indieauth.com

IndieAuth.com Provider Status:

 indieauth.com  provides an authorization server that you can use with your website in order to log in to IndieAuth and Micropub apps.

Note: IndieAuth.com is often conflated with the IndieAuth the protocol. IndieAuth.com has historically provided two services, one for developers who want to have users log in via RelMeAuth, and the second as a personal IndieAuth authorization server. The service for developers is being replaced by indielogin.com, and the other use will eventually be replaced by a service with a new name to help avoid this confusion.

Basic Setup Guide
https://indieauth.com/setup

Using GPG with indieauth.com
You can sign in to sites by signing a challenge with your GPG key! Instructions for setting up GPG auth:

https://indieauth.com/gpg

OpenID
Using indieauth.com as an OpenID provider allows you to sign in to any site that consumes OpenID using your IndieAuth setup.

To use indieauth.com as an OpenID provider for the OpenID identifier of your site, add the following two link tags to the HTML (inside the  element) of your website, replacing "aaronparecki.com" with your domain of course.

 

FAQ
See Also: https://indieauth.com/faq

Why is Twitter not working
As of 2018-05-27, indieauth.com no longer supports logging in with Twitter. more info

Why is GitHub not working

 * If you get an error “The authentication provider replied with an error: csrf_detected” something went wrong in the cookie exchange.
 * In Safari go to Preferences → Privacy and chose to “Allow from websites I visit” instead of “Allow from current website only”. Once you are logged in you can change it back.

Why is Google+ not working
indieauth.com dropped support for Google+ some time in 2016. Google+ will shut down in 2019.

Why are IndieAuth.com and GitHub Pages not playing nicely?
Are you getting a funny error when trying to log into IndieAuth with credentials hosted on your Github Pages powered website? This is likely due to an outdated DNS record!

Quick fix:
 * Change your DNS record to point to the latest IP address that github pages uses. For obvious security reasons, you are going to have to find the correct IP addresses on this page: https://help.github.com/articles/setting-up-a-custom-domain-with-pages#setting-up-dns

What is happening is that if your DNS record points to the old github pages IP address, it sometimes 301 redirects to `/` which is non-standard and IndieAuth does not currently support relative URLs when discovering credentials. See this issue: https://github.com/aaronpk/IndieAuth/issues/46#issuecomment-34565297

Github also wrote a blog post about this change, which many people missed: https://github.com/blog/1715-faster-more-awesome-github-pages

How do I make my site do the authorization itself
If your site implements the IndieAuth protocol itself, then indieauth.com will allow you to use your own server, and many sites will be able to use your server and avoid indieauth.com completely. For more information, see IndieAuth.

Empty Session Errors
If you are seeing strange error messages about empty sessions, you may have blocked cookies! Make sure you allow cookies from indieauth.com and whatever service provider you are using.

Why is my https domain not working?
Q: Why does entering just my domain name (which automatically redirects http to https) not work in IndieAuth?

A: To log in with indieauth as a domain served over HTTPS, you have to type the whole URL, including https://, otherwise most implementations will assume HTTP, and HTTP to HTTPS redirects are considered insecure (especially important for purposes of authentication!)

Why am I getting "insecure redirect" errors?

 * If you get an error about an insecure redirect, check to see whether your silo link is going to https://yoursite which is in turn redirecting to http://yoursite. (Dreamwidth is an example of a site that does this.)  If so, change the link to go directly to http://yoursite

How do I use a specific other site for my IndieAuth
See IndieAuth.

Is it good to delegate auth to 3rd parties
Is it good to delegate authentication to third parties like Facebook or Twitter for IndieAuth?

IndieAuth.com only relies on third parties for ephemeral authentication, once per IndieAuth login attempt. Because the reliance is only ephemeral/transactional, the delegation is ok. It's not great, but it's ok, and certainly better than directly using (Facebook Connect) or the equivalents for other silos.

IndieAuth.com also provides better UI flow and fallbacks than OpenID, while re-using the OAuth flow that users are familiar with from Twitter, Github etc., so it's an incremental improvement over other open identity solutions.

What if I have more than one domain
IndieAuth.com requires symmetric rel=me links on your page and the OAuth provider profile page, and since most silos (like Github and Twitter) only allow you to put one rel=me link on your profile, you cannot use any one profile for multiple domains. There are a few alternatives:


 * use one account for one domain and another account for another domain.
 * use an alternative method for as many domains as you control:
 * email (via emailed one time short code for the user to enter)
 * PGP key authorization

Why not use a DNS TXT record
Q: Why not allow configuring a rel=me link by adding a DNS TXT record to the domain?

A: Two reasons:
 * Usability. In order to use a DNS TXT record you would first need to be aware of how to create such an entry for your domain's DNS zone file - something most users have zero interest in or knowledge of, but you would also then need to put something like a PGP Public Key so that anyone trying to auth to your site would then be able to use to sign their request. Again, very few folks would be able to implement that.
 * Security. The main reason is that the TXT record would be a request to a different server that is not serving your domain and it would not be behind SSL. Whereas rel=me links in the HTML of a home page at least can be protected with https, even if they're not to start with.

