Last week I started developing an RSS/Atom based news reader. I've been using Feedly to follow blogs, but also to follow music forums. Blogs have a good signal to noise ratio, but forums have too many posts, and I often wish I could "mute" a discussion thread, so that no more posts from a given discussion show up. I decided to create a small Flask app, using the Python feedparser library together with Celery to periodically fetch entries, and Svelte to display them on the frontend.
I started thinking about authentication, and since I didn't want to manage credentials I decided to use IndieAuth. IndieAuth is a protocol designed to allow authentication and authorization using only your website URL. It works the following way:
1. You go to app.example.com (the client), and type in your website URL (you.example.com) to login.
2. The client fetches your website, looking for a link with rel=authorization_endpoint. This is something you should've set up, and corresponds to an endpoint that can represent you.
3. The client sends you to that authorization endpoint, which has to verify that you really own you.example.com.
4. Once you are verified, the authorization endpoint sends you back to app.example.com.
I decided to write a Flask application that worked as an authorization endpoint, so I could understand the protocol better while setting up my website for IndieAuth. One of the problems I had was that, if you look at step 3, the authorization endpoint needs to know who I am. This requires logging in to the authorization endpoint, which is the problem I originally wanted to solve. At some point I probably need to login with a username and a password, but I didn't want to manage that.
So I decided to punt the authentication problem one more step, and implemented RelMeAuth in my authorization backend. RelMeAuth delegates authentication to an OAuth provider, defined by a link with the rel=me property. Basically this is how it works:
1. You type in your website URL, you.example.com.
2. The authorization endpoint needs to confirm that you own you.example.com. It fetches your website, looking for a link with the property rel=me pointing to Github or Twitter (more providers could be added).
3. You log in to that provider via OAuth, and the authorization endpoint checks that the account you logged in with matches the rel=me link.
Basically, on your website you.example.com you add a link <a href="https://github.com/betodealmeida" rel="me">Github</a>. Then, if a website can confirm that you are indeed betodealmeida on Github they know you own you.example.com.
My identity provider is running on https://taoetc.org/, hosting a simple h-card and declaring the authorization endpoint both in the HTTP header as well as in the HTML. If you run your own website you can use my IndieAuth service by adding the following lines to your HTML:
<head>
<link rel="authorization_endpoint" href="https://taoetc.org/auth">
<link rel="token_endpoint" href="https://taoetc.org/token">
</head>
<body>
<!-- one or the other is needed -->
<a href="https://github.com/$username" rel="me">Github</a>
<a href="https://twitter.com/$username" rel="me">Twitter</a>
</body>
I haven't tested the Twitter authorization yet, only Github. Also, only use this if you trust me: the authorization endpoint is the party that vouches for your identity to every client. If you don't, you can run your own instance. I named the service este-sou-eu, which means "this is me" in Portuguese. I'll be adding detailed instructions on how to run it in the next few days.
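The two discovery steps described above (the client looking up rel=authorization_endpoint, and the authorization endpoint looking up rel=me links) are both "find a rel link on the user's page" problems, so here is one added example that does both. This is illustrative code written for this post, not the code of este-sou-eu or of any IndieAuth library. It assumes the page HTML and the HTTP Link header have already been fetched (no network calls), that the only supported providers are github.com and twitter.com as in the post, and that a provider profile URL has exactly one path segment. The sample profile HTML, the third rel=me link and the second Link header value are constructed for the demonstration; the taoetc.org endpoints and the betodealmeida username come from the post.

```python
"""Rel-link discovery for IndieAuth and RelMeAuth (added example, not the project's code)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class RelLinkParser(HTMLParser):
    """Collect (rel token, absolute href) pairs from <link> and <a> elements."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("link", "a"):
            return
        attrs = dict(attrs)
        href, rel = attrs.get("href"), attrs.get("rel")
        if not href or not rel:
            return
        absolute = urljoin(self.base_url, href)  # relative hrefs resolve against the profile URL
        for token in rel.lower().split():        # rel can hold several space-separated tokens
            self.links.append((token, absolute))


def parse_link_header(header, base_url):
    """Parse an HTTP Link header such as '<https://taoetc.org/auth>; rel="authorization_endpoint"'.
    Splits on commas, so it assumes no URL in the header contains a comma."""
    links = []
    if not header:
        return links
    for part in header.split(","):
        pieces = [p.strip() for p in part.split(";")]
        if not (pieces[0].startswith("<") and pieces[0].endswith(">")):
            continue
        target = urljoin(base_url, pieces[0][1:-1])
        for param in pieces[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "rel":
                for token in value.strip().strip('"').lower().split():
                    links.append((token, target))
    return links


def discover_endpoint(profile_url, html, link_header=None, rel="authorization_endpoint"):
    """IndieAuth discovery: the HTTP Link header is consulted before the HTML.
    Only an https endpoint is accepted, since the user is redirected to it with the client's credentials."""
    candidates = parse_link_header(link_header, profile_url)
    parser = RelLinkParser(profile_url)
    parser.feed(html)
    candidates += parser.links
    for token, href in candidates:
        if token == rel and urlsplit(href).scheme == "https":
            return href
    return None


PROVIDERS = {"github.com": "github", "twitter.com": "twitter"}  # the two the post supports


def rel_me_providers(profile_url, html):
    """RelMeAuth discovery: {provider: username} for every https rel=me link that points
    at a supported provider's profile page (exactly one path segment)."""
    parser = RelLinkParser(profile_url)
    parser.feed(html)
    found = {}
    for token, href in parser.links:
        if token != "me":
            continue
        parts = urlsplit(href)
        host = parts.netloc.lower()
        host = host[4:] if host.startswith("www.") else host
        provider = PROVIDERS.get(host)
        segments = [s for s in parts.path.split("/") if s]
        if provider and parts.scheme == "https" and len(segments) == 1:
            found.setdefault(provider, segments[0].lower())  # first link for a provider wins
    return found


def confirm_ownership(profile_url, html, provider, confirmed_username):
    """The username the OAuth provider confirmed must equal the one named on the rel=me
    link; a prefix or substring match would let a similarly named account claim the site."""
    expected = rel_me_providers(profile_url, html).get(provider)
    return expected is not None and expected == confirmed_username.lower()


# Constructed sample profile page, shaped like the snippet above.
PROFILE_URL = "https://you.example.com/"
PROFILE_HTML = """<html><head>
<link rel="authorization_endpoint" href="https://taoetc.org/auth">
<link rel="token_endpoint" href="https://taoetc.org/token">
</head><body>
<a href="https://github.com/betodealmeida" rel="me">Github</a>
<a href="http://twitter.com/betodealmeida" rel="me">Twitter</a>
<a href="https://github.com/betodealmeida/some-repo" rel="me">a repo, not a profile</a>
</body></html>"""
LINK_HEADER = '<https://taoetc.org/auth>; rel="authorization_endpoint"'

if __name__ == "__main__":
    print(discover_endpoint(PROFILE_URL, PROFILE_HTML))
    print(rel_me_providers(PROFILE_URL, PROFILE_HTML))
    print(confirm_ownership(PROFILE_URL, PROFILE_HTML, "github", "betodealmeida"))
```

In the sample page the Twitter link is plain http and the third link points at a repository rather than a profile, so only the Github identity is accepted; the endpoint should compare the exact account the provider confirmed against that link, not just "some Github account logged in".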