New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Claiming podcasts - what can we do to help? #342
Comments
I can see how to do this. A simple api endpoint at the podcast host listed in the feed that accepts a token and something to identify the podcast and a return api hook to send the response to (which probably has the token in just like the link in the email. Space for an optional identifying message from the service to the podcaster is probably a good idea too. Podcast host has a notification for users in their dashboard (presumably they know they're signing up for something so they're watching for this). One click and the token is sent back to the requester. Job done no email. I believe I could build this for 3speak as a demo very quickly. One issue... The services love harvesting emails. But this would be much better.
|
I think the OAuth-type of bouncing from PodcastDirectory to PodcastHost works. No need for a notification system. But you're absolutely right - a token was what I was looking for! directory.example.com looks at the RSS feed, sees the
... linking to the 'auth' URL, and posting to it "token=3c2a2f4e&rss=https://host.example.com/rss&callback=https://directory.example.com/callback" host.example.com takes a user through authentication if not logged in, and shows...
...and then posts to https://directory.example.com/callback the token and RSS. I think OAuth has some additional security on this. |
At pod.link, we let podcasters claim their show with the email method. It definitely has its downsides, especially with Anchor and Acast shows, and I've been imagining how a better solution might work. To make it more familiar to users, I'd mimic the language of other oAuth flows. So the app could see the
Any participating service would still have to scrape the email address as a fallback for non-participating hosts. So the checkbox to share an email address seems redundant to me. |
Would definitely want to get hosting company input on these ideas. @tomrossi7, @albertobeta, @amandato, @PofMagicfingers, @mkadin ? |
Agreed! Would love host feedback, and will be pushing this on Monday. I'd also be happy to write a simple PHP example codebase for this (the benefit of that being that it can be written simply enough to be clear how it works for hosts to implement). |
Good idea James. Real code always helps. |
How does this vaguely work for documentation? Rewritten slightly to be a separate tag. "Claiming" a podcast in a podcast directory means that your customer can be authorised as the owner of that podcast in a directory. You might claim a podcast in Podchaser to add host information; in GoodPods to be notified of comments; or in Spotify to add it to the Spotify dashboard for analytics. A "quick-claim" is a programmatic way to claim a podcast, by taking your customer from a podcast directory to an authenticated page on their podcast host. For podcast directoriesRun a podcast directory, and want to check that someone owns this podcast? Benefits of using "quick-claim" are that it's one-click within a browser or webview, rather than sending a potential user an email. Assuming they are logged-in to their podcast host (or can log in), they can approve your request instantly and come back to your website within seconds, thus significantly lowering your abandoned shopping cart or registration. Additional benefits are that anyone authorised to access the podcast host dashboard may claim the show; and the email address within the RSS feed need not be the one used by your user. Check that quick-claiming is enabled in the RSS feed.
