IndieAuth - IndieWebCamp
What is IndieAuth
IndieAuth is a way to use your own domain name to sign in to websites. It's like OpenID, but works with services you probably already use!
The #1 reason to setup IndieAuth is because you've found this wiki, and setting up IndieAuth will allow you to login and contribute to the community, including doing common things like:
- Add a link on your home page to your various social profiles with the attribute
- Ensure your profiles link back to your home page
- Enter your domain in a "Web Sign-In" box to being using your own domain as your online identity!
Use IndieAuth for your OpenID
To use indieauth.com as an OpenID delegate for the OpenID identifier of your site, add the following two link tags to the HTML (inside the
element) of your website, replacing "aaronparecki.com" with your domain of course.
- IndieAuth is an implementation of Web sign-in/RelMeAuth with an HTTP API
- indieauth.com is the primary implementation used by most people currently
Why is my https domain not working?
Q: Why does entering just my domain name (which automatically redirects http to https) not work in IndieAuth?
A: To log in with indieauth as a domain served over HTTPS, you have to type the whole URL, including https://, otherwise most implementations will assume HTTP, and HTTP to HTTPS redirects are considered insecure (especially important for purposes of authentication!)
Why is Twitter not working
While there are several reasons why Twitter might not working for IndieAuth sign-in, here are some common things to look for:
- Be sure you link from your site to your https (note the s) Twitter profile URL. E.g.:
- As of 2014-01 we are seeing occasional SSL errors trying to fetch profiles from twitter.com. Until this is resolved, you may wish to try using another provider such as Google+ or Github.
Why am I getting "insecure redirect" errors?
- If you get an error about an insecure redirect, check to see whether your silo link is going to https://yoursite which is in turn redirecting to http://yoursite. (Dreamwidth is an example of a site that does this.) If so, change the link to go directly to http://yoursite
Why is Google+ not working
- Ensure you add your website under your "Other Profiles" section on your Google+ profile. Google only adds the rel=me markup for your "Other Profiles"
- Ensure that your "Other Profiles" section has permissions set to "Public"
Why is IndieAuth and GitHub Pages not playing nicely?
Are you getting a funny error when trying to log into IndieAuth with credentials hosted on your Github Pages powered website? This is likely due to an outdated DNS record!
- Change your DNS record to point to the latest IP address that github pages uses. For obvious security reasons, you are going to have to find the correct IP addresses on this page: https://help.github.com/articles/setting-up-a-custom-domain-with-pages#setting-up-dns
What is happening is that if your DNS record points to the old github pages IP address, it sometimes 301 redirects to `/` which is non-standard and IndieAuth does not currently support relative URLs when discovering credentials. See this issue: https://github.com/aaronpk/IndieAuth/issues/46#issuecomment-34565297
Github also wrote a blog post about this change, which many people missed: https://github.com/blog/1715-faster-more-awesome-github-pages
How do I make my site do the authorization itself
For how to do distributed or delegated IndieAuth, see distributed-indieauth.
How do I use a specific other site for my IndieAuth
IndieAuth is part of the Indie Web movement to take back control of your online identity. Instead of logging in to websites as "you on Twitter" or "you on Facebook", you should be able to log in as just "you". We should not be relying on Twitter or Facebook to provide our authenticated identities, we should be able to use our own domain names to log in to sites everywhere.
IndieAuth was built to make it as easy as possible for users and for developers to start using this new way of signing in on the web, without the complexities of OpenID.
Is it good to delegate auth to 3rd parties
Is it good to delegate authentication to third parties like Facebook or Twitter for IndieAuth?
IndieAuth only relies on third parties for ephemeral authentication, once per IndieAuth login attempt. Because the reliance is only ephemeral/transactional, the delegation is ok. It's not great, but it's ok, and certainly better than directly using (Facebook Connect) or the equivalents for other silos.
IndieAuth also provides better UI flow and fallbacks than OpenID, while re-using the OAuth flow that users are familiar with from Twitter, Github etc., so it's an incremental improvement over other open identity solutions.
Why not OpenID Email etc
See: Why web sign-in.
Why not WebFinger
Why not add WebFinger support to IndieAuth?
"The problem is it's too easy to not own your email address (@gmail.com, etc) so it's not really an "indie" identifier. The point of IndieAuth is to encourage people to own their online identity."
See Frequently Asked Questions for more FAQs.
The IndieAuth API
The IndieAuth API lets you support RelMeAuth logins without writing all the OAuth code for each provider!
The IndieAuth source code is available on Github. Feel free to fork it and submit pull requests if you make any changes!
Please open specific bugs and action items on the IndieAuth Github project. This page is for collecting thoughts that may not yet be action items or for things that apply to the IndieAuth protocol in general rather than the indieauth.com implementation.
Contact page support
Some sites (which? list examples below) have a separate /about or /contact page where they list all their other profiles with rel-me links, and then link to that separate page from their home page with rel=me. This is a valid way to support web-sign-in per the relmeauth spec.
However, IndieAuth does not currently support following one-deep rel-me links on people's sites to look for auth providers.
Note: Crawling the second level of links will add significant time to the "scan" part of indieauth. One optimization is to only crawl a second level link if it's on the same domain as the authenticating domain. This means you wouldn't be able to have the chain example.com -> about.me/example -> github.com/example, you'd have to have something like example.com -> example.com/about -> github.com/example. Aaronparecki.com 09:08, 1 September 2013 (PDT)
- only the latter use-case has been seen (in microformats.org research) of
example.com -> example.com/about -> github.com/example
- a user may use about.me through a redirect, e.g.:
- example.com --redirect--> about.me/example --rel=me link--> github.com/example
Sites in the wild with a contact page separate to the homepage
- Add sites you find here
Goal: IndieAuth should at least support consuming an OpenID provided by an indieweb server itself (i.e. perhaps ignore any OpenID delegation). Being a self-hosted OpenID provider enables the independent to completely avoid any silo dependency, even ephemeral, for authentication.
IndieAuth used to support consuming OpenID as well as web-sign-in.
There were strange problems with consuming OpenIDs from various OpenID providers
- Why does IndieAuth not consume OpenID?
- were these only problems with delegated OpenIDs?
- with which providers (that were delegated to)?
- were these only problems with delegated OpenIDs?
What were these specific issues? Let's document them here:
- server/URL - errors encountered
Github Issue: https://github.com/aaronpk/IndieAuth/issues/16
- The token can be sent to IndieAuth without TLS (or the docs make it appear so) such a request should be refused (*not* redirected) to prevent DNS poisoning, MITM, and race-condition attacks.
Need Simple Copy Paste How To
The explanation in http://waterpigs.co.uk/articles/indiewebcamp-signin-ux/ provides a list of three lengthy descriptions of what you need to setup IndieAuth, which was then subsequently criticized as "this is not a straightforward process" in the post: http://aralbalkan.com/notes/on-evolving-indieauth/
Thus we need a a simple copy paste how to that is not three lengthy descriptions.
Any explanation of how to use IndieAuth needs to start with a 1-2 sentence summary. No more.
Explanations for IndieAuth need to be at least as simple to understand as those for Twitter Sign-in and Facebook Connect.
Selectively Displaying rel-me Info
Selectively Displaying rel-me Info (e.g. hiding your phone number).
Tantek points out that he would like to be able to use SMS auth on IndieAuth, but doesn't want his cell phone number public on his site. 
Ideally your site would know that the request was coming from an (your?) IndieAuth server, and only render your phone number if so.
This would require either
- some sort of pre-registration with the indieauth server so your site could verify a shared secret
- crypto signing with public keys so that pre-registration is not required
Here is a potential example flow.
- Sign in once to your IndieAuth server
- Click a "generate shared secret" button, which is some 128-bit string that the IndieAuth server stores internally on your user record.
- You take the string and add some code like this to your home page:
if header['IndieAuth-Secret'] == shared_secretwhich checks to see if the secret is passed in an HTTP header called "IndieAuth-Secret".
2 public key
- The IndieAuth server publishes its public key in its own h-card like
- When the IndieAuth server makes a request to fetch the HTML of your home page, it also adds an HTTP header which is a signature of the IndieAuth server hostname, your domain name and the timestamp. It would send three additional headers:
IndieAuth-signature: signature of indieauth.com;example.com;1378052578(Format is a placeholder, in reality we might use something closer to the JSON web token format or something)
- When your server gets the request for your home page, it can read the IndieAuth-server header to discover which server is making the request, then go fetch its public key.
- It would then compute the signature of the three pieces of information and verify that the signature passed in the header matches, at which point it can render the private info.
Please document here if there is some other existing mechanism that can solve this!
A potential workaround is putting your phone number in a
tag in your HTML head so that it isn't visible to viewers of your web page. (Currently aaronparecki.com does this.) While this doesn't actually prevent a person from seeing your phone number, it is at least an unlikely place for them to look.
Better Error Handling
My experience was that I had a slight URL mismatch when I first tried to set up IndieAuth, something like an http/https goof or having a trailing slash in one place and no trailing slash in the other. Whatever the problem, it prevented sign-in. I figured out that problem, but when I tried to sign back in, I got the error:
Parameter "profile" must be one of the rel=me links in the site specified in the "me" parameter
This didn’t make any sense to me, as a novice to IndieAuth. After several failed retries, I finally realized that IndieAuth.com had cached my old URL and needed me to rescan to pick up the corrected information. Once I did that, everything worked -- Eric Meyer
Two possible fixes here:
- Be more aggressive about rescanning for a domain that’s never worked, or had recent errors. (Perhaps limited to certain types of errors.)
- Reword the error message to be less obscure and include some information about common ways to trigger the error and ways to address them.
- Parameter 'profile' must be ..." is a debugging message, not an error message. There is no mention of "parameter" or "profile" in any other user-facing aspect interaction of IndieAuth. This message needs to be replaced ASAP with a description in terms of what the user is doing. - Tantek 07:26, 18 September 2013 (PDT)
- What the heck is *actually* going wrong? I don't even know - we need to capture a technical description of the problem(s) that may be causing this message to occur so we can attempt to craft an actual actionable error message for the user. - Tantek 07:26, 18 September 2013 (PDT)
Want to help? See if you can contribute to one or more of the following:
- Two Factor Auth (TFA) support for providers that support it (e.g. Google)
- Add support for one-level deep links like /contact (per RelMeAuth: users with separate contact pages algorithm and real world examples).
- create an Architecture Diagram for IndieAuth per Mozilla Security Blog: Speeding Up Security Reviews
- create a Detailed Application Diagram for IndieAuth per the same.
- write-up Data flow enumeration per the same.
- write-up a Threat Analysis per the same.
- 2012-06-24: Aaron Parecki gave a talk on IndieAuth at Portland's Open Source Bridge 2012 conference! Tuesday June 26th at 4:45pm
- 2013-08-13: Aaron Parecki gave a talk on IndieAuth at the W3C Workshop on Social Business
- 2014-05-06: Aaron Parecki held a session at Internet Identity Workshop XVIII
July 29th, 2014