💾 Archived View for blakes.dev › hdoc › jAH62VKrQYa6R2kkr_X7Hg.gmi captured on 2024-12-17 at 09:19:59. Gemini links have been rewritten to link to archived content
Source (manually imported from Hedgedoc)
[IndieAuth] provides a simple, standards-based way for websites to authenticate with a domain or web URL. To easily verify authenticity, we can let users show IndieAuth URLs as their username.
The following `<link>` HTML tags, `<meta>` tags, and HTTP headers MUST be used alongside the existing ones defined in the Discovery by Clients section of the IndieAuth spec.
This endpoint, which has no set path, MUST be queried as an IndieAuth token authenticated GET request. The server will introspect the token to determine the domain from the client ID and will sign a string made of the internationalized domain name [IDN], the ampersand `&`, and the original URL of the IndieAuth login. Should this fail for any reason, the server will respond with an appropriate error code and message; on success it responds `200 OK` with the signature, without the signed data, in unprefixed hexadecimal.
(This section is non-normative.)
```http
GET /indieauth/sign
Accept: text/plain
Authorization: Bearer cb9cd737e449...

---

200 OK
Content-Type: text/plain

4ac5236c6b1e435daaa8b6b78c9b3fff...
```
(Note that this section depends on FEP-888d.)
The following fields are declared in the namespace `https://w3id.org/fep/f9ec#`, which MAY be referred to with the compact IRI `indieauth:*`. To implement this FEP, these MUST be used on `Actor`s who have signed in with IndieAuth and opted in to displaying their login URL as their handle. If the ActivityPub server is a provider, it MUST NOT reference the server's provider.
Before displaying the IndieAuth-based handle for the first time, servers MUST verify that the signature is valid against the currently advertised key. This is the procedure for doing so.
1. The verifying server looks up the login referenced in the `preferredHandle` of the `Actor`.
   * When the handle has not yet been verified, the `authenticity_public_key` meta value or equivalent header (see IndieAuth extensions section above) MUST be present and configured.
   * If this handle has previously been verified but is now failing this check, the verifying server MAY choose to hide the handle and retry later, or it MAY choose to continue showing it until a few failed retries ("a few", in this case, is the maximum retries the server is configured for), after which it SHOULD consider the handle no longer verified and stop showing it.
2. The verifying server recomposes the signed data based on the known domain of the user and the `preferredHandle`.
3. The verifying server finally verifies the Ed25519 signature against the data and advertised public key.
* If this fails, the `preferredHandle` should stop being shown immediately and it MUST no longer be considered verified; instead, the server assumes that the use of the handle has been de-authorized. The server MAY notify the user (such as by email) that the signature is no longer valid and the user must sign in again to reauthorize it.
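The signing endpoint described in the IndieAuth extensions section and the three-step verification procedure above, as an added Go example that is not part of this FEP or of any implementation of it. It assumes the advertised `authenticity_public_key` is the raw 32-byte Ed25519 key in unprefixed hex, that the domain is handed in already in its canonical IDN form (signer and verifier must normalize it identically), and that a retry limit of 3 stands in for the server's configured maximum; the domain, login URL and `HandleState` type are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// signedData recomposes the string the provider signs (step 2 above):
// the user's domain, the ampersand, and the original IndieAuth login URL.
// Assumption: the domain is already in its canonical IDN form.
func signedData(domain, loginURL string) string {
	return domain + "&" + loginURL
}

// signHandle is the provider side: the body the signing endpoint returns,
// i.e. only the Ed25519 signature, as unprefixed hexadecimal.
func signHandle(priv ed25519.PrivateKey, domain, loginURL string) string {
	return hex.EncodeToString(ed25519.Sign(priv, []byte(signedData(domain, loginURL))))
}

// verifyHandle is the verifying server's step 3. pubHex is the advertised
// authenticity_public_key (assumed: raw 32 bytes in hex) and sigHex is the
// signature carried by the Actor. Malformed inputs are reported as errors
// rather than silently treated as "invalid signature".
func verifyHandle(pubHex, sigHex, domain, loginURL string) (bool, error) {
	pub, err := hex.DecodeString(strings.TrimSpace(pubHex))
	if err != nil {
		return false, fmt.Errorf("public key is not hex: %w", err)
	}
	if len(pub) != ed25519.PublicKeySize {
		return false, errors.New("public key has wrong length")
	}
	sig, err := hex.DecodeString(strings.TrimSpace(sigHex))
	if err != nil {
		return false, fmt.Errorf("signature is not hex: %w", err)
	}
	if len(sig) != ed25519.SignatureSize {
		return false, errors.New("signature has wrong length")
	}
	return ed25519.Verify(ed25519.PublicKey(pub), []byte(signedData(domain, loginURL)), sig), nil
}

// HandleState (constructed) tracks whether a handle is shown, following the
// failure rules in steps 1 and 3: lookup failures on a previously verified
// handle are tolerated up to a retry limit; a bad signature revokes at once.
type HandleState struct {
	Verified bool
	Failures int
}

// maxRetries stands in for the server's configured retry limit (assumed).
const maxRetries = 3

// RecordLookupFailure applies step 1: a previously verified handle stays
// shown until the retry budget is exhausted. Returns whether it is still shown.
func (h *HandleState) RecordLookupFailure() bool {
	if !h.Verified {
		return false // never verified: nothing to show
	}
	h.Failures++
	if h.Failures >= maxRetries {
		h.Verified = false
	}
	return h.Verified
}

// RecordSignatureCheck applies step 3: a valid signature (re)verifies the
// handle and resets the failure count; an invalid one de-authorizes it.
func (h *HandleState) RecordSignatureCheck(valid bool) bool {
	h.Verified = valid
	if valid {
		h.Failures = 0
	}
	return h.Verified
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	domain := "xn--bcher-kva.example" // "bücher.example" as an A-label (constructed)
	login := "https://xn--bcher-kva.example/"
	sig := signHandle(priv, domain, login)
	ok, _ := verifyHandle(hex.EncodeToString(pub), sig, domain, login)
	bad, _ := verifyHandle(hex.EncodeToString(pub), sig, domain, login+"other")
	fmt.Println("genuine:", ok, "tampered URL:", bad)
}
```

Because the verifier rebuilds the signed string itself, any change to the domain or login URL between signing and lookup makes `ed25519.Verify` fail, which is the property the handle display relies on; a server must therefore apply exactly the same IDN normalization as the provider before recomposing.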
(This section is non-normative.)
The handle, when verified, should be shown alongside an appropriate monotone IndieAuth icon, and in place of the handle or URL that the software already shows. Non-standard APIs, such as the Mastodon API, should put the IndieAuth display handle into a separate field.
(This section is non-normative.)