IndieAuth is built on ideas and technology from existing proven technologies like OAuth and OpenID but makes it easier for users as well as developers. It decentralizes much of the process so completely separate implementations and services can be used for each part.
If you’re familiar with writing an OAuth client, then you’re familiar with the problem of having to register your client manually with each OAuth provider. IndieAuth uses DNS as a replacement for client registration, thereby eliminating the need for any manual registration with providers.
Note: IndieAuth is often conflated with the IndieAuth.com service provider. The first is the subject of this page: the way the IndieAuth protocol works. The second is a service that provides an authorization endpoint, and was also previously used by this wiki until the wiki switched to using indielogin.com.
By choosing your IndieAuth provider, you can tell applications where to send you to sign in. This gives you more control over the privacy and security of your logins.
Most Micropub clients use IndieAuth to log you in, obtaining your authorization by directing you to your chosen IndieAuth server. This allows you to use your own website to log in to the tools you use to post content.
IndieAuth is part of taking back control of your online identity. Instead of logging in to websites as “you on Twitter” or “you on Facebook”, you should be able to log in as just “you”. We should not be relying on silos to provide our authenticated identities; we should be able to use our own personal domains to log in to sites everywhere.
You can use it right now to log in to this wiki and contribute to the community, including doing common things like:
- Adding yourself to chat-names after joining one of our discussion channels, and
- RSVP to an upcoming event.
How it works
Basic flow with a user signing in to a (web) app
- The user fills in his/her personal URL. This is called Web sign-in.
- The app fetches the URL, looking for an authorization endpoint. For this, the user can use IndieAuth.com, but it can also be at their own domain. The app redirects the user to their authorization endpoint.
- The user authenticates at their own authorization endpoint. IndieAuth.com uses RelMeAuth to authenticate users, but if a user uses an authorization endpoint on his/her own site, it can be a password, e-mail link, or any other authentication mechanism the authorization endpoint provides. They prove their identity to their authorization endpoint while the app waits for them to complete.
- The authorization endpoint issues a temporary authorization code, and sends it to the app by redirecting the user’s browser back to the app.
- The app checks the code with the authorization endpoint, and if the code is valid and if the user’s identifier matches the identifier the authorization endpoint gives, the login is completed, and the user can enter and use the app.
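The five steps above, as an added example in Python that is not code from the wiki or from any implementation it lists: the authorization endpoint and the app are both stand-ins in one process, the browser redirects and the code-verification request are replaced by function calls, and the URLs (user.example, app.example) are made up. It shows the three checks the last two steps rest on: the code is single-use and bound to the client_id and redirect_uri it was issued to, the state must match the one the app generated, and the endpoint's me must match the URL the user typed in step 1.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Authorization endpoint side: an in-memory stand-in constructed for this
# example; a real endpoint would persist codes with a short expiry.
_issued_codes = {}  # code -> (client_id, redirect_uri, me)


def issue_code(me, client_id, redirect_uri, state):
    """Step 4: after the user authenticated, mint a one-time code bound to the
    requesting client_id/redirect_uri and build the redirect back to the app."""
    code = secrets.token_urlsafe(24)
    _issued_codes[code] = (client_id, redirect_uri, me)
    return redirect_uri + "?" + urlencode({"code": code, "state": state})


def verify_code(code, client_id, redirect_uri):
    """Step 5, endpoint side: a code is accepted once, and only from the same
    client_id/redirect_uri it was issued to. Returns the user's URL or None."""
    entry = _issued_codes.pop(code, None)
    if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
        return None
    return entry[2]


def begin_login(me, client_id, redirect_uri, authorization_endpoint):
    """Steps 1-2, app side: redirect to the user's discovered endpoint with a
    fresh state value that the app keeps in the user's session."""
    state = secrets.token_urlsafe(16)
    params = {"me": me, "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return state, authorization_endpoint + "?" + urlencode(params)


def complete_login(callback_url, expected_state, me_entered, client_id, redirect_uri):
    """Step 5, app side: check state, redeem the code, and accept the login only
    if the endpoint's `me` matches the URL the user typed in step 1."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        return None  # not a response to a request this session started
    code = query.get("code", [None])[0]
    if code is None:
        return None
    # A real client sends code, client_id and redirect_uri to the
    # authorization endpoint over HTTPS; here that is a direct call.
    returned_me = verify_code(code, client_id, redirect_uri)
    if returned_me is None or returned_me.rstrip("/") != me_entered.rstrip("/"):
        return None
    return returned_me
```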
If all you’re trying to do is log in to the wiki, then you may not need to set up IndieAuth at all! Instead, you can just link to your existing Twitter or GitHub accounts and the wiki will use those to authenticate you! See indielogin.com/setup for more details.
Set up using IndieAuth.com
IndieAuth.com is a service that allows you to sign in as your site by using your social media profiles. Your homepage and social media profiles need to link to each other for verification. Instead of registering for an account at indieauth.com, it uses your existing social media accounts to verify you own the URL you’re signing in as.
- Add rel-me links to your homepage for various ways to reach you,
- Make sure any social media profiles you linked to have a link back to your homepage.
- Finally, include `<link rel="authorization_endpoint" href="https://indieauth.com/auth">` on your homepage.
You are done! Try to log in to a site that supports IndieAuth, such as:
These services should redirect you to your chosen IndieAuth endpoint to sign in, which in this case is indieauth.com.
Set up in WordPress
If you use WordPress, you can install the WordPress IndieAuth Plugin which provides a built-in IndieAuth server.
Set up your own IndieAuth provider
The following people have an authorization endpoint on their own domain:
- Martijn van der Ven
- Kristof De Jaeger
- The WordPress IndieAuth Plugin provides a self-contained IndieAuth server for WordPress
- Known provides a built-in IndieAuth server
- The Drupal IndieWeb module provides a self-contained IndieAuth server for Drupal
- selfauth is a single-user authorization endpoint implemented in a single PHP file
- https://glitch.com/~befitting-price is a nodejs port of selfauth written for nodejs running on glitch.com
- Micro.blog implements IndieAuth for all hosted micro.blog subdomains as well as verified sites.
- IndieAuth.com is an implementation of Web sign-in/RelMeAuth with an HTTP API
- IndieAuth.com is a common authorization server implementation used by many people
- Acquiescence is a simple IndieAuth authorization and token endpoint. It is currently limited to GitHub for authorization. Barry Frost uses Acquiescence on his website.
- https://glitch.com/~cellar-door is a nodejs implementation with tests and h-card support (GitHub project).
- dobrado provides a built-in IndieAuth server.
- Microblog.pub implements IndieAuth endpoints (authorization and token endpoint) with U2F support, and you can use your ActivityPub identity to log in to other websites/apps.
- The IndieAuth Plugin for Grav adds IndieAuth support to a Grav website.
- commentpara.de provides IndieAuth identities to anyone wishing to log in to a website anonymously.
- indieauth-openid converts an existing OpenID setup to work with IndieAuth
Most Micropub apps use IndieAuth to allow the app to post to your site.
IndieLogin.com is a service that consumes IndieAuth. It authenticates users using IndieAuth, RelMeAuth, email and PGP, wrapping all the logic in a simple API. It is a very easy way to get started consuming IndieAuth logins.
The IndieAuth.com service provides an authorization endpoint to bootstrap your Micropub server development. It lets you authenticate via GitHub, email, and PGP. Eventually this will be replaced with a new service, MyIndieAuth.com, although development of that service has not yet begun.
Historically, IndieAuth.com also provided an API for developers to use to authenticate users, though this is being phased out in favor of IndieLogin.com.
The IndieAuth.com source code is available on GitHub.
There are a growing number of web sites that you can log in to using IndieAuth and gain additional functionality:
- Most Micropub clients use IndieAuth to sign in
- This site! Signing-in with IndieAuth enables you to edit the wiki!
- https://unicyclic.com is a reader that you can sign in to with IndieAuth.
- Monocle, Together, Indigenous (iOS and Android): these readers require IndieAuth to sign in
- OwnYourGram enables you to copy your Instagram photos to your website
- OwnYourSwarm enables you to copy your Swarm checkins to your website
A user should only have to communicate their own homepage URL to the website they are trying to log in to. This is the core idea of Web sign-in. This means a developer should in their turn be able to find everything they need on that one user-supplied URL.
Discovery from the User’s Homepage
IndieAuth defines two new rel values for this. A user can simply link to the endpoints they want to use from their homepage, add the correct rel value and be done. An example would be to link to them in the head section of their HTML.
Developers can discover these endpoints using traditional HTML or Microformats parsing.
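As an added example that is not code from the wiki or from any implementation it lists: a constructed homepage carrying the two IndieAuth rel values in its head, together with a small Python discovery routine of the kind the paragraph above describes. The homepage URL and endpoint values are made up, and refusing a non-https endpoint is this example's own stricter choice (the spec only inherits the OAuth 2.0 recommendation).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample homepage (not from the wiki): the two IndieAuth rel
# values in <head>, next to the rel="me" links RelMeAuth would use.
SAMPLE_HOMEPAGE = """<!DOCTYPE html>
<html><head>
<link rel="authorization_endpoint" href="https://indieauth.com/auth">
<link rel="token_endpoint" href="/token">
<link rel="me" href="https://github.com/example-user">
</head><body><p>Hello</p></body></html>"""

INDIEAUTH_RELS = ("authorization_endpoint", "token_endpoint")


class RelLinkParser(HTMLParser):
    """Collect rel -> [href, ...] from <link> and <a> elements in document order."""
    def __init__(self):
        super().__init__()
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        if tag not in ("link", "a"):
            return
        attr = dict(attrs)
        href = attr.get("href")
        if not href:
            return
        for rel in (attr.get("rel") or "").split():  # rel is space-separated
            self.rels.setdefault(rel, []).append(href)


def discover_endpoints(html, page_url):
    """Return {rel: absolute URL} for the IndieAuth rels found on a homepage.

    The first occurrence of each rel wins and relative hrefs are resolved
    against the page URL. A non-https endpoint is refused (example's choice).
    """
    parser = RelLinkParser()
    parser.feed(html)
    found = {}
    for rel in INDIEAUTH_RELS:
        hrefs = parser.rels.get(rel)
        if not hrefs:
            continue
        url = urljoin(page_url, hrefs[0])
        if not url.startswith("https://"):
            raise ValueError(f"{rel} must use https, got {url}")
        found[rel] = url
    return found
```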
The Authorization Endpoint
See authorization-endpoint for implementation details.
The authorization endpoint is a page where applications can send users to, asking them to identify themselves. Because the user defines their own endpoint on their homepage, this can be part of their own website or a completely separate service. This is how the user provides proof they really operate the homepage URL they provided.
An application can also ask the user to grant it certain rights by requesting them through the authorization endpoint. A Micropub client might ask to be allowed create rights. The user can then either accept these or not when they have been redirected to their endpoint.
For developers, the authorization endpoint also functions as a verification service. If they get a code from a user they can check its validity with the endpoint to make sure it was truly issued by the user.
Third Party Services
- IndieAuth.com has an authorization endpoint that lets you use silo accounts like GitHub or simple alternatives like email as authentication options. Use the URL https://indieauth.com/auth as your value for rel="authorization_endpoint".
- commentpara.de allows anyone to (anonymously or pseudonymously) log in to websites supporting IndieAuth by using https://commentpara.de/ as their homepage.
- See Implementations above for more details, or to find if your platform already has a built-in option.
- selfauth is an authorization endpoint in PHP made to be easy to deploy.
- Acquiescence is an authorization endpoint in Ruby developed and used by Barry Frost.
- Known enables an authorization endpoint when the IndiePub plugin is turned on.
- WordPress IndieAuth Plugin provides an authorization endpoint to WordPress sites.
- dobrado provides an authorization endpoint.
The Token Endpoint
See token-endpoint for implementation details.
The token endpoint is a service that creates access tokens for applications to store and use in Micropub requests. After authorizing the application, the token endpoint creates a token that the application stores. The application will send it in a header when making a Micropub request, and the Micropub endpoint is expected to be able to validate the token while processing the request.
Third Party Services
- IndieAuth.com has a token endpoint. Use the URL https://tokens.indieauth.com/token as your value for rel="token_endpoint".
- Acquiescence is a token endpoint in Ruby developed and used by Barry Frost.
- Known enables a token endpoint when the IndiePub plugin is turned on.
- WordPress IndieAuth Plugin provides a token endpoint to WordPress sites.
- dobrado provides a token endpoint.
The IndieAuth.com FAQ is here:
Feel free to add more questions here that seemed to be asked more than once.
How is IndieAuth different from OpenID Connect
Do I need a silo account
No silo accounts are required for IndieAuth services, but some may choose to use them as an authentication method.
Do I need to enter my URL every time
Q: Do I need to enter my URL every time I log in to an app that uses IndieAuth?
Yes, like traditional username/password forms, you need to enter your URL when you log in to an app. Browsers will remember the URL you enter and suggest it through their normal autofill mechanisms.
Can anyone supply the URL as the client ID when they make the request?
Yes, just like you can find someone’s client ID and supply that in the request with a public client in OAuth 2.0.
In OAuth 2.0 there is the idea of public vs. confidential clients; public clients are those where a secret can’t be kept, like native apps.
A secret already can’t be used when it is deployed in native apps in traditional OAuth 2.0, so we’re just taking the idea of public clients, doing all the protections that you would have to do with public clients, and extending that to all clients.
Should I use HTTPS
The IndieAuth specification is an extension of OAuth 2.0, and OAuth 2.0 recommends using https URLs for everything. IndieAuth doesn’t provide any new reason to require or not require https, so it delegates this recommendation to OAuth 2.0.
Why do I see form-encoded responses
IndieAuth originally used standard form-encoding for requests and responses, since it has been a standard encoding format since the beginning of the web.
Over time, implementations added support for sending JSON responses as well as form-encoded. When IndieAuth was written up as a formal OAuth 2.0 extension, it documented only the JSON responses in order to be compatible with OAuth 2.0. At that point, most implementations already supported JSON responses, or did content negotiation to support both formats.
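An added example in Python, not code from the wiki or from any implementation it lists, that serves both the token endpoint section above and this FAQ entry: a Micropub endpoint checking a bearer token against the answer it got from the token endpoint, where that answer may arrive form-encoded or as JSON. The two verification responses are constructed (user.example, app.example are made up), and the function takes the token endpoint's reply as an argument instead of making the HTTP request itself.

```python
import json
from urllib.parse import parse_qs

# Constructed token-endpoint verification responses (not real service output):
# the same token information, once form-encoded and once as JSON.
FORM_RESPONSE = ("application/x-www-form-urlencoded",
                 "me=https%3A%2F%2Fuser.example%2F&client_id=https%3A%2F%2Fapp.example%2F"
                 "&scope=create+update")
JSON_RESPONSE = ("application/json",
                 '{"me": "https://user.example/", "client_id": "https://app.example/",'
                 ' "scope": "create update"}')


def parse_token_info(content_type, body):
    """Decode the token endpoint's answer in whichever encoding it chose."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/json":
        return {k: str(v) for k, v in json.loads(body).items()}
    if media_type == "application/x-www-form-urlencoded":
        return {k: v[0] for k, v in parse_qs(body).items()}
    raise ValueError("unexpected content type: " + media_type)


def bearer_token(authorization_header):
    """Return the token from an `Authorization: Bearer ...` header, else None."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer":
        return None
    return token.strip() or None


def micropub_authorize(authorization_header, verify_response, site_me, required_scope):
    """Decide whether a Micropub request may proceed. verify_response is the
    (content_type, body) pair the token endpoint returned when asked about the
    bearer token. Returns (ok, reason or client_id)."""
    if bearer_token(authorization_header) is None:
        return False, "no bearer token"
    info = parse_token_info(*verify_response)
    if info.get("me", "").rstrip("/") != site_me.rstrip("/"):
        return False, "token was issued for a different user"
    if required_scope not in info.get("scope", "").split():
        return False, "insufficient scope"
    return True, info.get("client_id", "")
```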
How can an application get additional information about the user
The IndieAuth specification offers the user’s profile page where further public information about the user can be found, e.g. by parsing an h-card. There is currently no common way of retrieving private information.
How is this any different than OpenID 1.0?
OpenID 1.0 solved a lot of the same problems as this, and then those problems kind of got pushed by the wayside when OpenID Connect came around.
With OpenID 1.0, the whole idea was bring your own identity. In fact, it was only the “prove the identity” aspect. It didn’t include anything around OAuth, which is about the ability to get something that can be used to access an API. OpenID 1.0 only solved the first half of that.
So yes, the original goals of OpenID 1 absolutely apply. OpenID Connect chose to ignore individual identity and instead, switched to where enterprises issue identities and everybody is siloed off and the issuer controls the identity.
Does this use Webfinger for discovery?
IndieAuth uses even fewer steps than Webfinger. Currently, in all IndieAuth applications the user enters their full URL, which the application then fetches, looking at HTTP and HTML link rels to find the appropriate endpoints.
If you wanted to have a user type in an email address to start out with, you would then need to use something like WebFinger to turn that into URL first.
We don’t see a lot of that being done right now in the things that are running today.
If you have no pre-existing registration, how are you identifying yourself?
Clients are all identified by a URL. In the OAuth 2.0 world, the primary thing that client registration gives you is that it ensures the system exchanging the code is actually the same system the code was issued to.
So instead of pre-registration, registration is DNS. An application will be running at example.com; that’s already an identifier that’s unique in the system, so it is used as the identifier, and if we need to find out information about the app we can go and look it up at that URL.
Where do I get user information from?
On that last step of the authentication flow, you get a reference to the user who’s been identified. You can use this to extract an h-card that’ll tell you everything that the user chooses to share publicly with you. This can include their name, e-mail, photo and a username that they’d prefer to use.
For issues about the IndieAuth spec, please see the IndieAuth GitHub project.
For issues with the IndieAuth.com service, please see the IndieAuth.com GitHub project.
Older discussions and brainstorming have been moved to IndieAuth-brainstorming.
Talks and Demos
- 2018-12-10 IndieAuth: OAuth for the Open Web at the W3C Strong Authentication and Identity Workshop
- 2018-07 OAuth.io included IndieAuth in a presentation at API Days in San Francisco
- 2016-09-24 Sebastian Lasse had a demo showing the use of protocol handlers to keep the “me” in the browser (video) at IWC Brighton
- 2014-05-06: Aaron Parecki held a session at Internet Identity Workshop XVIII
- 2013-08-13: Aaron Parecki gave a talk on IndieAuth at the W3C Workshop on Social Business
- 2012-06-24: Aaron Parecki gave a talk on IndieAuth at Portland’s Open Source Bridge 2012 conference! Tuesday June 26th at 4:45pm
- 2018-10-24 Aaron Parecki: Identity for the Decentralized Web with IndieAuth (archived)
- 2018-07-07 Aaron Parecki: OAuth for the Open Web (archived)
- 2018-07-02 Manton Reece: IndieAuth for Micro.blog (archived)
- 2018-01-23 Aaron Parecki: WebSub and IndieAuth Published on w3.org! (archived)
- 2016-08-30 Aaron Parecki: IndieAuth (archived) and sub-chapters on OAuth.com: