Plugin / IndieAuth

IndieWebCamp WordPress Outreach Club

Frequently Asked Questions (FAQ)

IndieAuth is a way of doing Web sign-in, where you use your own homepage or author post URL (usually /author/authorname) to sign in to other places. It is built on top of OAuth 2.0, which is used by many websites.
IndieAuth is an extension to OAuth. If you are a developer, you have probably used OAuth to get access to APIs. As a user, if you have given an application access to your account on a service, you probably used OAuth. One advantage of IndieAuth is how easily it allows everyone’s website to be their own OAuth Server without needing applications to register with each site.
IndieAuth was built on top of OAuth 2.0 and differs in that users and clients are represented by URLs. Clients can verify the identity of a user and obtain an OAuth 2.0 Bearer token that can be used to access user resources. You can read the specification for implementation details.
The goals of OpenID and Web Sign In are similar. Both encourage you to sign in to a website using your own domain name. However, OpenID has failed to gain wide adoption. Web sign-in prompts a user to enter a URL to sign on. Upon submission, it tries to discover the URL’s authorization endpoint, and authenticate to that. If none is found, it falls back on other options. This plugin only supports searching an external site for an authorization endpoint, allowing you to log into one site with the credentials of another site. This functionality may be split off in future into its own plugin.
IndieAuth.com is the reference implementation of the IndieAuth Protocol and is available for public use. If you activate this plugin you do not need to use this site. IndieAuth.com uses rel-me links on your website to determine your identity for authentication, but this is not required to use this plugin.
As of version 3.2, the endpoints return the display name, avatar, and URL from your user profile.
No. When you provide the URL of the WordPress site and authenticate to WordPress, it will return the URL of your author profile as your unique URL. Only one user may use the URL of the site itself. This setting is set in the plugin settings page, or if there is only a single user, it will default to them.
That, as mentioned, depends on the server. By default, the built-in IndieAuth server uses the WordPress login. By adding IndieAuth support, you can log into sites simply by providing your URL.
We recommend your site uses SSL to ensure your credentials are not sent in cleartext. As of Version 3.3, this plugin supports Proof Key for Code Exchange (PKCE), if the client supports it.
Once you have proven your identity, the token endpoint issues a token, which applications can use to authenticate as you to your site. The plugin supports you using an external token endpoint if you want, but by having it built into your WordPress site, it is under your control. You can manage and revoke tokens under User->Manage Tokens. You will only see tokens for the currently logged in user.
The WordPress function get_current_user_id works to retrieve the current user ID if logged in via IndieAuth. The plugin offers the following functions to assist you in using IndieAuth for your service. We suggest you check on activation for the IndieAuth plugin by asking if ( class_exists( 'IndieAuth_Plugin' ) ).

- indieauth_get_scopes() – Retrieves an array of scopes for the auth request.
- indieauth_check_scope( $scope ) – Checks if the provided scope is in the current available scopes
- indieauth_get_response() – Returns the entire IndieAuth token response
- indieauth_get_client_id() – Returns the client ID
- indieauth_get_me() – Return the me property for the current session.
- new IndieAuth_Client_Discovery( $client_id ) – Class that allows you to discover information about a client
- $client->get_name() – Once the class is instantiated, retrieve the name
- $client->get_icon() – Once the class is instantiated, retrieve an icon

If any of these return null, the value was not set, and IndieAuth is not being used.

Scopes and user permissions are not enforced by the IndieAuth plugin and must be enforced by whatever is using them. The plugin does contain a list of permission descriptions to display when authorizing, but this is solely to aid the user in understanding what the scope is for. The scope description can be customized with the filter indieauth_scope_description( $description, $scope )
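Because the plugin does not enforce scopes, the code consuming a token has to. One way to do that in a REST `permission_callback`, added here as an example and not taken from the plugin; the route `myplugin/v1/notes`, the helper `myplugin_require_scope()` and the pairing of the `create` scope with the `publish_posts` capability are assumptions.

```php
<?php
// Added example: hypothetical helper and route, not the IndieAuth plugin's own code.

/**
 * Build a permission_callback that requires a WordPress capability and,
 * when the request was authenticated with an IndieAuth token, a scope as well.
 */
function myplugin_require_scope( $scope, $capability ) {
	return function ( WP_REST_Request $request ) use ( $scope, $capability ) {
		// No authenticated user at all (no cookie, no accepted token).
		if ( 0 === get_current_user_id() ) {
			return new WP_Error( 'unauthorized', 'Authentication required.', array( 'status' => 401 ) );
		}
		// The capability check applies however the user logged in.
		if ( ! current_user_can( $capability ) ) {
			return new WP_Error( 'forbidden', 'User lacks the required capability.', array( 'status' => 403 ) );
		}
		// IndieAuth plugin not active: only the capability check is possible.
		if ( ! class_exists( 'IndieAuth_Plugin' ) ) {
			return true;
		}
		// null means this request did not use an IndieAuth token (see the FAQ text above).
		if ( null === indieauth_get_scopes() ) {
			return true;
		}
		// Token request: the token must carry the scope this route needs.
		if ( ! indieauth_check_scope( $scope ) ) {
			return new WP_Error( 'insufficient_scope', "Token lacks the '$scope' scope.", array( 'status' => 403 ) );
		}
		return true;
	};
}

add_action( 'rest_api_init', function () {
	register_rest_route( 'myplugin/v1', '/notes', array(
		'methods'             => 'POST',
		// 'create' and 'publish_posts' are this example's choices, not plugin defaults.
		'permission_callback' => myplugin_require_scope( 'create', 'publish_posts' ),
		'callback'            => function ( WP_REST_Request $request ) {
			// Report which user and which client the request was made as.
			return array(
				'user_id'   => get_current_user_id(),
				'client_id' => class_exists( 'IndieAuth_Plugin' ) ? indieauth_get_client_id() : null,
			);
		},
	) );
} );
```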
The plugin allows you to generate a token under User->Manage Tokens with access. You can provide this to an application manually.
Many server configurations will not pass bearer tokens. The plugin attempts to work with this as best possible, but there may be cases we have not encountered. The first step is to try running the diagnostic script linked to in the settings page. It will tell you whether tokens can be passed. Temporarily enable WP_DEBUG, which will surface some errors in your logs.

If you feel comfortable with command line entries, you can request a token under Users->Manage Tokens and use curl or similar to test logins. Replace example.com with your site and TOKEN with your bearer token.

    curl -i -H 'Authorization: Bearer TOKEN' 'https://example.com/wp-json/indieauth/1.0/test'
    curl -i -H 'Authorization: Bearer test' 'https://example.com/wp-json/indieauth/1.0/test?access_token=TOKEN'

This will quickly test your ability to authenticate to the server. Additional diagnostic tools may be available in future.

If this does not work, you can add define( 'INDIEAUTH_TOKEN_ERROR', true ); to your wp-config.php file. The INDIEAUTH_TOKEN_ERROR flag will return an error if no token is passed, allowing you to troubleshoot this issue. However, it will require authentication for all REST API functions, even those that do not require it, so it is off by default.

If your Micropub client includes an Authorization HTTP request header but you still get an HTTP 401 response with body missing access token, your server may be stripping the Authorization header. If you're on Apache, try adding this line to your .htaccess file:

    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

If that doesn't work, try this line:

    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

If that doesn't work either, you may need to ask your hosting provider to whitelist the Authorization header for your account. If they refuse, you can pass it through Apache with an alternate name.
The plugin searches for the header in REDIRECT_HTTP_AUTHORIZATION, as some FastCGI implementations store the header in this location.
Some hosting providers filter this out using mod_security. For one user, they needed Rule 340162 whitelisted as it detects the use of a URL as an argument.

Ratings

5 (4 reviews)
Details Information

Version: 3.4.2
First Released: 13 Sep, 2013
Total Downloads: 8,878
WordPress Version: 4.9.9 or higher
Tested up to: 5.2.4
Require PHP Version: 5.4 or higher


The plugin hasn't been translated into any language other than English.
