IndieAuth for WordPress

Part of my own project for this week, while taking off for the holiday, was to complete work on an IndieAuth endpoint for WordPress.

IndieAuth is a layer on top of OAuth 2.0, a standard that lets users grant websites or applications access to their information on other websites without providing passwords.

OAuth is already being used by a variety of services. The "Login with Facebook" or "Login with Google" options on sites are usually OAuth-based. The difference is that for IndieAuth, users and clients are all represented by URLs.

Authorization Prompt for Indieauth for WordPress

So, why did I want to build one? A few reasons. The most popular use for an IndieAuth server is as authentication for Micropub clients. Micropub is a standard for creating posts using third-party clients.

WordPress is moving toward deprecating their post interface in favor of a totally new one called ‘Gutenberg’. As a long time WordPress user, the focus on this concerns me as it does not necessarily represent my needs or desires as a user of the platform. So, I want to have options.

Currently, OAuth servers for WordPress of all types are limited. The REST API, which was heralded with much optimism, lacks an OAuth authentication method. In fact, it lacks any built-in authentication options other than the WordPress login for external authentication.

There is an incomplete project for an OAuth2 server for WordPress I did get some useful ideas from, however. I also have to thank Aaron Parecki, who wrote a book on OAuth2 and wrote the IndieAuth specification, for reviewing my work and giving lots of feedback.

What I’ve built, with help, is a working IndieAuth authentication method that works for the REST API, among other things.

Since I wanted this to be widely adoptable, I needed to make sure of a secure implementation, and I think the results are a good initial version. There is an opportunity for further refinements and improvements, but it means that WordPress users are no longer dependent on Indieauth.com, the reference implementation of the spec which uses OAuth providers like Github and Twitter to authenticate.

This leads to my hopes for the future. There are people working on Micropub clients for Android. And if any of them pans out, or my own mobile options, I could easily post notes to my site from wherever I am using tools that are much more flexible to my needs than are available now, the culmination of nearly 4 years of moving toward this point, on and off.

Success for me will be being able to read something on my phone and quickly share that to my site. Or have a thought and quickly share it to my site, without having to spend so much time setting it up that I think better of it.

There are still pieces that need work to achieve that, but this is a major piece knocked off.

David Shanske

My day job is in training for an airline. I also develop Indieweb WordPress plugins so that others can take control of their online identity.
