aaronpk / indieauth.com

This service is being discontinued in favor of indielogin.com

Home Page: https://indieweb.org/indieauth.com

indieauth.com's Introduction

IndieAuth

IndieAuth is a way to use your own domain name to sign in to websites.

It works by linking your website to one or more authentication providers such as Twitter or Google, then entering your domain name in the login form on websites that support IndieAuth.

See more information and tutorials at indieauth.com

Setup

Copy config.yml.template to config.yml and fill in all the details. You'll need to register OAuth apps at any of the providers you wish to support.

Bootstrap the database:

$ bundle exec rake db:bootstrap

Contributing

By submitting code to this project, you agree to irrevocably release it under the same license as this project.

License

Copyright 2015 by Aaron Parecki

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

indieauth.com's People

Contributors

aaronpk, cgrayson, chimo, cweiske, dependabot[bot], donpdonp, dreeves, julianfoad, kylewm, nolith, tmcw, yatil, zegnat


indieauth.com's Issues

301 redirect problem

After fixing #13, a new problem surfaced:

Attempting to log in as dreev.es

http://dreev.es -> [301] -> http://ai.eecs.umich.edu/people/dreeves/ -> [rel-me] -> https://twitter.com/dreev

and

https://twitter.com/dreev -> [rel-me] -> http://t.co/PlBCqLVndT -> [301] -> http://dreev.es -> [301] -> http://ai.eecs.umich.edu/people/dreeves/

IndieAuth should accept dreev.es as the identity in this case, treating umich.edu as delegated hosting for the content, not as the identity.

IndieAuth.com not scanning my https site

My https site is not being scanned by indieauth.com. It might be that the startssl.com certificate provider is not part of the trusted CAs on the indieauth.com server.

Catch timeout errors on auth/start

Since the provider list is cached, IndieAuth.com doesn't make a connection to your site until after clicking one of the buttons. At that point, it should better catch errors with your site such as if it's unable to reach the site due to DNS or timeout issues.

Add support for one-level deep links like /contact

Per RelMeAuth: users with separate contact pages.

This is already mentioned on the IndieWebCamp wiki but it took me a long time to determine that this was a known limitation (having first tried to authenticate with my site where the homepage links to my about page). GitHub issues feels like a more natural place to capture this to me.

Current behaviour:

  • My homepage links to my /contact page with a rel=me.
  • Signing in to indiewebcamp.com using my homepage correctly finds a link to my GitHub profile on my /contact page.
  • I choose to authenticate using GitHub.
  • I see the following error:

"https://github.com/chrisroos" was not found on the site "http://chrisroos.co.uk". Try re-scanning after checking your rel=me links on your site.

Fix OpenID support

OpenID should be supported by IndieAuth and was at one point. Since OpenID can rely only on the domain itself, this is a perfect auth mechanism for IndieAuth.

We originally had OpenID support, however, there got to be too many cases of it failing with bizarre errors that we finally decided to disable it rather than confuse everyone trying to use it. It seemed to fail somewhere internally to the OmniAuth OpenID library. Pull requests welcome!

Show a message telling the user what site they are signing in to

On the auth screen when the user chooses their OAuth provider, there should be a message at the top describing what site they are logging in to with IndieAuth.

This would be a similar UI as the OAuth authorization screen when the service shows the third party app requesting authorization.

To avoid registering apps like OAuth does, we could just use the domain of the redirect URI as the identity, and crawl that page looking for an h-card identifying the site.

Add a "keep me logged in" option

After successfully authenticating once, IndieAuth.com could keep a cookie so that future sign-in attempts don't require going out to an auth provider.

Add token endpoint

It would be useful if indieauth.com could also serve as a token endpoint so people could create a micropub endpoint faster. Of course this can be replaced by your own token endpoint at any point in the future; this would just be there to jumpstart your own development.

Doesn't work with twitter

It says I don't have a rel=me from my twitter to my website -- probably because the link on twitter is rel="nofollow me"

Unable to sign in with IndieAuth

I'm trying to sign in to the Indie Web Camp site [1] and I've followed the IndieAuth instructions at https://indieauth.com/setup

I added rel="me" to some of my social profile links (amirmc/amirmc.github.com@73e5815) and these are picked up during the site scan. My social profiles already have my homepage url. However, after I've authorised the app I end up back at IndieAuth with the following (confusing) message.

You just authenticated as 'https://twitter.com/amirmc' but your website linked to 'https://twitter.com/amirmc/'

I'm not sure how to proceed.

[1] http://indiewebcamp.com/Special:UserLogin

rel="pgpkey" does not work without rel="me" existing, too

An entry with rel="pgpkey" does not suffice for log in (IndieAuth will return "No rel="me" links were found on your site!").

Also, I don't really understand which criteria the keys have to fulfill or how the "me" domain is in return related to the "pgpkey".

indiewebcamp wiki rejects URLs that all other IndieAuth websites accept

I have set up my website according to instructions at https://indieauth.com/setup and successfully tested it on at least three sites – http://indieauth.com/ ("Try it!"), http://waterpigs.co.uk/, and http://aaronparecki.com/.

However, the main IndieWebCamp website, http://indiewebcamp.com/, rejects it – when trying to log in, I get the message: "You have not specified a valid username." I was told on IRC that this is the right place to report it.

The "problem" seems to be that my website isn't at the domain root – i.e. it is not at http://example.com/ but at http://example.com/~grawity/. (I own the domain, however.)

The restriction should be removed, for consistency with other sites implementing this auth.

Don't cache empty lists of rel-me links

When a rel-me scan comes back with none found, it should not cache that. This way the next time the person comes back and tries again it will automatically re-scan their website looking for the new rel-me link.

How to handle domain changes

I will be changing domains here soon, and I began to think about how someone could potentially register my old domain after I let it expire and log into IndieAuth-enabled websites.

How can I deal with this situation? Maybe there could be a way to indicate to IndieAuth that after a certain date, any logins for that domain should be considered a separate account?

I'm not worried about it actually being an issue at the moment, but long term this should probably be worked out.

Auto authenticate with last successful provider

My idea is to attempt to auto authenticate with the last successful provider when signing into indie auth after you have successfully authenticated previously.

Maybe it could be a checkbox option like: "Remember my auth provider choice"

This way, when you sign in, all you have to do is enter your URL (or auto populate with the browsers ability to remember forms), and click sign in. It cuts a step out of the sign in process once things are set up.

Doesn't work with Flickr

I changed my Flickr URL to point to my profile instead of my photos, and I still hit the case where it didn't think my login matches the actual_username of "Nathan Vander Wilt": https://github.com/aaronpk/IndieAuth/blob/master/controller.rb#L184

I am not a Rails expert and don't see any fixtures that contain the actual Flickr config data, so it's hard to guess what attempted_username it's trying to match against — perhaps "natevw" versus "Nathan Vander Wilt"?

Better feedback on SSL errors when scanning sites

When the IndieAuth server can't connect to a site like twitter.com due to SSL errors, it currently treats it as retrieving an empty page and says "no rel-me link found".

Instead, it should show an error specifically that the https verification failed so it couldn't retrieve the web page.

IndieAuth is vomiting on connecting with all of my 3rd sites

I haven't changed anything on my end except for adding a phone number awhile back during IWC, but for some reason I can no longer auth in and am getting nasty Ruby errors.

Weird doubling of accounts on Step 1

[screenshot: 2013-08-19, 3:00 PM]

Here are the two links for Twitter & Github

Twitter Auth Link
https://indieauth.com/auth/start?me=http%3A%2F%2Fbrennannovak.com&profile=https%3A%2F%2Ftwitter.com%2Fbrennannovak&redirect_uri=http%3A%2F%2Findiewebcamp.com%2Fwiki%2Findex.php%3Ftitle%3DSpecial%3AIndieAuth%26returnto%3DMain_Page

Github Auth Link
https://indieauth.com/auth/start?me=http%3A%2F%2Fbrennannovak.com&profile=https%3A%2F%2Fgithub.com%2Fbrennannovak&redirect_uri=http%3A%2F%2Findiewebcamp.com%2Fwiki%2Findex.php%3Ftitle%3DSpecial%3AIndieAuth%26returnto%3DMain_Page

I can clearly see it providing an HTTP instead of an HTTPS link which is really odd as I can HTTPS in my social profiles as well as in the REL=ME part of my site

  • App.net
  • Twitter
  • GitHub
  • LinkedIn
  • Flickr
  • Google+
  • Hacker News
  • Facebook
  • +1-503-662-2442

Error from authing with Twitter

[image: indieauth_twitter_error]

Error from authing Github

[image: indieauth_github_error]

However, I was able to get authenticated by manually changing the HTTP to HTTPS in the query string before being redirected to Github

note about GooglePlus rel=me link

It is probably worth pointing out to people (in the FAQ?) that GooglePlus profiles only put the rel="me" attribute on links for personal pages (not for business/brand/place/community pages). Also, the 'Links' section on the 'about' page of a GooglePlus profile contains several subsections including 'other profiles', 'contributor to', and 'links'. For IndieAuth to work with G+, the user must have the Links section open to the public, and the link back to their website must be in the 'other profiles' subsection, which must also be open to the public.

Github still not working for me

The first rel-me link on the newly-relaunched and indieweb-ified tommorris.org is to Github. But it fails for me. I have a sneaking suspicion it may have something to do with HTTPS.

On my site, I link to the HTTPS version of Github. I also have HTTPS Everywhere installed in Firefox: I tried it with HTTPS turned off and it didn't work. Later, I'll try it with an HTTP link from my site.

Resolve relative redirect URLs

Sometimes, http://bret.io sends a 301 redirect to / which means the schemes don't match and IndieAuth halts. Instead, the IndieAuth server should resolve the relative redirect location.
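The relative-Location case above and the dreev.es chain from the 301 redirect issue, as an added Ruby example that is not part of indieauth.com's code: the fetcher is injected and its responses are constructed so the example runs offline, and the hop cap and loop check are assumptions about sensible scanner behaviour rather than anything the project specifies.

```ruby
require 'uri'

REDIRECT_CODES = [301, 302, 303, 307, 308].freeze
MAX_HOPS = 5

# Constructed stand-in for the network: url => [status, Location header or nil].
# The bret.io and dreev.es chains mirror the two issues above; loop.example is
# a constructed redirect loop.
CANNED = {
  'http://bret.io'        => [301, '/'],
  'http://bret.io/'       => [200, nil],
  'http://dreev.es'       => [301, 'http://ai.eecs.umich.edu/people/dreeves/'],
  'http://ai.eecs.umich.edu/people/dreeves/' => [200, nil],
  'http://loop.example/a' => [301, '/b'],
  'http://loop.example/b' => [301, '/a'],
}.freeze
OFFLINE_FETCH = ->(url) { CANNED.fetch(url) { [404, nil] } }

# Follow redirects from +start+ and return [final_url, chain_of_urls]. A relative
# Location such as "/" is joined onto the redirecting URL (so it keeps that URL's
# scheme and host) rather than being treated as a new, scheme-less target.
def resolve_redirects(start, fetch: OFFLINE_FETCH, max_hops: MAX_HOPS)
  chain = [start]
  url = start
  max_hops.times do
    status, location = fetch.call(url)
    return [url, chain] unless REDIRECT_CODES.include?(status) && location
    url = URI.join(url, location).to_s
    raise "redirect loop at #{url}" if chain.include?(url)
    chain << url
  end
  raise "more than #{max_hops} redirects starting from #{start}"
end

# The identity stays the URL the user typed; the host the chain lands on is only
# where the profile content is hosted (the dreev.es case from the 301 issue).
def identity_and_host(me, fetch: OFFLINE_FETCH)
  final, _chain = resolve_redirects(me, fetch: fetch)
  { me: me, content_host: URI(final).host }
end
```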

https vs http confusion when attempting to use Twitter

1. Go to indiewebcamp.com, logged out, select "Sign in with your domain"
2. Enter "upon2020.com", click "Log In"
3. This leads to this URL: https://indieauth.com/auth?me=upon2020.com&redirect_uri=http%3A%2F%2Findiewebcamp.com%2FSpecial%3AIndieAuth%3Freturnto%3D, which gives two choices for Twitter login, http://twitter.com/Johannes_Ernst and http://twitter.com/@Johannes_Ernst (neither of which have https)
4. Selecting either fails on the next screen: '"http://twitter.com/Johannes_Ernst" was not found on the site "http://upon2020.com".'

Note that http://upon2020.com/ redirects to http://upon2020.com/blog/, and that the latter page only has a single rel=me to Twitter, which is '• Twitter'.

IndieAuth failed to use SNI

Server: nginx/1.7.1
SSL: OpenSSL 1.0.1e-2+deb7u10

Current configuration, this is a mixture of settings from html5 boilerplate, and a gist by Eric Mill (@konklone)

nginx.conf (part of):

      # Protect against the BEAST attack by preferring RC4-SHA when using SSLv3 and TLS protocols.
      # Note that TLSv1.1 and TLSv1.2 are immune to the beast attack but only work with OpenSSL v1.0.1 and higher and has limited client support.
      # Ciphers set to best allow protection from Beast, while providing forwarding secrecy, as defined by Mozilla - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
      # also see konklone's gist
      ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
      ssl_prefer_server_ciphers  on;
      ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
    
      # Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes.
      # The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
      # By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
      # Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
      ssl_session_cache    shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
      ssl_session_timeout  10m;
      keepalive_timeout 70;
    
      # Tell browsers to require SSL (warning: difficult to change your mind)
      add_header Strict-Transport-Security max-age=31536000;
    
      # This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication).
      # Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors.
      ssl_certificate      /etc/ssl/private/jbnet.unified.crt; #these are the certs for jonnybarnes.net
      ssl_certificate_key  /etc/ssl/private/jbnet.decrypted.key;
    
      # more from konklone's gist
      # Buffer size of 1400 bytes fits in one MTU.
      # nginx 1.5.9+ ONLY
      ssl_buffer_size 1400;
    
      # SPDY header compression (0 for none, 9 for slow/heavy compression). Preferred is 6.
      #
      # BUT: header compression is flawed and vulnerable in SPDY versions 1 - 3.
      # Disable with 0, until using a version of nginx with SPDY 4.
      spdy_headers_comp 0;
    
      # Now let's really get fancy, and pre-generate a 2048 bit random parameter
      # for DH elliptic curves. If not created and specified, default is only 1024 bits.
      #
      # Generated by OpenSSL with the following command:
      # openssl dhparam -outform pem -out dhparam2048.pem 2048
      #
      # Note: raising the bits to 2048 excludes Java 6 clients. Comment out if a problem.
      ssl_dhparam /home/jonny/dhparam2048.pem;
    
      # OCSP stapling
      #ssl_stapling on;
      #ssl_stapling_verify on;
      #resolver 8.8.8.8;
      #ssl_trusted_certificate /etc/ssl/jbnet.fullchain.crt;
    
      include /usr/local/nginx/sites-enabled/*;
    

As you can see, I've defined some default certs, though it isn't working as expected: the sites-enabled folder has various vhosts, and if it doesn't know which to pick then it's simply using the first one that "matches".

It appears that when IndieAuth is sending a request it doesn't use SNI correctly. To fix this I've renamed my vhost files to 00-jonnybarnes.net and 01-jmb.so. Thus my server is now replying with the cert for jonnybarnes.net by default. Before, the request to jonnybarnes.net was being replied to by my jmb.so vhost and thus with the cert for jmb.so.

IndieAuth chokes on redirected domains

@veganstraightedge mentioned this might already be known, but seems reasonable to file anyways.

While I had my domain setup as a redirect (from http://rkn.la/ to http://rknla.github.io/), IndieAuth failed to complete the process.

IIRC, the issue popped up at the last step (i.e. the first rel link was found on my domain, but the rel=me from my github profile didn't manage to propagate back to my domain).

I suspect this is probably an issue with following redirects?

Changing my DNS from redirect-to-github to being properly hosted fixed the issue, and the issue didn't come up at all when I submitted http://rknla.github.io/ as my auth domain.

Catch Net::HTTPServiceUnavailable error

When the indieauth server is unable to connect to the user's site, it currently fails with "No rel="me" links were found on your site!" Instead, it should display a more specific error saying that the server was unable to connect.
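An added Ruby example (not indieauth.com's own code) covering this issue together with the timeout, SSL-feedback and empty-cache issues above: transport failures surface as a distinct error instead of "no rel-me links", and empty scan results are not cached. The fetcher and its canned responses are constructed so it runs offline; SiteUnreachable and RelMeCache are hypothetical names, not the project's.

```ruby
require 'net/http'
require 'openssl'

SiteUnreachable = Class.new(StandardError)

# Constructed stand-in for the network: each site maps to an HTML body or to the
# exception Net::HTTP would raise; unknown hosts fail DNS (SocketError).
CANNED_SITES = {
  'http://ok.example/'     => '<a rel="me" href="https://github.com/alice">gh</a>',
  'http://empty.example/'  => '<p>no links yet</p>',
  'http://slow.example/'   => Net::OpenTimeout.new('execution expired'),
  'http://badtls.example/' => OpenSSL::SSL::SSLError.new('certificate verify failed'),
  'http://down.example/'   => Net::HTTPFatalError.new('503 "Service Unavailable"', nil),
}.freeze
OFFLINE_SITES = lambda do |url|
  CANNED_SITES.fetch(url) { raise SocketError, 'getaddrinfo: Name or service not known' }
end

# Fetch the body, mapping each transport failure to SiteUnreachable with a
# message the user can act on, instead of falling through to "no rel=me links".
def fetch_body(url, fetch:)
  result = fetch.call(url)
  raise result if result.is_a?(Exception)
  result
rescue Net::OpenTimeout, Net::ReadTimeout
  raise SiteUnreachable, "timed out connecting to #{url}"
rescue OpenSSL::SSL::SSLError => e
  raise SiteUnreachable, "HTTPS verification failed for #{url}: #{e.message}"
rescue Net::HTTPFatalError => e
  raise SiteUnreachable, "#{url} answered with a server error: #{e.message}"
rescue SocketError => e
  raise SiteUnreachable, "could not resolve #{url}: #{e.message}"
end

# hrefs of <a> tags whose rel attribute contains the token "me", so a value such
# as rel="nofollow me" (which Twitter emits) still counts.
def rel_me_links(html)
  html.scan(/<a\b[^>]*>/i).map do |tag|
    rel  = tag[/\brel\s*=\s*["']([^"']*)["']/i, 1]
    href = tag[/\bhref\s*=\s*["']([^"']*)["']/i, 1]
    href if rel && href && rel.split.map(&:downcase).include?('me')
  end.compact
end

# Per-site cache of scan results. An empty list is deliberately not stored, so a
# user who adds a rel-me link and retries gets a fresh scan; failures are not
# stored either, because nothing about the site's content was learned.
class RelMeCache
  def initialize(fetch:)
    @fetch = fetch
    @store = {}
  end

  def links_for(url)
    return @store[url] if @store.key?(url)
    links = rel_me_links(fetch_body(url, fetch: @fetch))
    @store[url] = links unless links.empty?
    links
  end

  def cached?(url)
    @store.key?(url)
  end
end
```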

ignore trailing slash for some provider profile URLs

some (most?) providers serve the same content for profile URLs both with and without trailing slashes instead of 30x redirecting, e.g. https://github.com/bradfitz and https://github.com/bradfitz/ , which makes indieauth fail when the rel-me and provider links don't match. the providers should redirect, but they don't, so we might want to consider treating them as equal, probably with a provider whitelist or blacklist.

so far, it looks like at least twitter and github do this.

discussion: http://indiewebcamp.com/irc/2014-04-08/line/1396976046

cc @bradfitz
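An added Ruby example, not indieauth.com's code, of the lenient comparison suggested here; it also covers the trailing-slash (amirmc) and http-vs-https Twitter issues above. LENIENT_PROVIDERS is an assumed whitelist for illustration, not something the project defines.

```ruby
require 'uri'

# Providers observed (in the issues above) to serve identical profile content with
# and without a trailing slash and over both schemes, so those differences are
# not treated as identity differences. Assumed list, not the project's.
LENIENT_PROVIDERS = %w[twitter.com github.com].freeze

# Canonical form of a profile URL: lower-cased host without "www.", and for
# lenient providers a fixed https scheme, no trailing slash, and a Twitter
# "/@name" path folded to "/name". Other hosts keep scheme and path as-is.
def normalize_profile_url(url)
  uri = URI.parse(url.strip)
  host = uri.host.to_s.downcase.sub(/\Awww\./, '')
  path = uri.path.to_s
  path = path.sub(%r{\A/@}, '/') if host == 'twitter.com'
  lenient = LENIENT_PROVIDERS.include?(host)
  path = path.chomp('/') if lenient
  path = '/' if path.empty?
  scheme = lenient ? 'https' : uri.scheme
  "#{scheme}://#{host}#{path}"
end

# True when the rel-me link on the user's site and the profile URL reported by
# the provider after login denote the same profile.
def profile_urls_match?(rel_me_url, provider_url)
  normalize_profile_url(rel_me_url) == normalize_profile_url(provider_url)
end
```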
