IndieAuth is a decentralized identity protocol built on OAuth 2.0, which works using URLs to identify users and applications. It allows people to use a domain under their control as their identity while signing in and authorizing applications using that identity. The spec can be found at https://www.w3.org/TR/indieauth/.
All user IDs are URLs, and apps are also identified by their URLs instead of by pre-registered client IDs. This makes it work great for situations where you don’t want to require that developers sign up for an account at each authorization server, such as writing apps that authenticate users at arbitrary WordPress installations.
IndieAuth separates the roles of the authorization server and issuing access tokens, so that completely separate implementations and services can be used for each part of the flow.
IndieAuth can be used as an authentication mechanism when an application just needs to identify users for login, or it can be used by an application to obtain an access token to use against the user’s website.
For example, IndieAuth is used by Micropub clients to obtain an access token that is then used to create content on the user’s website.
IndieAuth builds upon the OAuth 2.0 framework as follows:
- Specifies a mechanism and format for identifying users (a resolvable URL)
- Specifies a method of discoverinig the authorization and token endpoints given a profile URL
- Specifies a format for the Client ID (also as resolvable URL)
- All clients are public clients, as client secrets are not used
- Client registration is not necessary, since all clients must use a resolvable URL as their Client ID
- Redirect URI registration is accomplished by the application publicizing their valid redirect URLs on their website
- Specifies a mechanism for a token endpoint and authorization endpoint to communicate, similiar to token introspection but for authorization codes
More information and the spec can be found at indieauth.net. A brief overview of the two workflows follows.