OAuth, IndieAuth, and the Future of Authorization APIs

Discussion / Backchannel

• #indiewebcamp on freenode.net
• Join via the web: indiewebcamp.com/IRC
• Live Notes: etherpad.mozilla.org/indieauth
• Hashtag: #indieauth

2007: Twitter

• "Microblogging"
• A sense of ownership over your account
• Encouraged an ecosystem of many different apps

Twitter Clients (2012)

• Twitter.com
• Twitterific (OS X)
• Echofon (Windows, OS X, Firefox)
• Janetter (Windows, OS X)
• Tweetings (Windows, OS X)
• Echelon (OS X)
• Hibari (OS X)
• Destroy Twitter (Windows, OS X, Linux)
• HootSuite (browser based)

Twitter Client Attribution

Twitter Stats Apps

The Dark Ages

Obvious problems...

• Gave your username/password to third-party apps
• Apps store the password in plaintext
• Apps get complete access to your account
• No way to revoke access except to change your password
• Compromised apps may expose your password

bret.io (Jekyll)

kartikprabhu.com (Bundle)

waterpigs.co.uk (Taproot)

tantek.com (Falcon)

kylewm.com (Red Wind)

Working within constraints

• (Re)invent as little as possible
• HTTPS is easier than cryptography
• HTML & form-encoded for content (vs JSON or XML)
• Users are represented by a URL
• Apps are represented by a URL
• (Native apps just need an "about" page online)

			Application
			client_id = https://indiewebcamp.com/
			redirect_uri = https://indiewebcamp.com/auth/callback
			
				User
				me = https://aaronparecki.com/
			
			
				User's authorization server
				authorization_endpoint = https://indieauth.com/auth
			
		

Sign-In Form

When submitted, the server discovers the user's authorization_endpoint, and redirects the browser there with the parameters for the request.

Send the user to their auth server

https://indieauth.com/auth?me=https://aaronparecki.com/&
   client_id=https://indiewebcamp.com/&
   redirect_uri=https://indiewebcamp.com/auth/callback&
   state=1234567890
		

Auth server presents the request

User authenticates, server generates an authorization code

HTTP/1.1 302 Found
Location: https://indiewebcamp.com/auth/callback?
  code=xxxxxxxx&
  state=1234567890&
  me=https://aaronparecki.com/
		

Wiki verifies the authorization code

POST https://indieauth.com/auth
code=xxxxxxxx&
redirect_uri=https://indiewebcamp.com/auth/callback&
client_id=https://indiewebcamp.com&
state=1234567890

HTTP/1.1 200 OK
me=https://aaronparecki.com/
		

• Third-party app
• Needs authorization from your website
• Will make a POST request to your server to create the note

			Application
			client_id = https://quill.p3k.io/
			redirect_uri = https://quill.p3k.io/auth/callback
			
				User
				me = https://aaronparecki.com/
			
			
				User's services
				authorization_endpoint = https://indieauth.com/auth
				token_endpoint = https://tokens.indieauth.com/token
				micropub = https://aaronparecki.com/micropub
			
		

Sign-In Form

When submitted, the server discovers the user's authorization_endpoint, and redirects the browser there with the parameters for the request.

Send the user to their auth server

https://indieauth.com/auth?me=https://aaronparecki.com/&
   client_id=https://quill.p3k.io/&
   redirect_uri=https://quill.p3k.io/auth/callback&
   state=1234567890&
   scope=post
		

Auth server presents the request

User authenticates, server generates an authorization code

HTTP/1.1 302 Found
Location: https://quill.p3k.io/auth/callback?
  code=xxxxxxxx&
  state=1234567890&
  me=https://aaronparecki.com/
		

Quill obtains an access token

POST https://tokens.indieauth.com/token
me=https://aaronparecki.com/&
code=xxxxxxxx&
redirect_uri=https://indiewebcamp.com/auth/callback&
client_id=https://indiewebcamp.com&
state=1234567890&
scope=post
		

Quill obtains an access token

HTTP/1.1 200 OK
me=https://aaronparecki.com/&
access_token=XXXXXX&
scope=post

Token endpoint verifies the auth code

• Token endpoint gets the auth code and issues an access token if it's valid
• The token endpoint can query the authorization server to ask if the auth code is valid
• In traditional OAuth 2.0 implementations, these are the same server
• You can create your own token endpoint, or use tokens.indieauth.com to bootstrap

indiewebcamp.com/token-endpoint

Using the Access Token

• Quill can use the access token to create posts on the user's website.
• Your site needs to be able to verify access tokens
• It can query the token endpoint to check if an access token is valid

Micropub

• A vocabulary for creating and editing posts
• Based on the Microformats 2 vocabulary
• Authentication handled by OAuth 2.0 Bearer Tokens (usually obtained via IndieAuth)
• Form-encoded requests, so that a browser can make requests directly!

Micropub Endpoint

• Will typically live within your website or CMS
• Knows how to create posts on your site
• For static sites, may be a separate server that can commit to the git repository (example: ugitpub.herokuapp.com)

Micropub Request

POST https://aaronparecki.com/micropub
Authorization: Bearer XXXXXXXXXXXXXXX
Content-Type: application/x-www-form-urlencoded

h=entry&
content=Hello+World
		

Micropub Response

HTTP/1.1 201 Created
Content-Type: application/x-www-form-urlencoded
Location: http://aaronparecki.com/notes/2014/06/23/1/
Link: <http://aaron.pk/n4Wj1> rel="shortlink"
		

Post with Location

POST https://aaronparecki.com/micropub
Authorization: Bearer XXXXXXXXXXXXXXX
Content-Type: application/x-www-form-urlencoded

h=entry&
content=Hello+World
location=geo:45.525185,-122.681633
		

Micropub

• Why form-encoded and multipart? Why not JSON?
• (Re)invent as little as possible
• All server-side environments support form-encoded requests
• Provides an extensible method of attaching files and other content

Thanks!

• Try it out: indieauth.com
• Read More: indiewebcamp.com/indieauth
• Learn about the #indieweb: indiewebcamp.com

• aaronparecki.com
• @aaronpk