As above, you should see an Give them a "claim this with your podcast host" buttonYou will send a POST to the auth field present in the podcaster's RSS feed, with three values: a. The Here's an example in PHP of your button: echo '<form method="post" action="'.$auth.'">';
echo '<input type="hidden" name="guid" value="'.$guid.'">';
echo '<input type="hidden" name="token" value="'.$token.'">';
echo '<input type="hidden" name="returnurl" value="https://directory.example.com/claim/process">';
echo '<input type="submit" value="Claim this now">';
echo '</form>'; Handle the responseIf the user wants to claim the podcast, they will press a button on their podcast host's website, and you will get a POST to the returnurl above. It will contain the same GUID as above, and the token. Check the GUID is the one you were expecting; and ensure the token is correctly formatted. If it is, the user has successfully claimed the podcast. For podcast hostsQuick-claim is designed to allow your customers to demonstrate that they own their podcast on third-party services, like Podchaser or Goodpods, as an example. The benefits of using "quick-claim" are that it's one-click for your customers from the service they wish to claim, direct to you. You can monitor the services your users are using, and can give multiple people access to claiming a podcast on a separate service based on your service's access levels. Ease of use on third-party services retains the customer with your company, thus lowering churn, and possibly giving them more access and interaction, prolonging their activity with you. If you're a podcast host wanting to add quick claiming for your customers, then here's how you can do it painlessly: Add a
|
I know it is a somewhat far off dream... but I'd dearly love to dump having to put emails in feeds completely. It's just a nasty spam harvesting system as it is today. This would certainly be the first step on that journey. |
Agree. To be honest, we don't need them for this; it's just part of the "other" use of the Or, and perhaps better, we use the same auth for transfer locking. |
Hi, I really like this idea of quick claiming. Quick idea here : I'm not 100% sure it fits with "podcast locking" term. If we complexify a bit the usage maybe we could rename the tag to something like But most importantly, as I see the value behind this idea, the implementation we're currently discussing has some flaws IMHO. First, it doesn't seem enough secure to me, as there is no way to authenticate the server response : If we visit a directory with a claim button these are public informations : guid, claiming auth_url are in the feed, the token the directory is generating, and the return_url. With the current implementation of the draft protocol, anyone can claim any feeds without having to log into the hosting provider. The second issue I see is "user path/worklow". What happens if the user can't login, or click a back link, or something has failed (e.g. the user has no access to this podcast) ? We need to mimick what payment platform like paypal uses : success_url, error_url, back_url. That's a bit verbose, but don't worry we can simplify, i have a few ideas. Third issue is that we have no way to "identify" the service asking for permission. What works with OAuth is that apps are registered into the service provider, so it can show the user a name, icon and purpose. If we wan't to keep a decentralized approch, we need to add these informations somewhere. I'll use the great doc wrote by @jamescridland and use it as a base to explain how I would implement this, as a podcast directory & podcast hosting company. I'll use the "Claiming" a podcast in a podcast directory means that your customer can be authorized as the owner of that podcast in a directory. You might claim a podcast in Podchaser to add host information; in GoodPods to be notified of comments; or in Spotify to add it to the Spotify dashboard for analytics. A "quick-claim" is a programmatic way to claim a podcast, by taking your customer from a podcast directory to an authenticated page on their podcast host. For podcast directoriesRun a podcast directory, and want to check that someone owns this podcast? Benefits of using "quick-claim" are that it's one-click within a browser or webview, rather than sending a potential user an email. Assuming they are logged-in to their podcast host (or can log in), they can approve your request instantly and come back to your website within seconds, thus significantly lowering your abandoned shopping cart or registration. Additional benefits are that anyone authorised to access the podcast host dashboard may claim the show; and the email address within the RSS feed need not be the one used by your user. Check that quick-claiming is enabled in the RSS feed.
As above, you should see an Give them a "claim this with your podcast host" buttonYou will redirect your user to the auth url present in the podcaster's RSS feed, with 1 to 3 URL parameters :
|
This is great work, @PofMagicfingers . The use of JWT seems good and sensible, given it's based on a standard which is already there. I'd like to go so far as to suggest that, if done correctly, this would allow podcast hosts to publish RSS feeds without email addresses altogether, and thus avoid privacy and spam issues. That, though, needs the acceptance of someone like Apple or Spotify. |
Does anyone volunteer to write this up into a proposal document? If nobody raises their hand I'll do it. This is sufficiently complex enough to really need it's own doc in the proposal-docs folder. |
