IndieAuth for Developers

Using IndieAuth.com to sign users in to your website

If you are building a website and need to sign people in, you can use IndieAuth.com to handle web sign-in so that you don't have to implement the OAuth flow for each provider yourself.

1. Create a Web Sign-in form

<form action="https://indieauth.com/auth" method="get">
  <label for="indie_auth_url">Web Address:</label>
  <input id="indie_auth_url" type="text" name="me" placeholder="yourdomain.com" />
  <p><button type="submit">Sign In</button></p>
  <input type="hidden" name="client_id" value="https://example.com/" />
  <input type="hidden" name="redirect_uri" value="https://example.com/auth" />
</form>

Parameters

  • action: Set the action of the form to your IndieAuth service (you can use https://indieauth.com/auth, or download the source and run your own server).
  • me: The "me" parameter is the URL (domain) that the user enters.
  • client_id: Set the client_id in a hidden field to let indieauth.com know the home page URL of the application the user is signing in to.
  • redirect_uri: Set the redirect_uri in a hidden field to let indieauth.com know where on your site to redirect back to after authentication is complete. The same value must be sent again when verifying the code in step 4.


2. The user logs in with their domain

After the user enters their domain in the sign-in form and submits, indieauth.com fetches their domain and scans it for rel="me" links to providers it knows about (see Supported Providers above). It also verifies that the third-party profile links back to the user's domain with a rel="me" link, so a one-way link from the domain alone is not enough.


3. The user is redirected back to your site

https://example.com/auth?code=gk7n4opsyuUxhvF4

If everything is successful, the user will be redirected back to the redirect_uri you specified in the form. The authorization code will be in the query string parameter code. On its own this code proves nothing about who the user is; your site learns the identity only by verifying the code in the next step.


4. Verify the authorization code with indieauth.com

At this point you need to verify the code, which will also return the domain name of the authenticated user. Make a POST request to https://indieauth.com/auth with the code and the same client_id and redirect_uri that were used in the original request, and you will get back the domain name of the authenticated user.

POST https://indieauth.com/auth HTTP/1.1
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

code=gk7n4opsyuUxhvF4&
redirect_uri=https://example.com/auth&
client_id=https://example.com/

An example successful response:

HTTP/1.1 200 OK
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

me=http://aaronparecki.com/

An example error response:

HTTP/1.1 404 Not Found
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

error=invalid_request&
error_description=The+code+provided+was+not+valid


5. Done!

At this point you know the domain belonging to the authenticated user. You can store the domain in a secure session and log the user in with their domain name as their identity. You don't need to worry about whether they authenticated with Google, Twitter or GitHub: their identity is their domain name! You won't have to worry about merging duplicate accounts or handling error cases when Twitter is offline.
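The whole relying-party side of steps 1 to 5, as an added example that is not IndieAuth.com's own code. It builds the sign-in URL from step 1, handles the redirect from step 3 by reading only the code from the query string, POSTs the code back with the same client_id and redirect_uri in step 4, and returns the verified identity or the endpoint's error. The endpoint is reached through a swappable transport so the example runs offline against a constructed stand-in for indieauth.com; that stand-in treats a code as single-use, which is an assumption of this example, not something the page states. CLIENT_ID, REDIRECT_URI, the function names and the canonicalization rules for the returned me URL are all assumptions of the example.

```python
"""Relying-party side of IndieAuth.com web sign-in (steps 1-5).

Added example; not IndieAuth.com's code. CLIENT_ID, REDIRECT_URI,
fake_indieauth_endpoint and all function names are assumed here.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple
from urllib.parse import urlencode, parse_qs, urlsplit, urlunsplit
import urllib.error
import urllib.request

AUTH_ENDPOINT = "https://indieauth.com/auth"
CLIENT_ID = "https://example.com/"         # assumed: this app's home page
REDIRECT_URI = "https://example.com/auth"  # assumed: where step 3 lands

# A transport POSTs a form body to a URL and returns (status, body).
Transport = Callable[[str, bytes], Tuple[int, bytes]]


def sign_in_url(me: str) -> str:
    """Step 1 as a URL: exactly what the GET form in the page submits."""
    query = {"me": me, "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI}
    return AUTH_ENDPOINT + "?" + urlencode(query)


def http_post(url: str, body: bytes) -> Tuple[int, bytes]:
    """Real transport. HTTP error responses (the 404 in the page) are returned,
    not raised, so the caller can still parse the error=... body."""
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def canonical_me(me: str) -> Optional[str]:
    """Normalize the identity URL the endpoint returned, or None if unusable.
    Assumed rules: http(s) only, host required and lower-cased, empty path
    becomes "/", and userinfo, query or fragment parts are rejected."""
    parts = urlsplit(me)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.username or parts.password or parts.query or parts.fragment:
        return None
    try:
        port = parts.port
    except ValueError:          # e.g. "https://example.com:abc/"
        return None
    host = parts.hostname.lower() + (f":{port}" if port else "")
    return urlunsplit((parts.scheme, host, parts.path or "/", "", ""))


@dataclass
class SignInResult:
    me: Optional[str] = None
    error: Optional[str] = None
    error_description: Optional[str] = None

    @property
    def ok(self) -> bool:
        return self.me is not None


def verify_code(code: str, post: Transport = http_post) -> SignInResult:
    """Step 4: POST the code with the original client_id and redirect_uri."""
    body = urlencode({"code": code, "redirect_uri": REDIRECT_URI,
                      "client_id": CLIENT_ID}).encode()
    status, raw = post(AUTH_ENDPOINT, body)
    fields = {k: v[0] for k, v in parse_qs(raw.decode("utf-8", "replace")).items()}
    if status != 200 or "error" in fields:
        return SignInResult(error=fields.get("error", "server_error"),
                            error_description=fields.get("error_description",
                                                         f"HTTP {status}"))
    me = canonical_me(fields.get("me", ""))
    if me is None:
        return SignInResult(error="invalid_response",
                            error_description="no usable me= URL returned")
    return SignInResult(me=me)


def handle_redirect(query_string: str, post: Transport = http_post) -> SignInResult:
    """Steps 3-5: serve GET /auth?code=... Only `code` is read from the query;
    the identity comes solely from the verification response."""
    code = parse_qs(query_string).get("code", [""])[0]
    if not code:
        return SignInResult(error="invalid_request", error_description="missing code")
    return verify_code(code, post)


def fake_indieauth_endpoint(codes: dict) -> Transport:
    """Constructed stand-in for indieauth.com so this runs offline. Mimics the
    page's responses: 200 me=... for a known code, 404 error=invalid_request
    otherwise. Single-use codes are an assumption of this example."""
    def post(url: str, body: bytes) -> Tuple[int, bytes]:
        sent = {k: v[0] for k, v in parse_qs(body.decode()).items()}
        same_client = (sent.get("client_id") == CLIENT_ID
                       and sent.get("redirect_uri") == REDIRECT_URI)
        me = codes.pop(sent.get("code"), None) if same_client else None
        if me is None:
            return 404, urlencode({"error": "invalid_request",
                                   "error_description": "The code provided was not valid"}).encode()
        return 200, urlencode({"me": me}).encode()
    return post


if __name__ == "__main__":
    endpoint = fake_indieauth_endpoint({"gk7n4opsyuUxhvF4": "http://aaronparecki.com/"})
    print(sign_in_url("aaronparecki.com"))
    print(handle_redirect("code=gk7n4opsyuUxhvF4", endpoint))  # verified identity
    print(handle_redirect("code=gk7n4opsyuUxhvF4", endpoint))  # replayed code: error
```

In production, pass no transport so http_post talks to the real endpoint; the session should be created only from a SignInResult whose ok is true, and the stored identity should be the canonicalized me value, never anything the browser supplied in the redirect.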