#indieauth
-
Greg McVerry
http://jgregorymcverry.com/
•
Mar 23
we were looking at indieauth to include in thimble but passportjs warns folks not to use: http://bit.ly/2ns1xSV still true? #indieweb@jgmac1106 I don't know the state of that plugin, but you could just do it manually: https://indieauth.com/developers or https://indieweb.org/indieauth-for-login -
Day 86: Updating IndieAuth Docs #100DaysOfIndieWeb
Beginning a slow project of updating the docs about the IndieAuth spec, today I started by updating a few pages on the wiki. Right now, most of the docs about IndieAuth (the spec), and how to use it, live across a variety of pages on the wiki, grouped together at https://indieweb.org/Category:IndieAuth.
My goal with the spec IndieAuth is to make it an extension of the OAuth 2.0 spec. It has always been based off of the OAuth 2.0 spec, but I've never written it up properly as an extension. It's always been just a series of how-to guides. Additionally, I had originally started by specifying all of the responses being form-encoded responses, whereas the OAuth 2.0 spec says all responses must be JSON format. I've been slowly converting my various apps that use IndieAuth to support both, based on the HTTP Accept header, although I haven't publicized this much yet.
Today's project was updating the existing IndieAuth documentation on the wiki to explicitly include the JSON versions as a valid response format.
Eventually I hope to write up IndieAuth as a formal extension to OAuth 2.0, in the same format that something like the Device Flow is an extension.
-
Day 81: Removing SMS and Clef from IndieAuth.com #100DaysOfIndieWeb
Sadly, Clef is shutting down in a couple months. If you haven't heard of it, it was a clever way to use your email and a mobile app to sign in to websites. I had integrated Clef logins to indieauth.com as one way to authenticate your email address. Since they are shutting down in June, I am proactively removing it from the website right now.
The other method for authenticating your email address is is to receive a verification code sent to your address, which I will of course continue to support.
While I was in the code, I figured it was about time to retire SMS authentication as well. While conceptually receiving a code via SMS or email are equivalent, in practice this is not true. SMS is actually a pretty insecure protocol, and it's possible (and not that expensive) to intercept SMS messages to all phones in a nearby area if you have the right hardware.
So as of today, SMS authentication is no longer an option for indieauth.com, and you will have to receive verification codes sent to your email instead of using the Clef app. I may bring back SMS support in indieauth.com as a second factor authentication in the future.
Here is my list of providers I use now.
-
Day 73: Updated Documentation for indieauth.com #100DaysOfIndieWeb
Today I updated the documentation for indieauth.com to include a setup guide for using indieauth.com as your OpenID provider, and added more prominent links to the OpenID and PGP instructions in various places on the site.
The header bar and footer now include direct links to PGP and OpenID setup instructions. The main setup page also now links to the PGP setup page and includes an example of linking to your PGP key along with the other example providers.
I wrote a setup guide for configuring indieauth.com as an OpenID provider.
At this point, OpenID 1 is almost completely gone. There are only a few sites that still consume it, and most of the former major providers have all shut down. Quite a lot of people have migrated to using indieauth.com as their provider since it's one of the few remaining services online. Hopefully this new setup guide will make it even easier to find for people looking to migrate.
-
Joel Purra
https://joelpurra.com
•
Jan 9
Almost none, but still some; might selfhost =) Like the distributed concept, would like to see more usage! https://lwn.net/Articles/708151/@joelpurra I like the concept too! My goal with #indieauth is to use domains as identities (like OpenID) but using OAuth 2.0 techniques. -
Joel Purra
https://joelpurra.com
•
Jan 9
Will consider #indieauth, but negatively angled "why not #openid" info had (has) me thinking otherwise https://indieweb.org/OpenID@joelpurra There also seem to be almost no OpenID providers left except indieauth.com, since myopenid shut down.
-
Joel Purra
https://joelpurra.com
•
Jan 9
Will consider #indieauth, but negatively angled "why not #openid" info had (has) me thinking otherwise https://indieweb.org/OpenID@joelpurra Well I would never suggest anyone use OpenID 1 for anything new, but I can see how that's confusing. Will see if I can rephrase.
-
@joelpurra @oplife indieauth.com should still be running an OpenID provider. I just used it to sign in to StackOverflow yesterday!
