IndieAuth was build on ideas and technology from existing proven technologies like OAuth and OpenID but aims at making it easier for users as well as developers. It also decentralises much of the process so completely separate implementations and services can be used for each part.
IndieAuth is part of taking back control of your online identity. Instead of logging in to websites as “you on Twitter” or “you on Facebook”, you should be able to log in as just “you”. We should not be relying on silos to provide our authenticated identities, we should be able to use our own personal domains to log in to sites everywhere.
You can use it right now to log in to this wiki and contribute to the community, including doing common things like:
- Adding yourself to IRC People after joining one of our discussion channels, and
- RSVP to an upcoming event.
IndieAuth is also used by many Micropub clients, so you can use your own website to log in to the tools you use to post content.
Set up using IndieAuth.com
IndieAuth.com is a service that allows you to sign in as your site by using your social media profiles. Your homepage and social media profiles need to link to each other for verification. Instead of registering for an account at indieauth.com, it uses your existing social media accounts to verify you own the URL you're signing in as.
- Add rel-me links to your homepage for various ways to reach you,
<a href="https://twitter.com/indiewebcamp" rel="me">Twitter</a>.
- Make sure any social media profiles you linked to have a link back to your homepage.
- Finally, include
<link rel="authorization_endpoint" href="https://indieauth.com/auth">on your homepage.
You are done. Try to log in to the wiki.
How It Works
Basic flow with a User signing in to a (web)App
- The User fills in his/her personal URL This is called Web sign-in.
- The App fetches the URL, looking for an Authorization Endpoint. For this, the user can use IndieAuth.com, but it can also be at their own domain. The App redirects the User to their AuthEndpoint.
- The User authenticates at their own Authorization Endpoint. IndieAuth.com uses RelMeAuth to authorize users, but if a user uses an Authentication Endpoint on his/her own site, it can be a password, e-mail link, or any other authentication the AuthEndpoint provides. They prove their identity to their AuthEndpoint, the App waits.
- The User gets a code from the AuthEndpoint, in the form of a redirect to the App. (With this, the User gives the code to the App.)
- The App checks the code with the AuthEndpoint, and if the code is valid and if the User’s identifier matches the identifier the AuthEndpoint gives, the login is completed, and the User can enter and use the app.
The Three Parts of IndieAuth
Discovery from the User’s Homepage
A user should only have to communicate their own homepage URL to the website they are trying to log in to. This is the core idea of Web sign-in. This means a developer should in their turn be able to find everything they need on that one user supplied URL.
IndieAuth defines two new
rel values for this. A user can simply link to the endpoints they want to use from their homepage, add the correct
rel value and be done.
An example would be to link to them in the
<head> section of their HTML, like so:
<link rel="authorization_endpoint" href="https://example.com/auth"> <link rel="token_endpoint" href="https://example.com/token">
Developers can use any way they want of finding these.
The Authorization Endpoint
The authorization endpoint is a page where applications can send users to and asking them to identify themselves. Because the user defines their own endpoint on their homepage, this can be part of their own website or a completely separate service. This is how the user provides proof they really operate the homepage URL they provided.
An application can also ask the user to grant it certain rights by requesting them through the authorization endpoint. A Micropub client might ask to be allowed
create rights. The user can then either accept these or not when they have been redirected to their endpoint.
For developers the authorization endpoint also functions as a verification service. If they get a code from a user they can check its validity with the endpoint to make sure it was truly issued by the user.
Third Party Services
- IndieAuth.com has an authorization endpoint that wraps RelMeAuth and will let you use silo accounts like Twitter or simple alternatives like email as authentication options. Use the URL
https://indieauth.com/authas your value for
- commentpara.de allows anyone to (anonymously or pseudonymously) log in to websites supporting IndieAuth by using
https://commentpara.de/as their homepage.
- selfauth is an authorization endpoint in PHP made to be easy to deploy.
- Acquiescence is an authorization endpoint in Ruby developed and used by Barry Frost.
- Known enables an authorization endpoint when the IndiePub plugin is turned on.
The Token Endpoint
The token endpoint is a service that creates access tokens for applications to store. This way a user can authorize a Micropub client to make posts without having to go through the authorization process every time.
Third Party Services
- IndieAuth.com has a token endpoint. Use the URL
https://tokens.indieauth.com/tokenas your value for
- Acquiescence is a token endpoint in Ruby developed and used by Barry Frost.
- Known enables a token endpoint when the IndiePub plugin is turned on.
