IndieAuth: Sign in with your domain name

What is IndieAuth?

IndieAuth is a way to use your own domain name to sign in to websites. It's like OpenID, but simpler! It works by linking your website to one or more authentication providers such as Twitter or Google, then entering your domain name in the login form on websites that support IndieAuth.


Why IndieAuth?

IndieAuth is part of the Indie Web movement to take back control of your online identity. Instead of logging in to websites as "you on Twitter" or "you on Facebook", you should be able to log in as just "you". We should not be relying on Twitter or Facebook to provide our authenticated identities; we should be able to use our own domain names to log in to sites everywhere.

IndieAuth was built to make it as easy as possible for users and for developers to start using this new way of signing in on the web, without the complexities of OpenID.


How to Set Up IndieAuth

  • Add a link on your home page to your various social profiles with the attribute rel="me"
  • Ensure your profiles link back to your home page
  • Enter your domain in a "Web Sign-In" box to begin using your own domain as your online identity!
Full setup instructions

Authentication providers currently supported by IndieAuth.com

  • Github
  • Twitter
  • Google
  • App.net
  • SMS
  • Persona
  • Geoloqi
  • Foursquare
  • Facebook

Using IndieAuth.com to sign users in to your website

1. Create a Web Sign-in form

<form action="http://indieauth.com/auth" method="get">
  <label for="indie_auth_url">Web Address:</label>
  <input id="indie_auth_url" type="text" name="me" placeholder="yourdomain.com" />
  <p><button type="submit">Sign In</button></p>
  <input type="hidden" name="redirect_uri" value="http://example.com/auth" />
</form>

Parameters

  • action: Set the action of the form to an IndieAuth service such as http://indieauth.com/auth, or download the source and run your own IndieAuth server.
  • method: The request method of the form should be "get"
  • me: The "me" parameter is the website address that the user enters
  • redirect_uri: Set the redirect_uri in a hidden field to let indieauth.com know where to redirect back to after authentication is complete


2. The user logs in with their domain

After the user enters their domain in the sign-in form and submits, indieauth.com scans their domain for rel="me" links to providers it knows about (see the supported providers list above). It also verifies that the third-party profile links back to the user's domain with a rel="me" link.
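The two-way rel="me" check described above, sketched as an added example (this is not IndieAuth.com's own code). The function names, the `.example` URLs and the sample pages are constructed for illustration, and already-fetched pages are passed in as a dict so the check runs offline.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class RelMeParser(HTMLParser):
    """Collect href values of <a> and <link> elements whose rel contains "me"."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        rels = (attr.get("rel") or "").lower().split()  # rel is a space-separated list
        if "me" in rels and attr.get("href"):
            self.links.append(attr["href"])

def rel_me_links(html):
    """Return every rel="me" target found in an HTML document, in page order."""
    parser = RelMeParser()
    parser.feed(html)
    return parser.links

def normalize(url):
    """Assumed comparison rule: lowercase host plus path without a trailing slash."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower(), parts.path.rstrip("/")

def verified_profiles(home_url, home_html, profile_pages):
    """Return profiles the home page links to AND that link back to home_url."""
    me = normalize(home_url)
    verified = []
    for profile_url in rel_me_links(home_html):
        page = profile_pages.get(profile_url)  # stand-in for fetching the profile
        if page is not None and any(normalize(b) == me for b in rel_me_links(page)):
            verified.append(profile_url)
    return verified

# Constructed sample pages: the home page claims two profiles, only one links back.
HOME = (
    '<a href="https://provider.example/alice" rel="me">profile</a>'
    '<a href="https://provider.example/bob" rel="me nofollow">claimed</a>'
    '<a href="https://provider.example/other">no rel</a>'
)
PAGES = {
    "https://provider.example/alice": '<a rel="nofollow me" href="http://alice.example/">site</a>',
    "https://provider.example/bob": '<a rel="me" href="http://bob.example/">site</a>',
}
```

The back link is what carries the proof: anyone can put a rel="me" link to someone else's profile on their own home page, but only the profile's owner can make it point back.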


3. The user is redirected back to your site

http://example.com/auth?token=gk7n4opsyuUxhvF4

If everything is successful, the user will be redirected back to the redirect_uri you specified in the form. There will be a token in a query string parameter, token.


4. Verify the token with indieauth.com

At this point you need to use the token to find out the domain name of the authenticated user. Simply make a request to indieauth.com/verify with the token, and you will get back the domain name of the authenticated user.

http://indieauth.com/verify?token=gk7n4opsyuUxhvF4

An example successful response:

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8

{
  "me": "http://aaronparecki.com/"
}

An example error response:

HTTP/1.1 404 Not Found
Content-Type: application/json;charset=UTF-8

{
  "error": "invalid_token",
  "error_description": "The token provided was not found"
}


5. Done!

At this point you know the domain belonging to the authenticated user. You can store the domain and/or the token in a secure session and log the user in with their domain name identity. You don't need to worry about whether they authenticated with Google, Twitter or GitHub; their identity is their domain name! You won't have to worry about merging duplicate accounts or handling error cases when Twitter is offline.
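Steps 3 to 5 as a redirect_uri handler, given as an added example rather than code from IndieAuth.com. The function names, the length cap on the token and the dict used as a session are assumptions; the endpoint, parameter names and responses are the ones shown above.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

VERIFY_URL = "http://indieauth.com/verify"  # endpoint as given on this page
MAX_TOKEN_LEN = 256                         # assumed sanity limit, not from the page

def http_get(url):
    """Return (status, body) for a GET; error statuses are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8")

def verify_token(token, fetch=http_get):
    """Exchange the token from the redirect for the authenticated domain.

    Returns the "me" URL on success and None on any failure.
    """
    if not token or len(token) > MAX_TOKEN_LEN:
        return None                          # reject before making a request
    url = VERIFY_URL + "?" + urllib.parse.urlencode({"token": token})
    status, body = fetch(url)
    if status != 200:
        return None                          # e.g. 404 with error "invalid_token"
    try:
        me = json.loads(body).get("me")
    except (ValueError, AttributeError):     # not JSON, or not a JSON object
        return None
    return me if isinstance(me, str) and me else None

def handle_callback(query_string, session, fetch=http_get):
    """Log the user in only with the identity returned by the verify request.

    Anything else in the query string, including a "me" parameter, is ignored.
    """
    params = urllib.parse.parse_qs(query_string)
    me = verify_token(params.get("token", [""])[0], fetch)
    if me is None:
        return False
    session["me"] = me                       # session is a plain dict in this sketch
    return True
```

Passing a different `fetch` function lets the handler be exercised against canned responses without contacting the service.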

Frequently Asked Questions

How is this different from OpenID?

The goals of OpenID and IndieAuth are similar. Both encourage you to sign in to a website using your own domain name. However, OpenID has failed to gain wide adoption, at least in part due to the complexities of the protocol. IndieAuth is a simpler implementation of a similar goal, by leveraging other OAuth providers and behaviors that people are already accustomed to.

Yes, your rel="me" links do not need to be visible, but the HTML does need to be on your home page. You can hide the links with CSS.

Does this require users to have their own domain name?

Yes, the assumption is that people are willing to own their online identities in the form of a domain name. It is getting easier and easier to host content on your own domain name. See "Getting Started on the Indie Web" for some suggestions, including mapping your domain to a Tumblr blog, or signing up for a simple web hosting service like Dreamhost.

But doesn't this make me dependent on your site, indieauth.com?

You are more than welcome to run this software on your own website! We continue to host indieauth.com for convenience, for people who don't want to invest the time to write OAuth code for providers over and over again. However, you are encouraged to run this software on your own site if you would like to support IndieAuth logins! Feel free to run your own IndieAuth server by downloading the source code, or you can implement the RelMeAuth protocol directly.

I run an authentication provider, how can I be added to the "supported providers" list?

We gladly welcome new providers! The goal is to support as many as possible so users are not reliant on any one in particular. Here is what you need to do to be supported by IndieAuth.

  • Ensure your users have a way to enter their website address in the "profile" section of your website.
  • When displaying the HTML rendering of a user's page, ensure the rel="me" attribute is set on the link.
  • Write an Omniauth plugin to handle authenticating with your API, and submit it to the List of Omniauth Strategies page.
  • Integrate the new provider into the IndieAuth source code, or just open an issue with your request.

The History of IndieAuth

IndieAuth is an implementation of RelMeAuth, originally proposed by Tantek Çelik in February 2010. The original algorithm was described in a short text update on Tantek's website. Later that evening, Jeff Lindsay and Paul Tarjan implemented RelMeAuth in an open source Python library at Hacker Dojo and discussed/tested it in IRC. Tantek later launched a RelMeAuth prototype on his domain, which you can try out at tantek.com/relmeauth.

In 2011, we held the first IndieWebCamp in Portland. The registration process involved setting up OpenID on your own domain (or delegating your domain to an OpenID provider), and signing in to the IndieWebCamp Wiki and adding yourself to the guest list. Most people were able to successfully complete this intentional barrier to entry, but there were still parts that were cumbersome.

It was suggested that for the 2012 IndieWebCamp, we handle registrations via RelMeAuth instead, to slightly lower the barrier to entry. I shuddered at facing the daunting task of writing multiple OAuth clients as MediaWiki extensions in order to properly support RelMeAuth. It was then that the idea of IndieAuth.com was born.

What I needed was to write the RelMeAuth and OAuth client code once and be able to use it on any website needing authentication from here on out. I decided to build IndieAuth.com as a hosted service that anyone can easily use if they want to support RelMeAuth logins. By abstracting out the rel="me" and OAuth client logic into a very simple HTTP+JSON interface, it is now possible to quickly write a web page needing authentication by relying on IndieAuth.com to do the legwork.

In March 2012, I built a prototype of the site and gave a quick explanation in the #indiewebcamp IRC channel. A few days later, I launched this site on indieauth.com!