IndieAuth for ProcessWire Development

I have slowly but surely been working on an IndieAuth module for ProcessWire. IndieAuth lets you sign in to applications using your domain name and grant access to read/write to your site. I initially set up a version of this in 2016. My understanding of IndieAuth was limited at the time and it really only let you use IndieAuth to sign into your own site. There are some interesting possibilities there, but it was premature.

So what does this module actually do?

1. Authentication: When you visit a site like indielogin.com and enter your domain name, you will be taken to your ProcessWire admin area to approve the request. If you approve the request, you will be returned to the site and logged in as your domain name.

2. Authorization: When you visit an application like Quill, it needs to also get your permission to post to your site. You will be taken to your ProcessWire admin area to approve the request and the scopes that the app is requesting (create, update, delete, etc.). If you approve the request, you will be returned to the app, logged in as your domain name, and the app will have an access token for your site.

Features

• Browse the applications you have granted access tokens to. See when each one was granted, last used, and will expire.
• Revoke any application’s access tokens
• Set the default expiration period for new access tokens. The initial default is 14 days.
• During authorization, confirm and change the scopes granted to the application. For example, an app may request “create” and “delete” scopes, but you can grant only “create.”
• During authorization, you can also choose to grant an access token with no expiration

Try it out!

I have been testing the new module and think it is almost ready to release in the ProcessWire modules directory. I would like to have a few more people beta test it and provide feedback first, though. If you’re interested, follow these steps:

1. Download ProcessWire IndieAuth from Github and follow the instructions there to install it
2. Test Authentication: visit indielogin.com and enter your domain name. Follow the prompts to authenticate and you should end up back on indielogin.com with a success message.
3. Test Authorization: visit Quill and enter your domain name. Follow the prompts, noting the additional fields for scopes and expiration. After successfully authorizing, you should end up back on Quill with a success message.
   • Go back to the ProcessWire admin area of your site. Visit Access > IndieAuth and you should see an entry for the access you just granted to Quill.

Optionally test access tokens

To test access tokens, you will need a module that accepts them. I have set up a minimal Micropub module for that purpose. All it does currently is verify the access token and shows a debugging message indicating the request was received.

Follow the instructions to install the Micropub module. Go back to Quill and try to post a short note to your site. Quill is expected to respond with “Something went wrong,” but scroll down and the section labelled Micropub response should show “Debugging: Micropub request received.” If you see that, it means the Micropub module successfully received and verified the access token!

The Micropub module will eventually be fully functional so you can publish to your site using a variety of Micropub clients, but that is a separate project that is going to take me some more time. I wanted to get the IndieAuth module out there instead of waiting to release both at the same time.

More information

If you’re interested in more details on IndieAuth, I recommend “OAuth for the Open Web” by Aaron Parecki. If you are interested in implementing IndieAuth in your project, see the IndieAuth specification.