Why not OpenID Email etc
See: Why web sign-in.

Why not WebFinger
Why not add WebFinger support to IndieAuth?

"'The problem is it's too easy to not own your email address (@gmail.com, etc) so it's not really an 'indie' identifier. The point of IndieAuth is to encourage people to own their online identity.'"

Do I need a silo account
Q: Do I need an account on some third party silo to use it?

Short answer: no. You can use PGP or a self-hosted IndieAuth service.

Longer answer: you do not need a silo account to use IndieAuth, e.g. you may set it up with PGP or a self-hosted IndieAuth service.

However, the vast majority of people already have silo accounts, and most people who have their own websites already have visible hyperlinks to their silo profiles, thus the easiest way to get most people setup with IndieAuth is using RelMeAuth by adding rel=me to their silo hyperlinks, and configuring their silo profiles to link back to their personal website.

And despite using a silo, there is little downside because the use is ephemeral (the site using IndieAuth has no idea which silo used to verify your personal site identity), and there are a number of advantages for most folks:
 * UX familiarity. Most users are already familiar with the authentication flow of signing into a site or app with Twitter or GitHub (or even Facebook has a similar flow.
 * security. Silos have a much larger security staff (and with likely more expertise) than you do, and thus have likely secured their sign-in and authentication/authorization code and user flows much more than solution you would maintain yourself.
 * two-factor authentication (TFA) Most silo accounts can be secured with TFA which adds an additional degree of security, whereas the DIY IndieAuth solutions do not have such a capability, nor does anyone know of anyone who has implemented TFA on their personal site.

One potentially non-trivial downside (depends on the user) of using a silo account for authorization is that the silo account may be tracking your use of IndieAuth.com, and who knows what they will do with that data. The silo accounts do not see what services (like this wiki) that you sign-into however with IndieAuth.

Issues
See Also: https://github.com/aaronpk/IndieAuth.com/issues

Contact page support
Some sites (which? list examples below) have a separate /about or /contact page where they list all their other profiles with rel-me links, and then link to that separate page from their home page with rel=me. This is a valid way to support web-sign-in per the RelMeAuth spec.

However, IndieAuth.com does not currently support following one-deep rel-me links on people's sites to look for auth providers.

Note: Crawling the second level of links will add significant time to the "scan" part of IndieAuth.com. One optimization is to only crawl a second level link if it's on the same domain as the authenticating domain. This means you wouldn't be able to have the chain example.com -> about.me/example -> github.com/example, you'd have to have something like example.com -> example.com/about -> github.com/example. Aaronparecki.com 09:08, 1 September 2013 (PDT)
 * only the latter use-case has been seen (in microformats.org research) of "example.com -> example.com/about -> github.com/example"
 * a user may use about.me through a redirect, e.g.:
 * example.com --redirect--> about.me/example --rel=me link--> github.com/example

Sites in the wild with a contact page separate to the homepage


 * Add sites you find here …
 * Julian Foad (www.foad.me.uk) has rel=me links to & from a separate contact page (julian.foad.me.uk) which has the rel=me links to Twitter & Github.
 * Chris Roos tried (see https://github.com/aaronpk/IndieAuth.com/issues/48 )

Better Error Handling
My experience was that I had a slight URL mismatch when I first tried to set up IndieAuth, something like an http/https goof or having a trailing slash in one place and no trailing slash in the other. Whatever the problem, it prevented sign-in. I figured out that problem, but when I tried to sign back in, I got the error:

"Parameter 'profile' must be one of the rel=me links in the site specified in the 'me' parameter"

This didn’t make any sense to me, as a novice to IndieAuth. After several failed retries, I finally realized that IndieAuth.com had cached my old URL and needed me to rescan to pick up the corrected information. Once I did that, everything worked -- Eric Meyer

Two possible fixes here:


 * 1) Be more aggressive about rescanning for a domain that’s never worked, or had recent errors.  (Perhaps limited to certain types of errors.)
 * 2) Reword the error message to be less obscure and include some information about common ways to trigger the error and ways to address them.
 * 3) Parameter 'profile' must be ..." is a debugging message, not an error message. There is no mention of "parameter" or "profile" in any other user-facing aspect interaction of IndieAuth. This message needs to be replaced ASAP with a description in terms of what the user is doing. - Tantek 07:26, 18 September 2013 (PDT)
 * 4) What the heck is *actually* going wrong? I don't even know - we need to capture a technical description of the problem(s) that may be causing this message to occur so we can attempt to craft an actual actionable error message for the user. - Tantek 07:26, 18 September 2013 (PDT)

To do
Want to help? See if you can contribute to one or more of the following:
 *  Two Factor Auth (TFA) support  for providers that support it (e.g. Google)
 * See the WordPress Google Authenticator plugin for clues/patterns/source (PHP) showing how to do this.
 * See also Add Two-Factor Authentication To Your Website with Google Authenticator (Python examples)
 * Will Norris blogged about indie two-factor auth
 * Add support for one-level deep links like /contact (per RelMeAuth: users with separate contact pages algorithm and real world examples).
 * See also: https://github.com/aaronpk/IndieAuth.com/issues