If you are building a website and need to sign people in, you can use IndieAuth.com to handle web sign-in so that you don't have to implement OAuth code for each provider.
<form action="https://indieauth.com/auth" method="get"> <label for="indie_auth_url">Web Address:</label> <input id="indie_auth_url" type="text" name="me" placeholder="yourdomain.com" /> <p><button type="submit">Sign In</button></p> <input type="hidden" name="client_id" value="https://example.com/" /> <input type="hidden" name="redirect_uri" value="https://example.com/auth" /> </form>
https://indieauth.com/auth, or download the source and run your own server).
After the user enters their domain in the sign-in form and submits, indieauth.com goes and scans their domain looking for rel="me" links from providers it knows about (see Supported Providers above). It also verifies that the third-party website links back to the user's domain with a rel="me" link as well.
If everything is successful, the user will be redirected back to the redirect_uri you specified in the form. There will be a token in a query string parameter,
At this point you need to verify the code which will also return the domain name of the authenticated user. Make a POST request to indieauth.com/auth with the code and all the original parameters of the request, and you will get back the domain name of the authenticated user.
POST https://indieauth.com/auth HTTP/1.1 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 code=gk7n4opsyuUxhvF4& redirect_uri=https://example.com/auth& client_id=https://example.com/
An example successful response:
HTTP/1.1 200 OK Content-Type: application/x-www-form-urlencoded;charset=UTF-8 me=http://aaronparecki.com/
An example error response:
HTTP/1.1 404 Not Found Content-Type: application/x-www-form-urlencoded;charset=UTF-8 error=invalid_request& error_description=The+code+provided+was+not+valid
At this point you know the domain belonging to the authenticated user. You can store the domain secure session and log the user in with their domain name identity. You don't need to worry about whether they authenticated with Google, Twitter or Github, their identity is their domain name! You won't have to worry about merging duplicate accounts or handling error cases when Twitter is offline.