Kirby Login app

From IndieWeb

What is Kirby

Kirby is a mockup of a mobile app that can be used to sign GPG challenges. It is meant as a reference implementation of this type of app.

The end result is that you can sign in to any site that supports IndieAuth verification via GPG, without a pre-existing relationship with the site you're signing in to.

The end user experience after setup is as follows:

  • Enter your domain in an IndieAuth login prompt
  • A challenge code is presented on screen
  • Scan the code with your mobile app
  • You are signed in to the site

Ideally the user should not even have to know they are using GPG under the hood; it should Just Work™.


Download the Kirby App


Generate a public/private key pair

Upon first launch of the app, it will prompt you to generate a public/private key pair within the app.

[Screenshots: kirby-2-generate-key.png, kirby-3-key-saved.png]

The app should store the private key securely on the device, for example in the iOS Keychain, and never export it; only the public key ever leaves the phone. (Bonus points: in iOS 8 it will be possible to unlock keychain items with your thumbprint.[1])

Export your public key

[Screenshots: kirby-4-export-key.png, kirby-5-email-export.png]

From within the app, you can export your public key by emailing it to yourself or copying it to the clipboard.

Link to your public key from your website

On your website, add a <link> tag with rel="pgpkey" pointing to the public key you exported, so that sites can discover the key from your domain:

<link rel="pgpkey" href="/key.asc">


Signing In

Login prompt

When signing in to a site that supports GPG auth, you enter your domain name as you normally would. The site fetches your homepage, follows the rel="pgpkey" link and retrieves your public key. Because the key is discovered from your own domain, proving possession of the matching private key is what proves control of that domain, and the site needs no prior relationship with you.


Clicking the Kirby GPG button will present a Kirby Code challenge.


Scan the Kirby Code

Launching the Kirby app on your mobile device will open it directly to a camera interface. Point it at the code on your computer screen and it will scan the code.


The code is actually a JSON encoding of a challenge and a URL to submit the signature to. The challenge should be a freshly generated random value that the server remembers and accepts only once, within a short expiry window, so that a signature captured from one sign-in cannot be replayed in another.


The mobile app signs the challenge with the private key and submits the signed text to the URL indicated.

POST /verify HTTP/1.1
Content-Type: application/x-www-form-urlencoded


Signature is Verified

After the server verifies that the signature matches the challenge it issued, using the public key it retrieved from your site, it generates an authorization code and completes the sign-in.
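The whole exchange above, from the JSON in the scanned code through the app's signature to the server's check, as an added example that is not Kirby's own code or the IndieWeb page's. It uses ed25519 from Go's standard library as a stand-in for GPG so it runs without a gpg binary; the JSON field names, the form field names, the verify URL and the domain alice.example are all assumptions. Beyond what the page states, it makes the challenge single-use and time-limited, which is what stops a captured signature from being replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"sync"
	"time"
)

// KirbyCode is the JSON carried by the scanned barcode: the challenge and the
// URL the app must POST the signature to. Field names are an assumption.
type KirbyCode struct {
	Challenge string `json:"challenge"`
	VerifyURL string `json:"verify_url"`
}

type pendingChallenge struct {
	domain  string
	pubKey  ed25519.PublicKey
	expires time.Time
}

// Server is the site being signed in to. It remembers each challenge it issues,
// with the domain and the public key it discovered from that domain.
type Server struct {
	mu        sync.Mutex
	pending   map[string]pendingChallenge
	ttl       time.Duration
	verifyURL string
	Now       func() time.Time // injectable clock so expiry can be tested
}

func NewServer(verifyURL string, ttl time.Duration) *Server {
	return &Server{pending: map[string]pendingChallenge{}, ttl: ttl, verifyURL: verifyURL, Now: time.Now}
}

// IssueChallenge runs after the site has fetched pubKey from the rel="pgpkey"
// link on domain. The returned code is what gets rendered as the Kirby Code.
func (s *Server) IssueChallenge(domain string, pubKey ed25519.PublicKey) (KirbyCode, error) {
	nonce := make([]byte, 32) // 256 bits from the CSPRNG: fresh and unguessable
	if _, err := rand.Read(nonce); err != nil {
		return KirbyCode{}, err
	}
	challenge := base64.RawURLEncoding.EncodeToString(nonce)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[challenge] = pendingChallenge{domain: domain, pubKey: pubKey, expires: s.Now().Add(s.ttl)}
	return KirbyCode{Challenge: challenge, VerifyURL: s.verifyURL}, nil
}

// AppSign is the phone's side: decode the scanned JSON, sign the challenge with
// the on-device private key, and return the two form fields plus the POST target.
func AppSign(codeJSON []byte, priv ed25519.PrivateKey) (challenge, signature, verifyURL string, err error) {
	var code KirbyCode
	if err = json.Unmarshal(codeJSON, &code); err != nil {
		return "", "", "", err
	}
	sig := ed25519.Sign(priv, []byte(code.Challenge))
	return code.Challenge, base64.StdEncoding.EncodeToString(sig), code.VerifyURL, nil
}

// Verify is the handler behind VerifyURL; it returns the authenticated domain.
func (s *Server) Verify(challenge, signature string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	pc, ok := s.pending[challenge]
	if !ok {
		return "", errors.New("unknown or already used challenge")
	}
	delete(s.pending, challenge) // consume first: one attempt, so no replay and no guessing loop
	if s.Now().After(pc.expires) {
		return "", errors.New("challenge expired")
	}
	sig, err := base64.StdEncoding.DecodeString(signature)
	if err != nil {
		return "", err
	}
	if !ed25519.Verify(pc.pubKey, []byte(challenge), sig) {
		return "", errors.New("signature does not match the key linked from the domain")
	}
	return pc.domain, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // first launch: generate the key pair
	site := NewServer("https://site.example/verify", 2*time.Minute)
	code, _ := site.IssueChallenge("alice.example", pub) // site already fetched pub from alice.example
	raw, _ := json.Marshal(code)                         // the bytes the barcode carries
	challenge, signature, url, _ := AppSign(raw, priv)
	domain, err := site.Verify(challenge, signature)
	fmt.Println(url, domain, err) // signed in as alice.example
	_, err = site.Verify(challenge, signature)
	fmt.Println(err) // the same signature replayed is rejected
}
```

The challenge is deleted from the pending table before the signature is checked, so a wrong signature costs the attacker the challenge rather than giving them a retry; a real server would also bind the pending entry to the browser session that requested it, so the sign-in completes only in the browser that showed the code.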


Alternate Setup

If you are OK with establishing a relationship with an authorization server, the setup flow can be streamlined so that you do not need to link to your public key from your website. The trade-off is that the authorization server, rather than your own domain, becomes the place that vouches for your key.

Delegate to an authorization server

First you'll need to choose an authorization server and point to it from your website. For example, to delegate to, add a link tag like the following:

<link rel="authorization_endpoint" href="">

This tells clients trying to sign you in that they should direct your browser to to complete the sign-in process. See Choose your own authorization server for more details.

Sign in to your authorization server

Sign in to your authorization server using some existing mechanism. In the case of, you might sign in by using Github or SMS auth.

Scan the code to upload your public key

Click the "Connect Kirby App" button and the authorization server generates a barcode that you can scan from the app. The barcode encodes a secret one-time URL that the app uses to upload its public key; the server should invalidate that URL after the first upload, so that nobody who later sees the barcode can replace your key with their own.

From this point on, your authorization server holds on to the public key, and can use it to verify a challenge it generates when you want to sign in to a website.

See Also