Distributed IndieAuth was a session at IndieWebCamp Düsseldorf 2017.
Notes archived from: https://etherpad.indieweb.org/indieauth
- ... add names
- confusion about what IndieAuth is
- relmeauth = identifying people; requires user to have silo accounts and site to have API keys for all silos
- if a person doesn't want a Github account or if a site offers Twitter but no Github, you miss things
- distributed indieauth
- personal website becomes OAuth provider, requires 'authorization_endpoint' link
- can be on own site or delegated e.g. to indieauth.com (service will probably be renamed)
- works without 3rd parties or rel=me, any authentication method (e.g. passwords)
- "an IndieWeb-friendly version of OAuth 2.0"
- "lowest common denominator": domain name as identifier
- Aaron: consumers should look for authorization_endpoint first, then fall back to RelMeAuth (RelMeAuth can be delegated to indieauth.com)
- Andi: fallback should work but UI could nudge users to upgrade from RelMeAuth to distributed IndieAuth
- identifying URL is returned from flow, can be different from the "me" parameter
- URL can have a path, not just domains
- Sebastian: Two other options not relying on external services are MailAuth and GPG Auth and it would be nice to have the possibility to login w.
mail but have the mailaddress on your site encrypted, small proposal https://gist.github.com/sebilasse/3fa48e758b6828fe30bdee64778d6e4e
- Quill contains a tutorial for IndieAuth setup if user's setup is wrong or incomplete
- Show of hands: almost nobody uses HTTP Link headers, everyone has rel-links in HTML
- Currently IndieAuth is documented as how-tos only, no spec
- Users who want to implement posting to their own site should start with Micropub directly and not build their own 'token_endpoint'
- Aaron: suggest names for two services to replace indieauth.com; one for users to delegate to and one for (consumer) developers