IndieAuth

IndieAuth Provider Status:
Github up
Google up
App.net up
Geoloqi up
Twitter up
Flickr down
Foursquare unsupported
Facebook unsupported

What is IndieAuth?

IndieAuth is an implementation of RelMeAuth with a REST API on top.

IndieAuth is a way to use your own domain name to sign in to websites. It's like OpenID, but simpler! It works by linking your website to one or more authentication providers such as Twitter or Google, then entering your domain name in the login form on websites that support IndieAuth.

Why IndieAuth?

IndieAuth is part of the Indie Web movement to take back control of your online identity. Instead of logging in to websites as "you on Twitter" or "you on Facebook", you should be able to log in as just "you". We should not be relying on Twitter or Facebook to provide our authenticated identities; we should be able to use our own domain names to log in to sites everywhere.

IndieAuth was built to make it as easy as possible for users and for developers to start using this new way of signing in on the web, without the complexities of OpenID.

Frequently Asked Questions

Why not OpenID, email, etc.?

See: Why web sign-in.

How to set up IndieAuth

  • Add a link on your home page to your various social profiles with the attribute rel="me"
  • Ensure your profiles link back to your home page
  • Enter your domain in a "Web Sign-In" box to begin using your own domain as your online identity!

The IndieAuth API

The IndieAuth API lets you support RelMeAuth logins without writing all the OAuth code for each provider!

Read the full documentation

Source Code

The IndieAuth source code is available on GitHub. Feel free to fork it and submit pull requests if you make any changes!

Issues

Twitter t.co

New Twitter users' "home page" or "web page" field on Twitter gets "t.co'd" which can interfere with IndieAuth.

Technically, per the RelMeAuth spec, IndieAuth should be following the t.co redirect but that doesn't appear to be working. (See Issue #7)
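The rel="me" check from "How to set up IndieAuth", including the shortened back-link case described under "Twitter t.co", as an added Python example (not IndieAuth's own code). The `.example` pages, the `REDIRECTS` table and all function names are constructed for illustration, and requiring rel="me" on the back-link as well is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class RelMeParser(HTMLParser):
    """Collect absolute hrefs of <a>/<link> elements whose rel list contains "me"."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.links = base_url, []
    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        rels = (attr.get("rel") or "").lower().split()
        if tag in ("a", "link") and "me" in rels and attr.get("href"):
            self.links.append(urljoin(self.base_url, attr["href"]))

def rel_me_links(html, base_url):
    parser = RelMeParser(base_url)
    parser.feed(html)
    return parser.links

def normalize(url):
    """Compare on scheme, lower-cased host, and path without a trailing slash."""
    u = urlsplit(url)
    return (u.scheme.lower(), (u.hostname or "").lower(), u.path.rstrip("/"))

def verified_profiles(home_url, fetch, resolve=lambda url: url):
    """Profiles home_url marks rel="me" that link back to it (after resolve() follows redirects)."""
    home, verified = normalize(home_url), []
    for profile in rel_me_links(fetch(home_url), home_url):
        back_links = rel_me_links(fetch(profile), profile)
        if any(normalize(resolve(link)) == home for link in back_links):
            verified.append(profile)
    return verified

# Constructed sample pages and redirect table (stand-ins for real HTTP requests).
HOME = "https://alice.example/"
PAGES = {
    HOME: '<a rel="me" href="https://social.example/alice">s</a>'
          '<a rel="me" href="https://code.example/alice">c</a>'
          '<a rel="me" href="https://photos.example/alice">p</a>',
    "https://social.example/alice": '<a rel="me nofollow" href="https://sho.rt.example/abc">web</a>',
    "https://code.example/alice": '<a rel="me" href="https://Alice.example">home</a>',
    "https://photos.example/alice": '<a rel="me" href="https://other.example/">home</a>',
}
REDIRECTS = {"https://sho.rt.example/abc": "https://alice.example/"}

def demo():
    fetch = lambda url: PAGES.get(url, "")
    return (verified_profiles(HOME, fetch),
            verified_profiles(HOME, fetch, lambda u: REDIRECTS.get(u, u)))
```

Without redirect resolution only the profile with a direct back-link verifies; with it, the profile whose back-link was shortened verifies too, while the profile pointing at a different site never does.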

OpenID support

Goal: IndieAuth should at least support consuming an OpenID provided by an indieweb server itself (i.e. perhaps ignore any OpenID delegation). Being a self-hosted OpenID provider enables the independent to completely avoid any silo dependency, even ephemeral, for authentication.

IndieAuth used to support consuming OpenID as well as web-sign-in.

There were strange problems with consuming OpenIDs from various OpenID providers.

What were these specific issues? Let's document them here:

  • server/URL - errors encountered
  • ...

To do

Want to help? See if you can contribute to one or more of the following:

Issues

  • The token can be sent to IndieAuth without TLS (or the docs make it appear so). Such a request should be refused (*not* redirected) to prevent DNS poisoning, MITM, and race-condition attacks.
  • Care should be taken by the client to ensure that no token is re-used (at least within some reasonable time-frame) to prevent replay attacks.

Talks

  • 2012-06-24: Aaron Parecki gave a talk on IndieAuth at Portland's Open Source Bridge 2012 conference! Tuesday June 26th at 4:45pm

See Also