I now have the building blocks for Ticketing for IndieAuth set up.

On my staging site, the metadata endpoint now advertises the ticket_endpoint. That endpoint is accepting POST requests with parameters: ticket, resource, and subject. If the request is valid, it will be stored and return HTTP 202 with the message “Accepted.” Tickets are not automatically redeemed yet.

In the IndieAuth module admin, I set up a page to issue a ticket by entering a URL for “Allow access to” (the resource) and “Send ticket to” (the subject). Submitting that form will check the subject URL for an indieauth-metadata endpoint that advertises a ticket_endpoint. If that is found successfully, a ticket is created and sent there.

Finally, I updated the token_endpoint to accept POST requests with grant_type=ticket and exchange the ticket for an access token.

Next I will be working on automatically redeeming received tickets for access tokens and setting up some private posts to work with granted access tokens.

I am currently using the same code that generates authorization codes to make the tickets. I think this should work fine because it already handles creating an opaque string that is valid for a short period of time (5 minutes). The module also ensures these can only be used once and logs key information for each request like client_id (source code). I need to run some tests to ensure tickets can’t be used as authorization codes and I might need to add some metadata to differentiate the two in the admin area.

Feel free to try to send a ticket to my staging site and ping me in IndieWeb dev chat. I can also send you a ticket if you’d like to try that out. I look forward to discussing this with other implementers!