IndieAuth for ProcessWire Released
IndieAuth lets you sign in to applications using your domain name and grant access to read/write to your site. This module adds IndieAuth support to your ProcessWire site, enabling two main things:
- Authentication: When you visit a site like indielogin.com and enter your domain name, you will be taken to your ProcessWire admin area to sign in and approve the request. If you approve the request, you will be returned to the site and logged in as your domain name.
- Authorization: When you visit an application like Quill, it needs to also get your permission to post to your site. You will be taken to your ProcessWire admin area to sign in and approve the request/scopes that the app is requesting (create, update, delete, etc.). If you approve the request, you will be returned to the app, logged in as your domain name, and the app will have an access token for your site.
Features
- Browse the applications you have granted access tokens to. See when each token was granted, when it was last used, and when it will expire.
- Revoke any application’s access tokens
- Set the default expiration period for new access tokens. The initial default is 14 days.
- Automatically remove expired tokens
- During authorization, confirm and change the scopes granted to the application. For example, an app may request “create” and “delete” scopes, but you can grant only “create.”
- During authorization, you can also choose to grant an access token with no expiration
Installation from Modules Directory
The recommended method is to use the ProcessWire admin area’s module interface.
- Navigate to Modules > New. In the Module Class Name field, enter ProcessIndieAuth
- Copy the template files from the module’s directory /extras/templates into your site’s /site/templates directory.
- Verify that the plugin installed pages:
  - IndieAuth Metadata Endpoint
  - Authorization Endpoint
  - Token Endpoint
  - Token Revocation Endpoint
  - IndieAuth page under the admin’s Access menu
- Look up the user(s) that you want to allow to use IndieAuth and assign them the “indieauth” role
- Update your home page template to add the link elements inside the <head> element:
<?=$modules->get('ProcessIndieAuth')->getLinkElements();?>
This should result in three <link> elements in the source HTML:
<head>
<link rel="indieauth-metadata" href="/indieauth-metadata-endpoint/">
<link rel="authorization_endpoint" href="/authorization-endpoint/">
<link rel="token_endpoint" href="/token-endpoint/">
</head>
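One way to verify this step, as an added example that is not part of the module: a Python check that parses a page's <head>, confirms the three rel values are present, and resolves each href against the site URL. The function names and the example.com domain are assumptions, and the sample HTML is constructed from the snippet above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# The three rel values this page says getLinkElements() should emit.
EXPECTED_RELS = ("indieauth-metadata", "authorization_endpoint", "token_endpoint")


class HeadLinkParser(HTMLParser):
    """Collect <link rel=... href=...> elements that appear inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}  # rel token -> first href seen for it

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            # rel is a space-separated token list; compare case-insensitively.
            for rel in (a.get("rel") or "").lower().split():
                if a.get("href") and rel not in self.links:
                    self.links[rel] = a["href"]

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def check_indieauth_links(html, site_url):
    """Return (endpoints, missing): absolute endpoint URLs and absent rels."""
    parser = HeadLinkParser()
    parser.feed(html)
    # Relative hrefs are resolved against the URL the page was served from.
    endpoints = {rel: urljoin(site_url, parser.links[rel])
                 for rel in EXPECTED_RELS if rel in parser.links}
    missing = [rel for rel in EXPECTED_RELS if rel not in endpoints]
    return endpoints, missing


# Constructed sample: the <head> shown above, served from a placeholder domain.
SAMPLE_HTML = """<html><head>
<link rel="indieauth-metadata" href="/indieauth-metadata-endpoint/">
<link rel="authorization_endpoint" href="/authorization-endpoint/">
<link rel="token_endpoint" href="/token-endpoint/">
</head><body></body></html>"""

if __name__ == "__main__":
    print(check_indieauth_links(SAMPLE_HTML, "https://example.com/"))
```

A non-empty missing list means the template call is absent from the rendered home page or the link elements landed outside <head>.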
Sign In
To test signing in with IndieAuth, visit indielogin.com and enter your domain name. Follow the prompts to authenticate and you should end up back on indielogin.com with a success message.
Sign In and Authorize
To authorize an application with IndieAuth, your site will first need a module that uses access tokens. I have a Micropub for ProcessWire module in development that does that. Micropub is a standard that lets you publish to your site using third-party clients. If you’d like to try it out, follow the instructions on GitHub to install it.
After installing, visit Quill and enter your domain name. Follow the prompts and note the additional fields for “scope” and “expiration,” since you are authorizing an application to interact with your site. After successfully authorizing, try to post a short note from Quill. Quill should redirect you to the new post if it was successful.
For a list of other Micropub clients you can try, see https://indieweb.org/Micropub/Clients.
Admin and Options
In the admin, you can see which applications you have granted access tokens to. You can see when each token was issued, last accessed, and its expiration. You can also manually revoke a token at any time. Navigate to: Access > IndieAuth.
There are a couple of options in the admin at Modules > Configure > ProcessIndieAuth:
- Default access token lifetime (in seconds): This defaults to 14 days and is what appears in the authorization screenshot above.
- Automatically remove access tokens after expiration (enabled by default): When enabled, the site checks approximately every six hours and removes expired access tokens. Regardless of whether this option is enabled, the module will reject any application attempting to use an expired access token. Since access tokens cannot (currently) have their expiration extended, I recommend keeping this option enabled so the admin list stays tidy and current.
Finally, this module writes some admin logs. Access those at: Setup > Logs > indieauth
More About IndieAuth
If you’re interested in more details about IndieAuth, I recommend the article “OAuth for the Open Web” by Aaron Parecki (or the video presentation). If you are interested in implementing IndieAuth in your project, see the IndieAuth specification.