François' Blog

Group Communication Platform

Published on 2015-08-11 | Last modified on 2015-08-12

Update (2015-08-12): see private-messaging-brainstorming for a discussion on the topic of private messaging. It is in a way quite similar to the proposal below of "Inbox", but without OAuth.


This post will describe some typical features for a group communication platform with code name Phubble. As an example we will organize a birthday party for Alice. This post will describe what would be required of a "platform" to make it work for the IndieWeb.

Alice's birthday party

Alice has a birthday in the near future. Bob, Eve and Mallory want to create a surprise party for Alice. Until now they used "Facebook Groups" to organize such an event among the friends.

Bob wants to coordinate the party with Eve and Mallory and have a secure way of communicating among themselves without Alice, or anyone else finding out about it.

The group of friends contains three members:

Bob creates a private space alice-bday-party on Phubble and assigns the members to it.

Phubble will now have to figure out how to contact/notify the members by some mechanism to notify them they have been added to the private group. For example using an HTTP inbox or maybe email if an HTTP inbox is not listed on the member's homepage.

Bob then posts his first idea to the wall. Eve and Mallory will receive a another notification saying that Bob posted a new message, possibly with the content of the message included, or maybe just a link.

Eve wants to add Peggy to the group. She adds her to the group configured in Phubble with the identity https://peggy.example/. It should be possible for all members of a space to add new members. Only the creator can delete members.

Phubble sends Peggy a notification that she was added to the alice-bday-party space, and will also inform her of any future activity.

Peggy also has an idea and posts it to the space. Now Bob, Eve and Mallory will get a notification.


In order to notify a member (out of the blue) that he or she is a member of a (private) group space there needs to be a mechanism for doing this. Email has long been the most reliable way to do this. Most users will publish their email address on their homepage, for example using the h-card microformat as promoted for the IndieWeb or the rel="me" method. In addition below a mechanism using HTTP is proposed, HTTP inbox.

HTTP inbox

The user advertises a HTTP inbox on their homepage:

    <link rel="inbox" href="">

This endpoint accepts a HTTP POST containing a subject and a message:

POST /inbox HTTP/1.1
Content-Type: application/x-www-form-urlencoded


This request needs an OAuth 2.0 Bearer token to succeed. If non provided, the inbox endpoint will respond with some hints, as proposed by OAuth 2.0 Authorization Server Discovery.

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer 

Now Phubble, as an OAuth client, knows where to obtain authorization. Phubble chooses its own "authorization server", e.g. one that supports client certificates, and uses its own URL, e.g. https://phubble.example/ as its identity. Assuming the AS supports Distributed IndieAuth this should work perfectly well.

Once the access token has been obtained it can be sent in the POST request:

POST /inbox HTTP/1.1
Authorization: Bearer SFmrZYeCR9hCol2ORAusJbccHiHrp7MU
Content-Type: application/x-www-form-urlencoded


Now the response will show it succeeded:

    HTTP/1.1 201 Created


Email is a safe fallback. The user's email address can be discovered from the homepage, for example by querying the rel="me" link headers:

    <link rel="me" href="">

This will be all that is needed to send notifications.