IndieWebCamp is a 2-day creator camp focused on growing the independent web

authorization-endpoint


An authorization endpoint is an HTTP endpoint that micropub and IndieAuth clients can use to identify a user or obtain an authorization code to be able to post to their website.

Contents

Endpoint Discovery

Check the user's website for a link with a rel-value of "authorization_endpoint":

<link rel="authorization_endpoint" href="http://indieauth.example.org/">

Use this URL as endpoint for processing.

If no authorization_endpoint link can be found, the IndieAuth client software may fall back to e.g. indieauth.com by using https://indieauth.com/auth as URL.

TODO: MUST HTTP links be supported?

Using an Authorization Service

You can use an existing authorization service such as indieauth.com if you don't want to build your own authorization service.

Creating an Authorization Endpoint

An authorization endpoint must be able to both generate authorization codes as well as verify authorization codes.

Identification header

The endpoint MUST return a

IndieAuth: authorization_endpoint

header for all requests.

It can be used to verify that it's really an endpoint

Generating Authorization Codes

Verifying Authorization Codes

FAQ

Why are auth codes verified with a POST instead of a GET

If auth codes are sent as a GET request in the query string, they may leak to log files or the HTTP "referer". The decision was made by the OAuth 2.0 working group to use POST requests and the HTTP Authorization header for sending these sensitive tokens and auth codes.

Can the authorization codes be used more than once

No, the authorization code must not be used more than once. If the code is used more than once, the authorization server must deny the request.[1] A maximum lifetime of 10 minutes is recommended for the authorization codes, although many implementations have a lifetime of 30-60 seconds.

Can I add additional parameters for the authorization request

No, but you can use the "state" parameter to encode or reference additional application-specific parameters. The state parameter will be passed around and was designed for this purpose as well as to prevent CSRF attacks.

Does the auth server have to support the state parameter

Yes, the state parameter can be used by the client to maintain state between the request and the callback, so the auth server must support it. It is also used to prevent CSRF attacks.

Software implementing the authorization endpoint spec

See Also