selfauth

From IndieWeb


selfauth is a single user authorization endpoint written as single-file PHP without a database.

If you are looking for a minimal, self-hostable token endpoint, see Mintoken.

Why

  • You don't need silo accounts to use Selfauth, so it's IndieAuth without Twitter or Github.
  • More privacy: you don't tell silos that you want to login somewhere, only your own server.
  • Not vulnerable for social engineering with silo accounts.

How-to

  1. Download the latest version of selfauth from GitHub: https://github.com/Inklings-io/selfauth/archive/master.zip.
  2. Upload index.php and setup.php to any public folder on your website. The rest of this how to assumes a folder called auth in the root of your website, reachable on https://example.com/auth/.
  3. Navigate to setup.php in your browser, e.g. https://example.com/auth/setup.php and follow the steps on screen.
    • It will ask you to provide the URL you want to login with, probably your homepage, and
    • a password to identify yourself with.
  4. Add a link to your homepage so websites you are logging in to can find it. Do this by adding the following to your <head>, don’t forget to change the href to link to where you uploaded the files!
    <link rel="authorization_endpoint" href="https://example.com/auth/" />

You are done and can now login to any IndieAuth supporting website with nothing other than your own site!

This How-to was derived from the official README on 2017-08-13. Always check out a project’s README file to double check for new developments.

IndieWeb Examples

Martijn van der Ven

Martijn van der Ven has been using selfauth to login to Telegraph and this wiki as of 2017-06-23. Important part of his selfdogfood principle.

fluffy

fluffy has been using selfauth since December 2018 for providing IndieAuth login to webmention.io et al, as well as her own website's admin dashboard

Criticism

  • It's easier to use rel=me and re-use your existing accounts, with all it's security features.
    • However, this criticism is only applicable when using selfauth for authenticating to sites. When authorizing an app such as a Micropub app to let it post to your site, some other software needs to run in order for that to happen: either a self-hosted token endpoint or a service such as IndieAuth.com.

See Also