2.1.2 IndieAuth

In a world in which everyone owns their own identity, how shall we authenticate one another? OAuth 2.0 has become increasingly common, but suffers from a few shortcomings that make it unsuitable for use on the Indieweb.

In the first place, the protocol requires an app to register with the authorization server it will use (see the OAuth 2.0 RFC, section 2). This makes sense when, say, building a Facebook app or a Twitter app, but breaks down in a world in which everyone is their own authorizing authority.

The second issue is simply that OAuth 2.0 is not an authentication protocol; it is a protocol designed to authorize applications to access resources on a principal's behalf. Without augmenting the protocol in some way, the app receives nothing that identifies the user, only a grant of permission to carry out certain operations on the resource provider.

This led Aaron Parecki and others to develop a related protocol, IndieAuth. Here, your identity is your domain name. When you wish to authenticate with a site, you no longer pick one of a few silos ("sign in with Google", "sign in with Facebook", and so forth) but instead provide your domain name. The site fetches your page (or, at least, its head) to discover your IndieAuth provider endpoints.

From there, the flow largely proceeds in the same manner as OAuth, with the additional step that the authorization endpoint returns not only a token but also a canonical URL identifying the user. The full authorization flow is described here.

This is an important step forward, but making everyone on the Indieweb responsible for implementing an authentication server would not be very practical. Fortunately, there are multiple standalone implementations available, beginning with IndieAuth.com, an IndieAuth authentication service that allows one to authenticate using either one's existing social media accounts or a PGP keypair, even (or, perhaps, especially) when using a static site.

In order to integrate with IndieAuth.com, the site author needs to add a link to each account to the home page with the attribute rel="me", and ensure that those accounts list the home page in their profiles:

<ul>
  <li>
    <a href="https://twitter.com/jdoe" rel="me">Twitter</a>
  </li>
  <li>
    <a href="https://github.com/jdoe" rel="me">Github</a>
  </li>
  ...
</ul>
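The two steps described above, endpoint discovery from the head of a page and checking that each rel="me" link is reciprocated by the linked profile, as an added example in Python that is not part of this manual or of IndieAuth.com. The home page, the profile pages and the endpoint URLs are constructed inline, and fetch is a stand-in for an HTTP client.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed sample pages; nothing is fetched from the network.
HOME_URL = "https://example.com/"
HOME_HTML = """<html><head>
<link rel="authorization_endpoint" href="https://indieauth.com/auth">
<link rel="token_endpoint" href="https://tokens.indieauth.com/token">
</head><body><ul>
<li><a href="https://twitter.com/jdoe" rel="me">Twitter</a></li>
<li><a href="https://github.com/jdoe" rel="me">Github</a></li>
</ul></body></html>"""
PROFILES = {  # what fetching each linked profile page would return
    "https://twitter.com/jdoe": '<a rel="me" href="https://example.com">Home</a>',
    "https://github.com/jdoe": '<a href="https://other.example">site</a>',  # no link back
}

def rels_of(html):
    # Collect (rel, href) pairs from <link> and <a> elements, rel values lowercased.
    found = []
    class P(HTMLParser):
        def handle_starttag(self, tag, attrs):
            a = dict(attrs)
            if tag in ("link", "a") and a.get("href") and a.get("rel"):
                found.extend((r.lower(), a["href"]) for r in a["rel"].split())
    P().feed(html or "")
    return found

def canonical(url):
    # Normalise scheme/host case and an empty path before comparing URLs.
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", "", ""))

def discover_endpoints(html):
    # Discovery step: first authorization/token endpoint advertised by the page.
    found = {}
    for rel, href in rels_of(html):
        if rel in ("authorization_endpoint", "token_endpoint"):
            found.setdefault(rel, href)
    return found

def verified_me_links(home_url, home_html, fetch=PROFILES.get):
    # Trust a rel=me link only when the profile page links back to home_url.
    good = []
    for rel, href in rels_of(home_html):
        if rel == "me":
            back = {canonical(h) for r, h in rels_of(fetch(href)) if r == "me"}
            if canonical(home_url) in back:
                good.append(href)
    return good
```

The one-directional GitHub link is rejected, which is the point of the reciprocity requirement: a page can claim any profile, but only a profile that links back proves the same person controls both.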

This manual will cover the details for a sample site; see below.