Today I just launched support for BlueSky as a new authentication option in IndieLogin.com!
IndieLogin.com is a developer service that allows users to log in to a website with their domain. It delegates the actual user authentication out to various external services, whether that is an IndieAuth server, GitHub, GitLab, Codeberg, or just an email confirmation code, and now also BlueSky.
This means if you have a custom domain as your BlueSky handle, you can now use it to log in to websites like indieweb.org directly!

Alternatively, you can add a link to your BlueSky handle from your website with a rel="me atproto" attribute, similar to how you would link to your GitHub profile from your website.
<a href="https://example.bsky.social" rel="me atproto">example.bsky.social</a>
This is made possible thanks to BlueSky's support of the new OAuth Client ID Metadata Document specification, which was recently adopted by the OAuth Working Group. This means as the developer of the IndieLogin.com service, I didn't have to register for any BlueSky API keys in order to use the OAuth server! The IndieLogin.com website publishes its own metadata, which the BlueSky OAuth server can fetch. This is the same client metadata that an IndieAuth server will parse as well! Aren't standards fun!
The hardest part about the whole process was probably adding DPoP support. Actually creating the DPoP JWT wasn't that bad, but the tricky part was handling the DPoP server nonces sent back. I do wish we had a better solution for that mechanism in DPoP, but I remember the reasoning for doing it this way and I guess we just have to live with it now.
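The two pieces mentioned above, building the DPoP proof JWT and retrying when the server demands a nonce, look roughly like this. This is an added example for Node.js, not IndieLogin.com's code; the `send` transport callback, the `mockServer` stand-in, the URL and the nonce value are all constructed for illustration.

```javascript
// Added example: DPoP proof (RFC 9449) plus the server-nonce retry, token-endpoint case.
const nodeCrypto = require("node:crypto");
const b64u = (v) => Buffer.from(v).toString("base64url");
const unb64u = (s) => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));

// Constructed client key pair; the proof carries only the public half as a JWK.
const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
const { kty, crv, x, y } = publicKey.export({ format: "jwk" });

// Build a DPoP proof bound to one HTTP method and URL (htu: no query or fragment).
function dpopProof(htm, htu, nonce) {
  const header = { typ: "dpop+jwt", alg: "ES256", jwk: { kty, crv, x, y } };
  const payload = { jti: nodeCrypto.randomUUID(), htm, htu, iat: Math.floor(Date.now() / 1000) };
  if (nonce) payload.nonce = nonce; // only present once the server has issued one
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  // JWS ES256 needs the raw r||s signature, not DER
  const sig = nodeCrypto.sign("sha256", Buffer.from(input), { key: privateKey, dsaEncoding: "ieee-p1363" });
  return `${input}.${b64u(sig)}`;
}

// Send with the cached nonce; on use_dpop_nonce, retry once with a fresh proof.
// `send(headers)` is a hypothetical transport returning { status, headers, body }.
function dpopRequest(send, htm, htu, cache) {
  let res = send({ DPoP: dpopProof(htm, htu, cache.nonce) });
  if (res.headers["dpop-nonce"]) cache.nonce = res.headers["dpop-nonce"];
  if (res.status === 400 && res.body.error === "use_dpop_nonce") {
    res = send({ DPoP: dpopProof(htm, htu, cache.nonce) }); // new jti and iat each time
    if (res.headers["dpop-nonce"]) cache.nonce = res.headers["dpop-nonce"];
  }
  return res;
}

// Hypothetical stand-in for an authorization server: checks signature, then nonce.
function mockServer(expectedNonce) {
  return (headers) => {
    const [h, p, s] = headers.DPoP.split(".");
    const key = nodeCrypto.createPublicKey({ key: unb64u(h).jwk, format: "jwk" });
    const ok = nodeCrypto.verify("sha256", Buffer.from(`${h}.${p}`),
      { key, dsaEncoding: "ieee-p1363" }, Buffer.from(s, "base64url"));
    if (!ok) return { status: 400, headers: {}, body: { error: "invalid_dpop_proof" } };
    if (unb64u(p).nonce !== expectedNonce)
      return { status: 400, headers: { "dpop-nonce": expectedNonce }, body: { error: "use_dpop_nonce" } };
    return { status: 200, headers: {}, body: { access_token: "constructed-token" } };
  };
}
```

The nonce cache should be kept per server, since the authorization server and a resource server each issue their own nonces.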
This was a fun exercise in implementing a bunch of the specs I've been working on recently!
- OAuth 2.1
- DPoP
- Client ID Metadata Document
- Pushed Authorization Requests
- OAuth for Browser-Based Apps
- Protected Resource Metadata
Here's the link to the full ATProto OAuth docs for reference.
