Wordpress IndieAuth Plugin

From IndieWeb


The WordPress IndieAuth Plugin is a WordPress plugin that adds IndieAuth support to WordPress.

The original release, written in 2013 by Matthias Pfefferle, added support for logging into a WordPress site using Indieauth.com. The intention from the beginning was to eventually make WordPress an IndieAuth server as well.

In 2017, after a period of stagnation, the plugin was transferred to the IndieWeb repository. David Shanske rewrote the existing functionality, since it relied on unsupported/undocumented features of Indieauth.com, and made the plugin usable with any IndieAuth server, not just Indieauth.com. Version 2.0, now released, also implements an IndieAuth endpoint inside the plugin instead of relying on Indieauth.com.

Terminology

  • web sign-in - logging in to WordPress using an external identity (your own site's URL)
  • IndieAuth - using WordPress to log in to other places, such as Micropub apps

Use Cases

The following is a brainstorm of the use cases that this plugin solves or will solve in the future. Each should include enough information and steps to test the plugin when making changes.

Web Sign-In

Logging in to a multi-user WordPress site via IndieAuth

Assumptions:

  • A group WordPress blog with this plugin, e.g. https://notiz.blog/
  • An individual with a personal WordPress blog with this plugin, e.g. https://pfefferle.org/
    • Note: this works just as well with a personal site that supports IndieAuth that does not run WordPress
  • There is a user record in notiz.blog with the user's profile URL of https://pfefferle.org/

Plugin Configuration:

  • notiz.blog
    • The IndieWeb plugin is set to a multi-author site
    • The IndieAuth plugin has the "Use IndieAuth login" setting checked
    • The IndieAuth plugin is set to use the built-in IndieAuth endpoint
  • pfefferle.org
    • The IndieWeb plugin is set to a single-author site
    • The IndieAuth plugin is set to use the built-in IndieAuth endpoint

How it Works:

  • When the user views the WordPress login screen of the group blog, there is an additional web sign-in prompt under the username/password fields
  • The user enters the URL that is in their profile (their personal site), and the plugin redirects to their personal WordPress site
  • The user sees the login request prompt and clicks "Approve"
  • The user is redirected back to the group blog with an authorization code in the query string
  • The group blog verifies the authorization code with the user's WordPress site, and then starts a session for the user

Logging in to a multi-user WordPress site via RelMeAuth

🚫 This is not currently supported

Assumptions:

  • A group WordPress blog with this plugin, e.g. https://notiz.blog/
  • An individual with a personal WordPress blog, e.g. https://pfefferle.org/
    • The personal blog does not have the IndieAuth plugin installed
    • The personal blog has a rel=me link to Twitter and GitHub on the home page
  • There is a user record in notiz.blog with the user's profile URL of https://pfefferle.org/

Plugin Configuration:

  • notiz.blog
    • The IndieWeb plugin is set to a multi-author site
    • The IndieAuth plugin has the "Use IndieAuth login" setting checked
    • The IndieAuth plugin is set to use the built-in IndieAuth endpoint
  • pfefferle.org
    • No IndieAuth plugin is installed
    • A GitHub and Twitter username are entered in the user's profile
    • The IndieWeb Plugin is installed, which adds rel=me links to the user's GitHub and Twitter profile

How it Works:

  • When the user views the WordPress login screen of the group blog, there is an additional web sign-in prompt under the username/password fields
  • The user enters the URL that is in their profile (their personal site)
  • The group blog does not find an IndieAuth server at that URL, but notices the rel=me links
  • The group blog sends the user to indielogin.com to complete the RelMeAuth authentication
  • Upon a successful authentication (via Twitter or GitHub, etc.) at indielogin.com, the user is redirected back to the group blog with an authorization code from indielogin.com
  • The group blog verifies the authorization code with indielogin.com and starts a session for the user
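The client side of both flows above (the IndieAuth one and the not-yet-supported RelMeAuth one) is the same: send the user off with a random state, and on return check the state, exchange the code with whichever server issued it, and only start a session for a user whose profile URL matches. This is an added illustration written for this page, not code from the plugin; the redirect URI, the user record table and the endpoint URLs are constructed values, and the HTTP call that exchanges the code is passed in as a function so the logic runs offline.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for the scenario above: the group blog is the client and
# the user record maps a profile URL to a local WordPress account (assumed).
CLIENT_ID = "https://notiz.blog/"
REDIRECT_URI = "https://notiz.blog/wp-login.php?action=indieauth"  # assumed callback
USERS = {"https://pfefferle.org/": "matthias"}


def canonicalize(url):
    """Lower-case scheme and host and add the trailing slash a bare domain lacks."""
    p = urlsplit(url.strip())
    if p.scheme.lower() not in ("http", "https") or not p.netloc:
        return None
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}"


def start_web_signin(entered_url, authorization_endpoint, session):
    """Build the redirect to the user's authorization endpoint (discovered from
    their site; passed in here) and remember a random state in the session so
    the callback can be tied to this login attempt."""
    me = canonicalize(entered_url)
    if me is None:
        return None
    state = secrets.token_urlsafe(32)
    session["indieauth_state"] = state
    session["indieauth_me"] = me
    params = {"me": me, "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "state": state, "response_type": "id"}  # "id": sign-in only, no token
    sep = "&" if "?" in authorization_endpoint else "?"
    return authorization_endpoint + sep + urlencode(params)


def finish_web_signin(callback_query, session, verify_code):
    """Handle the redirect back. verify_code(code, client_id, redirect_uri) is the
    caller's HTTP POST to the server that issued the code (the user's site, or
    indielogin.com in the RelMeAuth case) and returns its parsed JSON reply.
    Returns the local username to start a session for, or None to refuse."""
    q = parse_qs(callback_query)
    code, state = q.get("code", [""])[0], q.get("state", [""])[0]
    expected_state = session.pop("indieauth_state", "")
    expected_me = session.pop("indieauth_me", "")
    if not (code and state and expected_state):
        return None
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        return None  # callback does not belong to this login attempt (CSRF/replay)
    reply = verify_code(code, CLIENT_ID, REDIRECT_URI) or {}
    me = canonicalize(reply.get("me", ""))
    if me is None or urlsplit(me).netloc != urlsplit(expected_me).netloc:
        return None  # server vouched for a different site than the user entered
    return USERS.get(me)  # only a profile URL with a user record may log in
```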

IndieAuth

Logging in to the IndieWeb Wiki using your WordPress Site via IndieAuth

(Authentication)


Authorizing a Micropub app to Post to your WordPress

(Authorization)

Testing

Due to the variety of ways and environments in which WordPress can be installed, it is useful to have a list of all combinations and use this list when testing changes before releasing a new version.

  • Installation location
    • / - WordPress installed in the web server root
      • (e.g. https://example.com/)
    • /wp/ - WordPress installed in a subfolder
      • (e.g. https://example.com/wp/)
    • hybrid - WordPress installed in a subfolder, configured to serve URLs from the root
      • (e.g. https://example.com/)
  • Number of users
    • Single-user installation (user URL is the blog root)
    • Multi-user installation (user URLs include a path)
  • ... TODO

Troubleshooting

ModSecurity Firewall blocking requests

On servers using the ModSecurity Web Application Firewall with Atomicorp.com WAF rules, requests may be blocked by WAF rule 340162. This rule blocks requests that carry an external URL inside the request URL (which IndieAuth does, since the user's profile URL and the redirect URI travel as query parameters), to protect against Remote File Injection.

Temporary solutions:

  • ask the hosting provider in charge of the firewall to disable this rule,
  • or disable it yourself if you have access to the server configuration files (this may also work in .htaccess files) [1]:

    <IfModule mod_security2.c>
    SecRuleRemoveById 340162
    </IfModule>

Real solution:

From the WAF Rule description:

It is not recommended that you disable this rule if you have a false positive. If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if it is a clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

This may only be available to Atomicorp customers?
