If you are building a website and need to sign people in, you can use IndieLogin.com to handle all the complicated parts.
Users will identify themselves with their website, and can authenticate using one of the supported authentication providers such as Twitter, GitHub, GitLab, Codeberg, or email. The user ID returned to you will be their website, ensuring that you don't end up creating multiple accounts depending on how the user authenticates.
<form action="https://indielogin.com/authorize" method="get">
<label for="url">Web Address:</label>
<input id="url" type="text" name="me" placeholder="yourdomain.com" />
<p><button type="submit">Sign In</button></p>
<input type="hidden" name="client_id" value="https://example.com/" />
<input type="hidden" name="redirect_uri" value="https://example.com/redirect" />
<input type="hidden" name="state" value="0f512fa8a1c35599da5302b8" />
<input type="hidden" name="code_challenge" value="IUOQwm1DM_vprDKyiwYOmTRcEhcNEPszEstfsPmwWRE" />
<input type="hidden" name="code_challenge_method" value="S256" />
</form>Note: You can also generate these parameters server-side and send them as an HTTP redirect instead of building a form.
action: Set the action of the form to this service (https://indielogin.com/authorize) or download the source and run your own server.me: (optional) The me parameter is the URL that the user enters. If you leave this out, then this website will prompt the user to enter their URL.client_id: Set the client_id in a hidden field to let this site know the home page of the application the user is signing in to.redirect_uri: Set the redirect_uri in a hidden field to let this site know where to redirect back to after authentication is complete. It must be on the same domain as the client_id.state: You should generate a random value that you will check after the user is redirected back, in order to prevent certain attacks.code_challenge: Generate a random string between 43-128 characters, then generate a SHA256 hash and base64-url encode that to create the code_challenge. You can use example-app.com/pkce to test your work.code_challenge_method=S256: Set to S256 to indicate the hash method used.prompt=login: (optional) If this parameter is present in the request, this website will not remember the user's previous session and will require that they authenticate from scratch again.After the user enters their domain in the sign-in form and submits, IndieLogin.com will scan their website looking for rel="me" links from providers it knows about (see Supported Providers).
They will authenticate using one of the supported providers, such as authenticating with their own IndieAuth server, logging in on GitHub, or verifying a temporary code sent to their email address.
https://example.com/redirect?state=0f512fa8a1c35599da5302b8&code=59793a91e25f7a59894185ce7a64ff06edd0a6375ed45b21684ef3f586cf0d4b&iss=https%3A%2F%2Findielogin.com%2F
If everything is successful, the user will be redirected back to the redirect_uri you specified in the form. You'll see three parameters in the query string, state, iss, and code. Check that the state matches the value you set originally, and check that iss matches https://indielogin.com/ in order to confirm the redirect is coming from the legitimate website.
At this point you need to exchange the authorization code which will return the website of the authenticated user. Make a POST request to https://indielogin.com/token with the code, client_id, redirect_uri, and code_verifier, and you will get back the full website of the authenticated user.
POST https://indielogin.com/token HTTP/1.1 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Accept: application/json code=59793a91e25f7a59894185ce7a64ff06edd0a6375ed45b21684ef3f586cf0d4b& redirect_uri=https://example.com/redirect& client_id=https://example.com/& code_verifier=8203421945e4b0a62e0bd8d1076ec77c13e0e3cf0e04042d435ebf5e
An example successful response:
HTTP/1.1 200 OK
Content-Type: application/json
{
"me": "https://aaronparecki.com/"
}
An example error response:
HTTP/1.1 400 Bad Request
Content-Type: application/json
{
"error": "invalid_request",
"error_description": "The code provided was not valid"
}
At this point you know the website belonging to the authenticated user.
You can store the website in a secure session and log the user in as their website identity. You don't need to worry about whether they authenticated with Twitter, Github, GitLab, Codeberg, or email address, their identity is their website! You won't have to worry about merging duplicate accounts or managing OAuth credentials at these platforms.
