IndieAuth

From IndieWeb

IndieAuth is a federated login protocol for Web sign-in, enabling users to use their own domain to sign in to other sites and services. IndieAuth can be used to implement OAuth2 login AKA OAuth-based login.

IndieAuth is built on ideas and technology from existing proven technologies like OAuth and OpenID but makes it easier for users as well as developers. It decentralizes much of the process so completely separate implementations and services can be used for each part.

Read More: IndieAuth: OAuth for the Open Web

If you’re familiar with writing an OAuth client, then you're familiar with the problem of having to register your client manually with each OAuth provider. IndieAuth uses DNS as a replacement for client registration, thereby eliminating the need for any manual registration with providers.

Note: IndieAuth is often conflated with the IndieAuth.com service provider. The first is the subject of this page: the way the IndieAuth protocol works. The second is a service that provides an authorization endpoint, and was also previously used by this wiki until the wiki switched to using indielogin.com.

Why

By choosing your IndieAuth provider, you can tell applications where to send you to sign in. This gives you more control over the privacy and security of your logins.

Most Micropub clients use IndieAuth to log you in, obtaining your authorization by directing you to your chosen IndieAuth server. This allows you to use your own website to log in to the tools you use to post content.

IndieAuth is part of taking back control of your online identity. Instead of logging in to websites as “you on Twitter” or “you on Facebook”, you should be able to log in as just “you”. We should not be relying on silos to provide our authenticated identities; we should be able to use our own personal domains to log in to sites everywhere.

You can use it right now to log in to this wiki and contribute to the community, including doing common things like:

How it works

Basic flow with a user signing in to a (web) app

  1. The user fills in his/her personal URL. This is called Web sign-in.
  2. The app fetches the URL, looking for an authorization endpoint. For this, the user can use IndieAuth.com, but it can also be at their own domain. The app redirects the User to their authorization endpoint.
  3. The user authenticates at their own authorization endpoint. IndieAuth.com uses RelMeAuth to authenticate users, but if a user uses an authorization endpoint on his/her own site, it can be a password, e-mail link, or any other authentication mechanism the authorization endpoint provides. They prove their identity to their authorization endpoint while the app waits for them to complete.
  4. The authorization endpoint issues a temporary authorization code, and sends it to the app by redirecting the user's browser back to the app.
  5. The app checks the code with the authorization endpoint, and if the code is valid and if the user’s identifier matches the identifier the authorization endpoint gives, the login is completed, and the user can enter and use the app.
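The five steps above, walked through end to end as an added example (this is not code from the wiki, from IndieAuth.com or from any listed implementation). Both sides run in one process: the authorization endpoint is a small in-memory stand-in, all URLs are constructed placeholders, and the parameter names (`me`, `client_id`, `redirect_uri`, `state`, `code`) are assumed from OAuth 2.0 conventions since the steps above do not name them. The checks in step 5 are the point: the app accepts the login only if the `state` it issued comes back, the code is valid for this client and redirect URI, and the identity the endpoint vouches for is the one the user typed.

```python
import secrets
import urllib.parse

# Constructed sample values for the walk-through; none of these are real sites.
USER_URL = "https://alice.example/"
AUTH_ENDPOINT = "https://alice.example/auth"   # would be discovered from USER_URL
CLIENT_ID = "https://app.example/"
REDIRECT_URI = "https://app.example/callback"


def query_params(url):
    """Return the query string of a URL as a plain dict."""
    return dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))


class AuthorizationEndpoint:
    """Stand-in for the user's authorization endpoint (steps 3 to 5, server side)."""

    def __init__(self):
        self._codes = {}  # code -> the request it was issued for

    def authorize(self, params, authenticated_as):
        # Step 3 has happened: the endpoint authenticated the user by whatever
        # means it offers. Step 4: issue a single-use code bound to the request
        # and send it back through the user's browser.
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "me": authenticated_as,
            "client_id": params["client_id"],
            "redirect_uri": params["redirect_uri"],
        }
        query = urllib.parse.urlencode({"code": code, "state": params["state"]})
        return f"{params['redirect_uri']}?{query}"

    def verify(self, code, client_id, redirect_uri):
        # Step 5, endpoint side: the code is consumed on first use and is only
        # valid for the client and redirect_uri it was issued to.
        issued = self._codes.pop(code, None)
        if issued is None:
            return None
        if issued["client_id"] != client_id or issued["redirect_uri"] != redirect_uri:
            return None
        return {"me": issued["me"]}


class App:
    """The web app the user is signing in to (steps 1, 2 and 5, client side)."""

    def __init__(self, endpoint):
        self.endpoint = endpoint
        self._pending = {}  # state -> URL the user typed in

    def start_login(self, user_url):
        # Steps 1 and 2: remember what the user typed, bind it to a fresh
        # state value, and redirect to the discovered authorization endpoint.
        state = secrets.token_urlsafe(16)
        self._pending[state] = user_url
        query = urllib.parse.urlencode({
            "me": user_url,
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "state": state,
        })
        return f"{AUTH_ENDPOINT}?{query}"

    def finish_login(self, callback_url):
        # Step 5, client side. Returns the verified identity, or None to refuse.
        params = query_params(callback_url)
        user_url = self._pending.pop(params.get("state", ""), None)
        if user_url is None:
            return None  # unknown, expired or replayed state
        result = self.endpoint.verify(params.get("code", ""), CLIENT_ID, REDIRECT_URI)
        if result is None:
            return None  # code rejected by the endpoint
        if result["me"] != user_url:
            return None  # endpoint vouched for a different identity than was typed
        return result["me"]


def run_login(entered_url, authenticated_as):
    """Drive one complete sign-in and return the identity the app accepts."""
    endpoint = AuthorizationEndpoint()
    app = App(endpoint)
    request = query_params(app.start_login(entered_url))
    callback = endpoint.authorize(request, authenticated_as)
    return app.finish_login(callback)


if __name__ == "__main__":
    print(run_login(USER_URL, USER_URL))                   # accepted
    print(run_login(USER_URL, "https://mallory.example/"))  # None: identity mismatch
```

In a real deployment the two classes live on different servers and talk over HTTPS, and the endpoint should additionally expire codes after a short time; the in-memory dictionaries here are only there to make the state and code bookkeeping visible.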

How to

If all you're trying to do is log in to the wiki, then you may not need to set up IndieAuth at all! Instead, you can just link to your existing Twitter or GitHub accounts and the wiki will use those to authenticate you! See indielogin.com/setup for more details.

Set up using IndieAuth.com

IndieAuth.com is a service that allows you to sign in as your site by using your social media profiles. Your homepage and social media profiles need to link to each other for verification. Instead of registering for an account at indieauth.com, it uses your existing social media accounts to verify you own the URL you're signing in as.

  1. Add rel-me links to your homepage for various ways to reach you,
    e.g. <a href="https://github.com/aaronpk" rel="me">GitHub</a>.
  2. Make sure any social media profiles you linked to have a link back to your homepage.
  3. Finally, include <link rel="authorization_endpoint" href="https://indieauth.com/auth"> on your homepage.

You are done! Try to log in to a site that supports IndieAuth, such as:

These services should redirect you to your chosen IndieAuth endpoint to sign in, which in this case is indieauth.com.

See: full setup instructions

Set up in WordPress

If you use WordPress, you can install the Wordpress IndieAuth Plugin which provides a built-in IndieAuth server.

Set up your own IndieAuth provider

Use an existing implementation or build your own!

IndieWeb Examples

The following people have an authorization endpoint on their own domain.

Aaron Parecki

Aaron Parecki at https://aaronparecki.com/auth as of 2016-04-13. As of 2017-10-04, authentication is done via a push notification to his mobile phone rather than entering a password.

Sebastiaan Andeweg

Sebastiaan Andeweg has an authorization endpoint at https://seblog.nl/auth as of IndieWebWeek 2017 in Düsseldorf and Nürnberg.

Martijn van der Ven

Martijn van der Ven has an authorization endpoint on http://vanderven.se/martijn/ as of 2017-06-30. Powered by selfauth.

Jeena Paradies

Jeena Paradies has an authorization endpoint at https://jeena.net/indieauth as of IndieWebCamp 2017 in Berlin.

Malcolm Blaney

Malcolm Blaney has an authorization endpoint on https://unicyclic.com/mal as of IndieWeb Summit 2018.

Kristof De Jaeger

Kristof De Jaeger has an authorization endpoint on https://realize.be as of November 2018.

Implementations

IndieAuth.com

selfauth

Acquiescence

  • Acquiescence is a simple IndieAuth authorization and token endpoint. It is currently limited to GitHub for authorization. Barry Frost uses Acquiescence on his website.

Wordpress IndieAuth Plugin

Known

  • Known provides a built-in IndieAuth server

Comment Parade

  • commentpara.de provides IndieAuth identities to anyone wishing to log in to a website anonymously.

Drupal IndieWeb Module

  • The Drupal IndieWeb module provides a self-contained IndieAuth server for Drupal

indieauth-openid

IndieCert

Micro.blog

Cellar Door

Dobrado

dobrado provides a built-in IndieAuth server.

Micropub

Most Micropub apps use IndieAuth to allow the app to post to your site.

Microblog.pub

Microblog.pub implements IndieAuth endpoints (authorization and token endpoint) with U2F support, and you can use your ActivityPub identity to log in to other websites and apps.

Services

IndieLogin.com

IndieLogin.com is a service that consumes IndieAuth. It authenticates users using IndieAuth, RelMeAuth, email and PGP, wrapping all the logic in a simple API. It is a very easy way to get started consuming IndieAuth logins.

Read the full documentation

IndieAuth.com

The IndieAuth.com service provides an authorization endpoint to bootstrap your Micropub server development. It lets you authenticate via GitHub, email, and PGP. Eventually this will be replaced with a new service, MyIndieAuth.com, although development of that service has not yet begun.

Historically, IndieAuth.com also provided an API for developers to use to authenticate users, though this is being phased out in favor of IndieLogin.com.

Read the full documentation

The IndieAuth.com source code is available on GitHub.

Supporting Sites

(This section is a stub and needs expansion!)

There are a growing number of web sites that you can log into using IndieAuth and gain additional functionality:

IndieAuth Protocol

A user should only have to communicate their own homepage URL to the website they are trying to log in to. This is the core idea of Web sign-in. This means a developer should in turn be able to find everything they need on that one user-supplied URL.

Discovery from the User's Homepage

IndieAuth defines two new rel values for this. A user can simply link to the endpoints they want to use from their homepage, add the correct rel value and be done.

An example would be to link to them in the <head> section of their HTML, like so:

   <link rel="authorization_endpoint" href="https://example.com/auth">
   <link rel="token_endpoint" href="https://example.com/token">

Developers can discover these endpoints using traditional HTML or Microformats parsing.
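One way to do that discovery with plain HTML parsing, as an added example that is not the wiki's or any listed implementation's code. It uses only the Python standard library, resolves relative `href` values against the homepage URL, treats `rel` as the space-separated token list it is, and ignores anything that does not resolve to an `http` or `https` URL. The sample homepage is constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ENDPOINT_RELS = ("authorization_endpoint", "token_endpoint")

# Constructed sample homepage; the hosts are placeholders, not real sites.
SAMPLE_HOMEPAGE = """<!DOCTYPE html>
<html><head>
  <title>Alice</title>
  <link rel="stylesheet" href="/style.css">
  <link rel="authorization_endpoint" href="https://example.com/auth">
  <link rel="token_endpoint" href="/token">
</head><body>
  <a href="https://github.com/alice" rel="me">GitHub</a>
</body></html>"""


class RelLinkParser(HTMLParser):
    """Collect href values of <link> and <a> elements keyed by each rel token."""

    def __init__(self):
        super().__init__()
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        if tag not in ("link", "a"):
            return
        attrs = dict(attrs)
        href, rel = attrs.get("href"), attrs.get("rel")
        if not href or not rel:
            return
        # rel is a space-separated token list, e.g. rel="me nofollow".
        for token in rel.lower().split():
            self.rels.setdefault(token, []).append(href)


def discover_endpoints(homepage_url, html):
    """Return the endpoint URLs a homepage advertises, resolved against it."""
    parser = RelLinkParser()
    parser.feed(html)
    found = {}
    for rel in ENDPOINT_RELS:
        for href in parser.rels.get(rel, []):
            url = urljoin(homepage_url, href)
            # Only web URLs are usable as endpoints; anything else is skipped.
            if urlsplit(url).scheme in ("http", "https"):
                found[rel] = url  # first usable occurrence wins
                break
    return found


if __name__ == "__main__":
    print(discover_endpoints("https://alice.example/", SAMPLE_HOMEPAGE))
```

The function returns only the rels it found, so a caller that gets back no `authorization_endpoint` knows the homepage does not support IndieAuth sign-in rather than receiving a guessed default.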

The Authorization Endpoint

The authorization endpoint is a page where applications can send users to ask them to identify themselves. Because the user defines their own endpoint on their homepage, this can be part of their own website or a completely separate service. This is how the user provides proof they really operate the homepage URL they provided.

An application can also ask the user to grant it certain rights by requesting them through the authorization endpoint. A Micropub client might ask to be granted create rights. The user can then either accept these or not once they have been redirected to their endpoint.

For developers, the authorization endpoint also functions as a verification service. If they get a code from a user they can check its validity with the endpoint to make sure it was truly issued by the user.

Third Party Services

Self-Hostable Implementations

The Token Endpoint

The token endpoint is a service that creates access tokens for applications to store and use in Micropub requests. After authorizing the application, the token endpoint creates a token that the application stores. The application will send it in a header when making a Micropub request, and the Micropub endpoint is expected to be able to validate the token while processing the request.
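The token endpoint and Micropub endpoint sides of that description, as an added example that is not the wiki's or any listed implementation's code. The token endpoint here is an in-memory stand-in that issues opaque bearer tokens once authorization has been established (the code-verification step is assumed to have happened already and is not shown); the Micropub handler extracts the token from the `Authorization` header, has the token endpoint validate it, and refuses the request when the token is missing, unknown, revoked, or lacks the scope the action needs. The scope and identity values are constructed for the example.

```python
import hmac
import secrets


class TokenEndpoint:
    """Stand-in token endpoint: issues opaque bearer tokens and checks them later."""

    def __init__(self):
        self._tokens = {}  # token -> who it belongs to, which app, which scopes

    def issue(self, me, client_id, scope):
        # Assumes the application's authorization code has already been
        # verified with the user's authorization endpoint (not shown here).
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"me": me, "client_id": client_id, "scope": scope}
        return token

    def verify(self, token):
        # Compare in constant time so a wrong guess does not leak how many
        # leading characters matched. A linear scan is fine for a demo store.
        for stored, info in self._tokens.items():
            if hmac.compare_digest(stored, token):
                return dict(info)
        return None

    def revoke(self, token):
        self._tokens.pop(token, None)


def bearer_token(headers):
    """Extract the token from an 'Authorization: Bearer <token>' header, or None."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token or not token.isascii():
        return None
    return token


def handle_micropub(headers, action, token_endpoint):
    """Micropub endpoint side: validate the token before doing anything else.

    Returns an (HTTP status, message) pair instead of touching a real store.
    """
    token = bearer_token(headers)
    if token is None:
        return 401, "missing or malformed bearer token"
    info = token_endpoint.verify(token)
    if info is None:
        return 401, "token not recognized"
    if action not in info["scope"].split():
        return 403, f"token lacks the '{action}' scope"
    return 201, f"{action} accepted for {info['me']} via {info['client_id']}"


if __name__ == "__main__":
    endpoint = TokenEndpoint()
    token = endpoint.issue("https://alice.example/", "https://app.example/", "create update")
    print(handle_micropub({"Authorization": f"Bearer {token}"}, "create", endpoint))
    print(handle_micropub({"Authorization": f"Bearer {token}"}, "delete", endpoint))
```

Keeping the token opaque and validating it against the token endpoint on every request is what lets a user revoke an application's access later: once the token is dropped from the endpoint's store, the Micropub endpoint starts rejecting it immediately.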

Third Party Services

Self-Hostable Implementations

FAQ

The IndieAuth.com FAQ is here:

Feel free to add more questions here that seemed to be asked more than once.

How is IndieAuth different from OpenID Connect

Main article: How is IndieAuth different from OpenID Connect

Do I need a silo account

No silo accounts are required for IndieAuth services, but some may choose to use them as an authentication method.

See also the answer to this question on the IndieAuth.com page.

Do I need to enter my URL every time

Q: Do I need to enter my URL every time I log in to an app that uses IndieAuth?

Yes, like traditional username/password forms, you need to enter your URL when you log in to an app. Browsers will remember the URL you enter and will suggest it using their normal autofill mechanisms as well.

[Image: indieauth-autofill.jpg]

Should I use HTTPS

The IndieAuth specification is an extension of OAuth 2.0, and OAuth 2.0 recommends using https URLs for everything. IndieAuth doesn't provide any new reason to require or not require https so delegates this recommendation to OAuth 2.0.

Why do I see form-encoded responses

IndieAuth originally used standard form-encoding for requests and responses, since it has been a standard encoding format since the beginning of the web.

Over time, implementations added support for sending JSON responses as well as form-encoded. When IndieAuth was written up as a formal OAuth 2.0 extension, it documented only the JSON responses in order to be compatible with OAuth 2.0. At that point, most implementations already supported JSON responses, or did content negotiation to support both formats.

How can an application get additional information about the user

The IndieAuth specification offers the user’s profile page where further public information about the user can be found, e.g. by parsing an h-card. There is currently no common way of retrieving private information.

Issues

For issues about the IndieAuth spec, please see the IndieAuth GitHub project.

For issues with the IndieAuth.com service, please see the IndieAuth.com Github project.

Older discussions and brainstorming have been moved to IndieAuth-brainstorming.

Talks and Demos

Articles

See Also