I love the idea of making this easier! And I have another possible way this could be handled. Look at how something domain-authentication works with an email service provider: add a TXT record to your DNS, service-provider then polls the domain for the change to match what it's expecting. We could apply this same kind of claim-code approach to podcasts. It could work like this:
Now where to put the tag? I think that, ideally, it should be a separate channel-level tag, like But what about for feed-generators that aren't updated or don't support the feature? I think, like Apple Podcasts and a couple other tools I've seen, we could advise putting that token in a standard, editable RSS field, or even some kind of link or emoji/unicode character in the description/content. This method does, however, depend on the timeliness of the feed's refreshing. If the feed comes directly from the source, then any kind of cache is probably flushed nearly immediately. But if there's a third-party service, like FeedBurner or Podcast Mirror, it can take longer for the change to show up. However, the directory could continue looking for it until found, so the podcaster doesn't have to wait around or do anything further. |
Well, actually that's what we've done on the catalog side of podCloud at first. Podcasters could add their show to our catalog and verification was done by looking for a token inside the feed. We had many issues and support requests asking for help with this. Most of the time podcasters didn't really knew where to put a tag in their RSS feed, or they were using a service or a plugin that didn't let them do that. We moved to just looking for the token anywhere in the feed : episode or channel descriptions... And we still had some users confused about where to add the token, when they could remove it or not, and some didn't want to clutter their description with a garbage token. We've really "eased" catalog registration since we switched to an email based verification like Spotify. Also, if we have to add a separate tag for each directory, that means multiple tags to maintain for a solo podcaster, a new UI to let users configure it for a hosting platform... The podcaster need to add a new token for every new platform they register to, we have to maintain a slug list. Given my experience with that, I'd rather go with our first approch with one tag, and a back and forth between the directory and a source of authority set up in the feed. |
I agree with @PofMagicfingers that the added layer of security to authenticate the callback to the service as actually being from the hosting company is warranted. This security layer adds some complexity to implementation...but the approach seems solid. I had thought to bring up @theDanielJLewis's idea earlier as well, but I agree with the cacheing feeds problem. Many hosts cache their feeds for at least a few minutes, so if the solution includes delay, it lacks the smoothness that this solution is looking to create. Want to be straight with folks in saying that I don't think this feature would be prioritized very highly on our roadmap as long as Apple / Spotify require emails in the feeds. Obviously could be a nice improvement for the user flows of 3rd party services, but I don't see this as a huge problem that podcasters are facing / complaining to us about. Users are used to email auth flows. That doesn't mean this doesn't have value; just noting that this probably wouldn't be super high on the list for us in case that's useful. |
This is valuable feedback also Mike. I imagine most hosts feel that way. If we do this type of tag it probably would just be a future-proofing issue that lays road instead of prompting change. |
It depends, I think, how bad the spam issue becomes. If Apple walks the walk about privacy (rather than just talking about it), then they should appreciate the benefit of a better service here. |
Thanks @daveajones for creating the md doc. We discussed on podcastindex.social about specifying the key algorithm used inside the tag : actually we don't need to, I checked and the algorithm type is included inside the JWT generated by the server. |
👍👍 |
Closing this, given we chose to go with an opaque |
Use case
Currently, if you want to "claim" a podcast on most podcast directories, then they achieve this in one of two ways.
This falls over in a few ways:
a. it relies on quick transmission of emails, unimpeded by spam filters
b. the podcast publisher needs access to this email address (quite hard for a large team)
c. the email address could be used for multiple podcasts
d. it causes a lot of basket abandonment, as podcasters have to move from a website to an email, get distracted by the other emails there, and go and do something else, forgetting to claim their podcast
The drawbacks with 'claiming' feeds have caused some podcast apps/directories to just not bother with this step, and that's a mistake that would be nice to fix, too.
Suggestion
I don't really know what I'm doing here, but I'd like to suggest some form of key/token thing that allows this to be automated. So the above is changed to...
This seems quite similar to OAuth, so there might be something there in how it works. I think we also need to give an auth URL for a podcast publisher. This would a) tell the podcast directory that this is supported; and b) tell the podcast directory where to go to request clarification from the podcast host that this really is this person's podcast.
<podcast:locked auth="https://example.com/claiming/login.php" owner="email@example.com">yes</podcast:locked>
This is a problem, and it would be really nice to have a programmatic, smooth solution to it. I'm not sure I've identified a solution yet.
Later: I've added some documentation below as to how I think it might work.
The text was updated successfully, but these errors were encountered: