My quirky IndieAuth server
By Den McHenry
Wherein I turn a relic of my past into an IndieAuth server thanks to two plugins.
I had been using Aaron Parecki's indieauth dot com as my IndieAuth server, but hadn't been doing much of anything with it. When I recently tried to sign in to An IndieWeb Webring, I received an error indicating some cryptic problem with the issuer. I reached out to Marty McGuire on the IndieWeb chat, and he pointed me in the right direction, correctly surmising that it was a disconnect related to the evolving spec.
It seemed best to seek out a new IndieAuth server, and I first tried Benji Encalada Mora's serverless-indieauth project. It worked well enough, but I wasn't a fan of the interface and realized I had a pretty good solution staring me in the face. Or staring daggers at me in the rearview mirror, since I hadn't noticed it in the backseat for a really, really long time.
The IndieAuth plugin for WordPress (WP) doesn't seem like the right solution for a static site built with Eleventy and deployed to Netlify, but I ran a popular blog many years ago in my former life as a classicist. You know, talking about ancient languages, analyzing poetry, making niche jokes about philosophers and mythological figures, gushing over your favorite dead scholars and how mean they could be about each other's work. Good times.
I continue to pay for hosting as an ode to another time. What? No, not antiquity. My own past. An ode to my younger self. I'm not that old. Stop giggling.
The IndieAuth plugin for WP is dead simple, with very little in the way of settings. This is kind of great, because there's nothing to mess up, no code to customize, no Netlify functions to deploy and break, etc. But it raises an important question: How do you use it to authenticate yourself on a different site?
The plugin works by treating your WP author page as your personal page, and thus your canonical identity. After installing the plugin, you place three links in the head of your personal site, where example dot com is your WP site:
<link rel="indieauth-metadata" href="https://example.com/wp-json/indieauth/1.0/metadata" />
<link rel="authorization_endpoint" href="https://example.com/wp-json/indieauth/1.0/auth" />
<link rel="token_endpoint" href="https://example.com/wp-json/indieauth/1.0/token" />
The problem is that when you try to use IndieAuth to sign in anywhere, you'll find yourself instead signed in as your WP user, e.g., https://example.com/author/name.
But don't despair! If you're like me, you don't want a WP author page. You'd prefer your author link to take folks to your personal site.
To solve this problem, I turned to another plugin: WP Custom Author URL. Once installed, you'll find two things at the bottom of your author page:
- Checkbox: "Use a custom author URL?"
- Input: "Custom Author URL"
Check the box, add your personal site, and you're done. Now when you use your personal site to sign in, you will be authenticated as expected.
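A way to check this setup offline, as an added example that is not code from this post or from either plugin: it parses the three links from a page head, applies the IndieAuth metadata rules for the issuer (https, no query or fragment, a prefix of the metadata URL), and flags the case above where the server returns the WP author page instead of your personal site. The `me.example` domain and the issuer value are constructed assumptions.

```python
import json
from html.parser import HTMLParser
from urllib.parse import urlsplit

RELS = ("indieauth-metadata", "authorization_endpoint", "token_endpoint")

class LinkRels(HTMLParser):
    """Collect the first href for each IndieAuth rel on a <link> tag."""
    def __init__(self):
        super().__init__()
        self.found = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            for rel in (a.get("rel") or "").split():
                if rel in RELS:
                    self.found.setdefault(rel, a["href"])

def canonical(url):
    """Lowercase scheme and host; treat an empty path as "/"."""
    u = urlsplit(url)
    return (u.scheme.lower(), u.netloc.lower(), u.path or "/", u.query)

def audit(profile_url, head_html, metadata, returned_me):
    """Return a list of problems; an empty list means the setup is consistent."""
    parser = LinkRels()
    parser.feed(head_html)
    links, problems = parser.found, []
    for rel in RELS:
        if rel not in links:
            problems.append(f"missing link rel={rel}")
        elif urlsplit(links[rel]).scheme != "https":
            problems.append(f"{rel} is not https")
    issuer = metadata.get("issuer", "")
    iss = urlsplit(issuer)
    if iss.scheme != "https" or iss.query or iss.fragment:
        problems.append("issuer must be https with no query or fragment")
    elif not links.get("indieauth-metadata", "").startswith(issuer):
        problems.append("issuer is not a prefix of the metadata URL")
    if canonical(returned_me) != canonical(profile_url):
        problems.append(f"signed in as {returned_me}, not {profile_url}")
    return problems

# Constructed sample data: me.example and the issuer value are assumptions.
BASE = "https://example.com/wp-json/indieauth/1.0"
HEAD = "".join(f'<link rel="{r}" href="{BASE}/{p}" />'
               for r, p in zip(RELS, ("metadata", "auth", "token")))
META = {"issuer": BASE}
print(audit("https://me.example/", HEAD, META, "https://example.com/author/name"))
```

To run it against a live setup, pass the fetched head of your personal site, the parsed JSON from the metadata URL, and the `me` value the server returned.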
The Users section in WP-Admin will now also include a section called Manage Tokens. This is the one bit that could be a dealbreaker for someone else, but I'm okay with it. The reporting here is broken now, so that each token shows as never having been accessed, and these can proliferate each time you log in, based on the client. E.g., if set to never expire, Indie Book Club appears to automatically refresh the existing token, while another service like Micropublish or a test site like IndieLogin will create a new token each time. You'll want to clean these up occasionally.
This is admittedly a quirky, niche solution, and I'll likely work out a non-WP solution later. But this is perfect for me right now because it's allowing me to experiment with some IndieWeb stuff more than I've been able to in a long time.