Kirby Login app

= What is Kirby =

Kirby is a mockup of a mobile app that can be used to sign GPG challenges. It is meant as a reference implementation of this type of app.

The end result is that you can sign in to any site that supports IndieAuth verification via GPG, without a pre-existing relationship with the site you're signing in to.

The end user experience after setup is as follows:
 * Enter your domain in an IndieAuth login prompt
 * A challenge code is presented on screen
 * Scan the code with your mobile app
 * You are signed in to the site

Ideally the user should not even have to know they are using GPG under the hood, it should Just Work™

= Setup =

Generate a public/private key pair
Upon first launch of the app, it will prompt you to generate a public/private key pair within the app.



The app should store this securely on the device, such as in the Keychain in iOS. (Bonus points that in iOS 8, it will be possible to unlock keychain items with your thumbprint!)

Export your public key


From within the app, you can export your public key by emailing it to yourself or copying it to the clipboard.

Link to your public key from your website
On your website, add a  tag pointing to the public key.

&lt;link rel="pgpkey" href="/key.asc"&gt;



= Signing In =

Login prompt
When signing in to a site that supports GPG auth, you'll enter your domain name like you would as normal. The site will find your GPG public key you linked to.



Clicking the Kirby GPG button will present a Kirby Code challenge.



Scan the Kirby Code
Launching the Kirby app on your mobile device will open it directly to a camera interface. Point it at the code on your computer screen and it will scan the code.



The code is actually a JSON encoding of a challenge and a URL to submit the signature to.

{ "u":"https://indieauth.com/verify", "c":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1Ni      J9.eyJtZSI6Imh0dHA6Ly9hYXJvbnBhcmV       kuY29tIiwidXNlcl9pZCI6MSwicHJvZmls       pZCI6MzAzNCwicmVkaXJlY3RfdXJpIjoia" }

The mobile app will sign the challenge with the private key, and submits the signed text to the URL indicated.

POST /verify HTTP/1.1 Host: indieauth.com Content-type: x-www-form-encoded

signature=-BEGIN+PGP+MESSAGE-%0AVersion%3A +GnuPG+v1%0A%0AowGbwMvMwMRo7vqUYcv%2Fmo2Mpw9EJTEEL %2F0ekVrpZZAa4Zjpn%2BnlHWYYmOnj7JWR%0A5J4M4nuGVnka %2BmV6WeoB60Qi21Y9pAr4r%2BX7sc3AtMeBaSkRXgWeWfzLKs FJKcs0mjHvIA%0A%3DXq5z%0A-END+PGP+MESSAGE-

Signature is Verified
After the server verifies the signature matches what it was expecting, it generates an authorization code and completes the signin.



= See Also =
 * IndieAuth
 * Category:IndieAuth
 * indieauth.com