IndieAuth for WordPress

Part of my own project for this week, while taking off for the holiday, was to complete work on an Indieauth endpoint for WordPress.

IndieAuth is a layer on top of OAuth 2.0, a standard that grants websites or applications access to their information on other websites but without providing passwords.

OAuth is already being used by a variety of services…Login with Facebook or Login with Google options on sites are usually OAuth based. The difference is that for IndieAuth, users and clients are all represented by URLs.

Authorization Prompt for Indieauth for WordPress

So, why did I want to build one? A few reasons. The most popular use for a IndieAuth server as authentication for Micropub clients. Micropub is a standard for creating posts using third-party clients.

WordPress is moving toward deprecating their post interface in favor of a totally new one called ‘Gutenberg’. As a long time WordPress user, the focus on this concerns me as it does not necessarily represent my needs or desires as a user of the platform. So, I want to have options.

Currently, OAuth servers for WordPress of all types are limited. The REST API, which was heralded with much optimism, lacks an OAuth authentication method. In fact, it lacks any built-in authentication options other than the WordPress login for external authentication.

There is an incomplete project for an OAuth2 server for WordPress I did get some useful ideas from, however. I also have to thank Aaron Parecki, who wrote a book on OAuth2 and wrote the Indieauth specification, for reviewing my work and giving lots of feedback.

What I’ve built, with help, is a working IndieAuth authentication method that works for the REST API, among other things.

Since I wanted this to be widely adoptable, I needed to make sure of a secure implementation, and I think the results are a good initial version. There is an opportunity for further refinements and improvements, but it means that WordPress users are no longer dependent on Indieauth.com, the reference implementation of the spec which uses OAuth providers like Github and Twitter to authenticate.

This leads to my hopes for the future. There are people working on Micropub clients for Android. And if any of them pans out, or my own mobile options, I could easily post notes to my site from wherever I am using tools that are much more flexible to my needs than are available now, the culmination of nearly 4 years of moving toward this point, on and off.

The success for me will be able to read something on my phone, and quickly share that to my site. Or have a thought and quickly share it to my site, without having to spend so much time setting it up I think better of it.

There are still pieces that need work to achieve that, but this is a major piece knocked off.

David Shanske

My day job is in training for an airline. I also develop Indieweb WordPress plugins so that others can take control of their online identity.

14 Responses

  3. IndieAuth for WordPress by David Shanske (David Shanske)

    Part of my own project for this week, while taking off for the holiday, was to complete work on an Indieauth endpoint for WordPress.
    IndieAuth is layer on top of OAuth 2.0, a standard that grants websites or applications access to their information on other websites but without providing passwords.
    OAuth is already being used by a variety of services…Login with Facebook or Login with Google options on sites are usually OAuth based. The difference is that for IndieAuth, users and clients are all represented by URLs.

    This is awesome! I can’t wait to use my own website to authenticate myself.
    Syndicated copies to:

    Also on:

    Reply

  4. It’s already been a year since IndieAuth was published as a W3C Note! A lot has happened in that time! There’s been several new plugins and services launch support for IndieAuth, and it’s even made appearances at several events around the world!

    Micro.blog added native support for IndieAuth, so your hosted micro.blog account is now also an IndieAuth provider

    Dobrado launched native support for IndieAuth
    The IndieAuth Plugin for Drupal launched in the beginning of the year, and has had several releases since then
    The IndieAuth Plugin for Grav adds support to your Grav site by delegating to indieauth.com
    The IndieAuth Plugin for WordPress had a major rewrite and supports IndieAuth natively now

    I presented IndieAuth at the W3C Workshop on Strong Authentication & Identity in December, and even published a video of the talk afterwards!

    photo by Karen Myers

    At API Days Global, oauth.io presented a session including IndieAuth.

    Josh Hawxwell gave a talk at NottsJS called Indie What? where he covered several IndieWeb building blocks including IndieAuth.

    photo by @NottsJS

    In July, I wrote a blog post called OAuth for the Open Web, where I detailed the technical solutions IndieAuth provides on top of OAuth to enable it to work in a more open and less corporate environment.
    In October, I published Dweb: Identity for the Decentralized Web with IndieAuth on the Mozilla Hacks Blog.
    So here’s to a productive year for IndieAuth in 2018! Looking forward to seeing what new developments come up in 2019!

    Reply

Mentions

Likes

Bookmarks

Leave a Reply

Your email address will not be published. Required fields are marked *

To respond on your own website, enter the URL of your response which should contain a link to this post's permalink URL. Your response will then appear (possibly after moderation) on this page. Want to update or remove your response? Update or delete your post and re-enter your post's URL again. (Find out more about Webmentions.)