IndieAuth as a Persona Identity Provider

Two weeks ago, I attended Indie Web Camp and had lots of interesting Persona conversations. As part of an Auth Jam session, a few of us explored the idea of adding non-OAuth-based authentication mechanisms to IndieAuth.

While Aaron and Austin got SMS and Persona working as IndieAuth providers during one of the Sunday hack sessions, I wanted to explore the idea of IndieAuth (an implementation of RelMeAuth) as a Persona identity provider.

Using IndieAuth on any Persona-enabled site

The goal of this effort was to allow Indie Web developers to use their preferred email address with Persona and have IndieAuth authenticate them using any supported IndieAuth provider (e.g. Twitter or Github).

This work will help bridge the gap between these two projects and allow IndieAuth developers to log into more website using their hard-earned credentials.

User setup

In order to take advantage of this, users have to:

  1. Serve a support document on their email domain declaring indieauth.com as the authority for their domain.
  2. Include a rel="me" link for their preferred email address on their personal domain.
  3. Advertise their personal domain on their email domain via WebFinger.

For example, Aaron would use the following support document at https://parecki.com/.well-known/browserid:

{
    "authority": "indieauth.com"
}

Then he would ensure that there is a rel="me" link on aaronparecki.com pointing to his preferred email address, aaron@parecki.com:

<a href="mailto:aaron@parecki.com" rel="me">Email me</a>

Finally, because his email domain (parecki.com) is different from his personal domain (aaronparecki.com), they would need to be linked together via WebFinger. Thankfully, he found a clever way to do this with a simple Apache rewrite rule and some static files:

<Directory /var/www/profile>
    Header set Access-Control-Allow-Origin: "*"
</Directory>

RewriteEngine on
RewriteMap unescape int:unescape
RewriteCond ${unescape:%{QUERY_STRING}} resource=acct:(.+)
RewriteRule ^/.well-known/webfinger /profile/${unescape:%1}.json? [last]

with the following in /var/www/profile/francois@fmarier.org.json:

{
  "subject": "acct:francois@fmarier.org",
  "links": [
    {
      "rel": "http://webfinger.net/rel/avatar",
      "href": "http://fmarier.org/img/francois_marier.jpg"
    },
    {
      "rel": "http://webfinger.net/rel/profile-page",
      "href": "http://fmarier.org/"
    },
    {
      "rel": "me",
      "href": "http://fmarier.org/"
    }
  ]
}

You can test that your setup is working using https://webfinger.net/.

Implementation

Aaron and I worked out the the details of how this will work and wrote a walkthrough to illustrate it.

The gist of it is that Persona will ask IndieAuth to certify an email address and IndieAuth will convert that email address to a personal domain (using WebFinger) before authenticating the user with one of the IndieAuth providers enabled on that domain.