She adds her to the group configured in Phubble with the identity
It should be possible for all members of a space to add new members. Only the creator can delete members.
Phubble sends Peggy a notification that she was added to the alice-bday-party space, and will also inform her of any future
Peggy also has an idea and posts it to the space. Now Bob, Eve and Mallory will get a notification.
In order to notify a member (out of the blue) that he or she is a member of a (private) group space there needs to be a mechanism for doing this. Email has long been the most reliable way to do this. Most users publish their email address on their homepage, for example using the h-card microformat as promoted for the IndieWeb or the rel="me" method. In addition, a mechanism using HTTP, the HTTP inbox, is proposed below.
The user advertises an HTTP inbox on their homepage:

```html
<link rel="inbox" href="https://tuxed.net/inbox">
```
This endpoint accepts an HTTP POST containing a subject and a message:

```http
POST /inbox HTTP/1.1
Host: tuxed.net
Content-Type: application/x-www-form-urlencoded

subject=New+message+in+%22Alice%27s+birthday%22+space&content=Lorem+ipsum+dolor+sit.
```
This request needs an OAuth 2.0 Bearer token to succeed. If none is provided, the inbox endpoint responds with some hints, as proposed by OAuth 2.0 Authorization Server Discovery:

```http
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="Inbox", authorization_endpoint="https://as.example.org/authorize", token_endpoint="https://as.example.org/token"
```
Now Phubble, as an OAuth client, knows where to obtain authorization.
Phubble chooses its own "authorization server", e.g. one that supports client certificates, and uses its own URL, e.g. https://phubble.example/, as its identity. Assuming the AS supports this should work perfectly well.
Once the access token has been obtained it can be sent in the POST request:

```http
POST /inbox HTTP/1.1
Host: tuxed.net
Authorization: Bearer SFmrZYeCR9hCol2ORAusJbccHiHrp7MU
Content-Type: application/x-www-form-urlencoded

subject=New+message+in+%22Alice%27s+birthday%22+space&content=Lorem+ipsum+dolor+sit.
```
Now the response will show it succeeded:

```http
HTTP/1.1 201 Created
```
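As an added illustration (not code from the original post or from Phubble), this is what the inbox endpoint's server-side logic would look like in Python: it returns the 401 discovery hint when no bearer token is sent, rejects unknown tokens in constant time, and accepts the form body only once the token maps to a known client. The token store, the message size limit and the assumption that header names arrive already canonicalized are mine.

```python
import hmac
from urllib.parse import parse_qs

# Values taken from the post; the AS URLs are the ones shown in the 401 hint.
REALM = "Inbox"
AUTHZ_ENDPOINT = "https://as.example.org/authorize"
TOKEN_ENDPOINT = "https://as.example.org/token"
# Constructed token store: bearer token -> identity of the client it was issued to.
VALID_TOKENS = {"SFmrZYeCR9hCol2ORAusJbccHiHrp7MU": "https://phubble.example/"}
MAX_CONTENT = 4096  # assumed limit on message size so the inbox cannot be flooded


def _challenge(extra=""):
    # 401 carrying the discovery hints so the client knows where to get a token.
    hdr = 'Bearer realm="%s", authorization_endpoint="%s", token_endpoint="%s"%s' % (
        REALM, AUTHZ_ENDPOINT, TOKEN_ENDPOINT, extra)
    return 401, {"WWW-Authenticate": hdr}, None


def _client_for(token):
    # Compare against every stored token in constant time so that a wrong
    # token cannot be narrowed down through timing differences.
    found = None
    for stored, client in VALID_TOKENS.items():
        if hmac.compare_digest(stored.encode(), token.encode()):
            found = client
    return found


def handle_inbox(method, headers, body):
    """Return (status, response headers, accepted message or None).
    `headers` is assumed to use canonical header names (e.g. "Authorization")."""
    if method != "POST":
        return 405, {"Allow": "POST"}, None
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return _challenge()
    client = _client_for(token.strip())
    if client is None:
        return _challenge(', error="invalid_token"')
    if headers.get("Content-Type") != "application/x-www-form-urlencoded":
        return 415, {}, None
    form = parse_qs(body, keep_blank_values=True)
    subject = form.get("subject", [""])[0]
    content = form.get("content", [""])[0]
    if not subject or not content or len(content) > MAX_CONTENT:
        return 400, {}, None
    # Record who sent it: the identity bound to the token, not a self-asserted field.
    return 201, {}, {"from": client, "subject": subject, "content": content}
```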
Email is a safe fallback. The user's email address can be discovered from the homepage, for example by querying the

```html
<link rel="me" href="mailto:firstname.lastname@example.org">
```
This will be all that is needed to send notifications.