WordPress IndieAuth Plugin
The original release, written in 2013 by Matthias Pfefferle, added support for logging into a WordPress site using Indieauth.com. The intention from the beginning was to eventually make WordPress an IndieAuth server as well.
In 2017, after a period of stagnation, the plugin was transferred to the Indieweb repository. David Shanske committed to rewriting the existing functionality, because it used unsupported/undocumented features of Indieauth.com, and to making the plugin usable with any IndieAuth server, not just Indieauth.com.
This second release is still in progress and has not yet been released.
A third release is hoped for that would add the server functionality directly to the plugin.
The following brainstorms the use cases that this plugin solves or will solve in the future.
Logging in to a multi-user WordPress via IndieAuth
✔️ Implemented in the original release
- The Website field in the User's profile lists a URL that has one or more rel="me" profiles to Twitter, GitHub, etc.
- The user wants to use another service to log in to WordPress instead of typing a password. This is usually Rel-Me-Auth.
How it works:
- When installing the plugin, the admin configures an authentication service to use (defaults to indieauth.com). In the original release, the plugin only supported indieauth.com.
- When viewing the WordPress login screen, there is an additional web sign-in prompt under the username/password
- The user enters the URL that is in their profile, and the plugin redirects to the authentication service
- The plugin verifies the auth code with the service and logs the user in
Note: The plugin does not currently do discovery on the provided URL to find the authorization_endpoint, but there is a PR pending for this. The trust relationship here is that the user has to add the website to their user account for it to allow login.
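The last step and the trust relationship in the note, sketched as an added example (not the plugin's code): the login is tied to the `me` URL the service returns from the code verification, compared against each account's Website field after normalization. The sample accounts, the function names, and the assumption that the service replies with `me` as JSON or form-encoded text are all constructed for illustration.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample accounts: WordPress login -> Website field of the profile.
USERS = {"alice": "https://alice.example/", "bob": "http://Bob.example"}

def canonical(url):
    """Normalize a profile URL for comparison; return None if it is unusable."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port
    except ValueError:  # malformed port or IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.username or parts.password or parts.fragment:
        return None
    netloc = parts.hostname + (f":{port}" if port else "")
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme}://{netloc}{parts.path or '/'}{query}"

def verified_me(status, content_type, body):
    """Extract 'me' from the service's answer to the auth-code verification."""
    if status != 200:
        return None
    if "json" in content_type.lower():
        try:
            data = json.loads(body)
        except ValueError:
            return None
        me = data.get("me") if isinstance(data, dict) else None
    else:  # assumed form-encoded reply
        me = parse_qs(body).get("me", [None])[0]
    return me if isinstance(me, str) else None

def user_for_login(status, content_type, body, users=USERS):
    """Map a verified 'me' to exactly one account, or refuse the login."""
    me = canonical(verified_me(status, content_type, body) or "")
    if me is None:
        return None
    matches = [u for u, site in users.items() if canonical(site) == me]
    # Assumption of this example: an ambiguous match is refused, not guessed.
    return matches[0] if len(matches) == 1 else None

if __name__ == "__main__":
    print(user_for_login(200, "application/json", '{"me": "https://ALICE.example"}'))
```

The scheme is kept significant, so an account listing an `http://` Website is not matched by an `https://` identity, and a host that merely starts with a registered one does not match.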
Using IndieAuth Authorization
❌ Not yet implemented
- For now, the Micropub plugin handles this.
- Recent commits have added support for verifying tokens from token endpoints, so the plugin could take this function over in future: the code functionality is there, but it hooks in at a deeper level.
- The goal of this was to allow access to the WordPress REST API, which is customizable (it is used for the Webmention plugin, for example), using an IndieAuth token.