Supporting Sites and Clients
There are a growing number of web sites that you can log into using IndieAuth and gain additional functionality:
- This site! Signing-in with IndieAuth enables you to edit the wiki!
- Micropub for WordPress
- This WordPress plugin allows users to use Micropub clients like Quill to login to a WordPress site using any IndieAuth endpoint.
These people have linked their websites to IndieAuth endpoints and/or allow other people to login to their sites using IndieAuth.
Martijn van der Ven
This section is for issues with the IndieAuth protocol that are not specific to either authorization-endpoint or token-endpoint. Issues with how the protocol is presented, as well as security considerations can go here.
Should the specification make recommendations on HTTPS?
A token can be sent to an IndieAuth endpoint without HTTPS (the docs do not forbid this), such a request should be refused. In the case of an HTTPS redirect being in place for the domain the request should not be redirected to prevent DNS poisoning, MITM, and race-condition attacks.
Need Simple Copy Paste How To
The explanation in http://waterpigs.co.uk/articles/indiewebcamp-signin-ux/ provides a list of three lengthy descriptions of what you need to setup IndieAuth, which was then subsequently criticized as "this is not a straightforward process" in the post: http://aralbalkan.com/notes/on-evolving-indieauth/
Thus we need a a simple copy paste how to that is not three lengthy descriptions.
Any explanation of how to use IndieAuth needs to start with a 1-2 sentence summary. No more.
- Introduction to Twitter Sign-in: https://dev.twitter.com/docs/auth/sign-twitter
- How Facebook Connect works: http://blog.facebook.com/blog.php?post=41735647130
Explanations for IndieAuth need to be at least as simple to understand as those for Twitter Sign-in and Facebook Connect.
IndieAuth using form-encoded responses instead of JSON
IndieAuth uses standard form-encoding for requests and response because it has been a standard encoding format since the beginning of the web. If it were a JSON response, then 7 years down the road you'd be asking "why is the response in JSON instead of ____" where ____ is the next trendy thing that replaces JSON. (Remember when XML was the new hotness?)
Proposal for content negotiation: https://www.tuxed.net/fkooman/blog/proposed_changes_to_indieauth_protocol.html#content_negotiation — Wwelves.org perpetual-tripper 02:26, 5 March 2015 (PST)
- To me this would violate Postel's law, requiring every implementation to publish many different formats. I don't care which format IndieAuth produces, but I do think we should settle on one canonical format. Kylewm.com 10:03, 5 March 2015 (PST)
- Agreed that there should be only one format. The only valid argument for JSON is that the OAuth 2.0 spec defines the response as JSON. Aaron Parecki 10:06, 5 March 2015 (PST)
- OK I withdraw my objection to content negotiation. Agree it is a relatively small burden on a relatively small number of providers; it's worth supporting multiple formats for convenience to the large number of consumers Kylewm.com 12:06, 5 March 2015 (PST)
- Just to be anti-inventing-new-formats (too many of them around and demanding attention), I'd go for form-encoded -- Kartik Prabhu 00:21 2015-03-06
- I just never saw HTTP POST form encoded _responses_ anywhere, only POST url encoded form requests... Any link to other (REST) services that use this? e.g. XMLHttpRequest does not support form encoded responses at all... fkooman
Requesting additional user details
The auth consumers may want to receive additional information about a user, and not just their homepage URL. Andy Baio raised some points in regard to this in a backer-only Kickstarter post, Opening the Source and The Great Auth Debate, 2015-03-16, when deciding what authenticator to use for Upcoming.org.
- Silos may give the application access to the user’s social graph: who their friends are, who they are following.
- Silos may give the application location information about the user.
- create an Architecture Diagram for IndieAuth per Mozilla Security Blog: Speeding Up Security Reviews
- create a Detailed Application Diagram for IndieAuth per the same.
- write-up Data flow enumeration per the same.
- write-up a Threat Analysis per the same.
Talks and Demos
- 2012-06-24: Aaron Parecki gave a talk on IndieAuth at Portland's Open Source Bridge 2012 conference! Tuesday June 26th at 4:45pm
- 2013-08-13: Aaron Parecki gave a talk on IndieAuth at the W3C Workshop on Social Business
- 2014-05-06: Aaron Parecki held a session at Internet Identity Workshop XVIII
- 2016-09-24 Sebastian Lasse had a demo showing the use of protocol handlers to keep the "me" in the browser (video) at IWC Brighton
- Web sign-in
- Web Sign-In Use Cases
- IndieAuth Authorization Brainstorming
- An (unofficial) proposal for an IndieAuth logo