This page describes using IndieAuth for authentication rather than authorization. In this case, no token endpoint or Micropub endpoint are needed.
In these examples, the following URLs will be used.
The site the user is signing in to is the IndieWebCamp wiki:
The user signing in is Aaron Parecki:
In this example, Aaron has delegated authorization to an external service:
Web Sign-In Form
The site contains a web sign-in form prompting the user to enter their URL to sign in. Upon submitting the form, the site begins the auth process by discovering the user's auth endpoint.
aaronparecki.com points to the authorization endpoint by specifying a rel value on the index page.
<link rel="authorization_endpoint" href="https://indieauth.com/auth">
TODO: What if no authorization_endpoint link can be found?
The authorization endpoint is responsible for requesting authorization from the user and generating an authorization code. To start the sign-in flow, the user's browser will be directed to the authorization endpoint.
Values are shown without URL encoding for readability.
Starting the sign-in flow, direct the user's browser to the authorization endpoint with the parameters for the request. This is usually done via a
https://indieauth.com/auth?me=https://aaronparecki.com/&
  redirect_uri=https://indiewebcamp.com/auth/callback&
  client_id=https://indiewebcamp.com&
  state=1234567890&
  response_type=id
(Note: if response_type is omitted, it is assumed to be "id")
The authorization server presents this information to the user, and when they approve, generates an authorization code and redirects the user to the redirect URI specified.
HTTP/1.1 302 Found
Location: https://indiewebcamp.com/auth/callback?code=xxxxxxxx&
  state=1234567890&
  me=https://aaronparecki.com/
The authorization server should present an interface describing the request being made. It must indicate:
The Redirect URI
Redirect URI verification
The site verifies the auth code by querying the authorization endpoint. To verify the auth code, the site makes a POST request to the authorization endpoint with the following values:
POST https://indieauth.com/auth
Content-type: application/x-www-form-urlencoded

code=xxxxxxxx&
  redirect_uri=https://indiewebcamp.com/auth/callback&
  client_id=https://indiewebcamp.com&
  state=1234567890
After the authorization server verifies that the redirect_uri, client_id and state match the code given, the response will include the "me" value corresponding to the user that signed in.
HTTP/1.1 200 OK
Content-Type: application/x-www-form-urlencoded

me=https://aaronparecki.com/
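The whole sign-in flow above (endpoint discovery, the authorization request, the callback, and code verification), written out as the site's side in Python. This is an added example, not code from the IndieWebCamp wiki or from indieauth.com: the endpoint, URLs, state and code value are the ones shown on the page, while the function names, the in-memory FakeAuthorizationServer that stands in for https://indieauth.com/auth so everything runs offline, the SAMPLE_INDEX_HTML, and the final same-host check on the returned me are assumptions of this example.

```python
"""Client (site) side of the IndieAuth authentication flow described above.

Added example; the HTTP transport is replaced by an in-memory fake
authorization server so the exchange can run offline.
"""
import secrets
import urllib.parse
from html.parser import HTMLParser

# Constructed stand-in for the index page at https://aaronparecki.com/ (not fetched).
SAMPLE_INDEX_HTML = (
    '<html><head><title>Aaron</title>'
    '<link rel="authorization_endpoint" href="https://indieauth.com/auth">'
    '</head><body>hello</body></html>'
)


class _AuthEndpointFinder(HTMLParser):
    """Collects the href of the first <link rel="authorization_endpoint">."""

    def __init__(self):
        super().__init__()
        self.endpoint = None

    def handle_starttag(self, tag, attrs):
        if tag != "link" or self.endpoint is not None:
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()
        if "authorization_endpoint" in rels and a.get("href"):
            self.endpoint = a["href"]


def discover_authorization_endpoint(index_html):
    """Return the advertised endpoint, or None (the page's open TODO case)."""
    finder = _AuthEndpointFinder()
    finder.feed(index_html)
    return finder.endpoint


def build_authorization_url(endpoint, me, client_id, redirect_uri, state):
    """Step 1: the URL the user's browser is sent to (response_type=id)."""
    params = {"me": me, "redirect_uri": redirect_uri, "client_id": client_id,
              "state": state, "response_type": "id"}
    return endpoint + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: pull the code out of the redirect; refuse a wrong or missing state."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state does not match the value this site sent")
    if "code" not in query:
        raise ValueError("callback carries no code")
    return query["code"][0]


def verify_code(endpoint, code, client_id, redirect_uri, state, post):
    """Step 3: POST the code back to the authorization endpoint and return 'me'.

    `post(url, form_body) -> (status, body)` is the transport; real code would
    make an HTTPS request here.
    """
    body = urllib.parse.urlencode({"code": code, "redirect_uri": redirect_uri,
                                   "client_id": client_id, "state": state})
    status, resp = post(endpoint, body)
    if status != 200:
        raise ValueError("authorization endpoint rejected the code: %s" % status)
    me = urllib.parse.parse_qs(resp).get("me", [None])[0]
    if not me:
        raise ValueError("no me value in the verification response")
    return me


class FakeAuthorizationServer:
    """Constructed stand-in for https://indieauth.com/auth (assumption): remembers
    what each code was issued for and confirms it only when the verification
    POST repeats redirect_uri, client_id and state exactly; codes are single use."""

    def __init__(self):
        self._issued = {}

    def approve(self, authorization_url, code="xxxxxxxx"):
        """The user approves the request; returns the Location the browser is sent to."""
        q = urllib.parse.parse_qs(urllib.parse.urlsplit(authorization_url).query)
        self._issued[code] = {k: q[k][0] for k in ("me", "redirect_uri", "client_id", "state")}
        return q["redirect_uri"][0] + "?" + urllib.parse.urlencode(
            {"code": code, "state": q["state"][0], "me": q["me"][0]})

    def post(self, url, body):
        q = {k: v[0] for k, v in urllib.parse.parse_qs(body).items()}
        rec = self._issued.pop(q.get("code"), None)
        if rec is None or any(rec[k] != q.get(k) for k in ("redirect_uri", "client_id", "state")):
            return 400, urllib.parse.urlencode({"error": "invalid_request"})
        return 200, urllib.parse.urlencode({"me": rec["me"]})


def sign_in(entered_me, index_html, client_id, redirect_uri, server, state=None):
    """Run the full flow and return the verified 'me' URL."""
    endpoint = discover_authorization_endpoint(index_html)
    if endpoint is None:
        raise ValueError("no authorization_endpoint link found on the user's page")
    state = state or secrets.token_urlsafe(16)  # unguessable per-request value
    auth_url = build_authorization_url(endpoint, entered_me, client_id, redirect_uri, state)
    callback = server.approve(auth_url)  # browser comes back with the 302 Location
    code = parse_callback(callback, state)
    me = verify_code(endpoint, code, client_id, redirect_uri, state, server.post)
    # Added defensive check (assumption, not stated on the page): the confirmed
    # identity must be on the host whose page advertised the endpoint that was used.
    if urllib.parse.urlsplit(me).hostname != urllib.parse.urlsplit(entered_me).hostname:
        raise ValueError("returned me is on a different host than the one entered")
    return me
```

Each of the three values the page says the authorization server matches against the code (redirect_uri, client_id, state) is checked in `FakeAuthorizationServer.post`, and the site itself checks state before trusting the callback; a real deployment would only replace `post` with an HTTPS request and keep `state` in the user's session between steps 1 and 2.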