"Delegated" in the same sense that matrix uses it, for example, here: https://matrix-org.github.io/synapse/latest/delegate.html
(hosting on sub.example.tld while preserving federated @username@example.tld usernames)
Digging through the code, it seems like doipjs does not perform any WebFinger requests for AP validation at all, which means it will fail to validate https://example.tld/@username AP claims for delegated profiles cuz there is just nothing there, actual profile is hosted on a different (sub)domain.
Is there any specific reason as to why no WebFinger request is performed for AP validation if initial attempt to locate profile at provided url fails?
Example of a failed validation: https://keyoxide.org/hkp/61ADEA93AEEC0534176B36494C82DB4C8F1BA6FA
My setup looks like this:
i have a 301 redirect for both webfinger and nodeinfo endpoints pointing to the subdomain hosting AP capable software, like so:
example.tld/.well-known/webfinger 301 => sub.example.tld/.well-known/webfinger
example.tld/.well-known/nodeinfo 301 => sub.example.tld/.well-known/nodeinfo
sub.example.tld/.well-known/webfinger endpoint will return { subject: "acct:username@example.tld", ... } when looking up either acct:username@example.tld or acct:username@sub.example.tld which allows to establish a two-way relationship between example.tld and sub.example.tld in order to prevent any hijacking by a malicious 3rd party.
I know this approach is not standardized, but this appears to be the only way to achieve delegation atm.
And it seems to be enough for other popular AP-capable software, namely Mastodon, to correctly recognize delegated profiles "hosted" on @example.tld and properly federate with them.
(try looking up @cuteBoiButt@torchmc.ru on your favorite Mastodon instance to see this in action :з)
I can try to cook up a pr improving AP validation to support such setups if there are no objections ^.^