barnacle

This is the IndieAuth endpoint for https://auth.benji.dog using barnacle.

Setup

To set up, you will need to add the following to the <head> of your website:

<link rel="authorization_endpoint" href="https://auth.benji.dog/auth">
<link rel="token_endpoint" href="https://auth.benji.dog/token">

List of valid requests

GET /auth     Show the login form to authenticate.
POST /auth    Exchange the code for profile information.
GET /token    Check whether a token is valid.
POST /token   Exchange the code for an access token.

Authenticate 1

GET https://auth.benji.dog/auth
Content-Type: application/x-www-form-urlencoded

response_type=code
client_id=https://client.example.com/
redirect_uri=https://client.example.com/redirect
state=1234567890
code_challenge=a21ad7a3adbf55e4a2ea8fb524f193a9f999efd0420b72b1311c4e1858172b35
code_challenge_method=S256
scope=profile+create+update+delete
me=https://auth.benji.dog

Response 2

If you successfully authorize the request, the authorization endpoint will send the authorization code to the redirect_uri.

HTTP/1.1 302 Found
Location: https://client.example.com/redirect?code=xxxxxxxx&
                                              state=1234567890&
                                              iss=https://auth.benji.dog

Profile Information

POST https://auth.benji.dog/auth
Content-Type: application/x-www-form-urlencoded
Accept: application/json

grant_type=authorization_code
code=xxxxxxxx
client_id=https://app.example.com/
redirect_uri=https://app.example.com/redirect
code_verifier=746f6f6d616e7973656372657473

Response 3

You can exchange the code for the user's profile URL 4. The response may also include profile information if the code was issued with the required scopes.

HTTP/1.1 200 OK
Content-Type: application/json

{
  "me": "https://auth.benji.dog",
  "profile": {
    "name": "Example User",
    "url": "https://www.example.com/",
    "photo": "https://www.example.com/photo.jpg",
    "email": "user@example.com"
  }
}

Verify Access Token

GET https://auth.benji.dog/token
Authorization: Bearer xxxxxxxx

Response

HTTP/1.1 200 OK
Content-Type: application/json

{
  "me": "https://www.example.com",
  "client_id": "https://client.example.com",
  "scope": "profile create update delete"
}

or

HTTP/1.1 200 OK
Content-Type: application/x-www-form-urlencoded

me=https://www.example.com/&
client_id=https://client.example.com/&
scope=profile create update delete

Redeem Access Token

POST https://auth.benji.dog/token
Content-Type: application/x-www-form-urlencoded
Accept: application/json

grant_type=authorization_code
code=xxxxxxxx
client_id=https://app.example.com/
redirect_uri=https://app.example.com/redirect
code_verifier=746f6f6d616e7973656372657473

Response 5

HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token": "XXXXXX",
  "token_type": "Bearer",
  "scope": "profile create update delete",
  "me": "https://auth.benji.dog"
}
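The PKCE binding that ties the GET /auth request above to the later POST /auth and POST /token exchanges, worked through from both sides. This is an added example, not code from barnacle; the endpoint URLs are the ones in this README, while CLIENT_ID, REDIRECT_URI and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints from this README; the client values are hypothetical, as in its samples.
AUTH_ENDPOINT = "https://auth.benji.dog/auth"
CLIENT_ID = "https://client.example.com/"
REDIRECT_URI = "https://client.example.com/redirect"
ISSUER = "https://auth.benji.dog"

def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), unpadded (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_code_verifier() -> str:
    """43-character high-entropy verifier the client keeps private until the exchange."""
    return secrets.token_urlsafe(32)

def authorization_url(state: str, code_challenge: str, me: str = ISSUER) -> str:
    """The GET /auth request from this README, as a query string."""
    return AUTH_ENDPOINT + "?" + urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "scope": "profile create update delete",
        "me": me,
    })

def code_from_redirect(location: str, expected_state: str) -> str:
    """Client side: accept the 302 Location only if state and iss match what we sent."""
    q = parse_qs(urlparse(location).query)
    state, iss, code = (q.get(k, [""])[0] for k in ("state", "iss", "code"))
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: not a request this client started")
    if iss != ISSUER:
        raise ValueError("iss mismatch: code was not issued by the expected endpoint")
    if not code:
        raise ValueError("no authorization code in redirect")
    return code

def endpoint_verifies_pkce(stored_challenge: str, code_verifier: str) -> bool:
    """Endpoint side, at POST /auth or POST /token: the submitted code_verifier must
    hash to the code_challenge that was stored with the code when it was issued."""
    return hmac.compare_digest(s256_challenge(code_verifier), stored_challenge)
```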

References

  1. IndieAuth Spec - Section 5.2 - Authorization Request
  2. IndieAuth Spec - Section 5.2.1 - Authorization Response
  3. IndieAuth Spec - Section 5.3.4 - Profile Information
  4. IndieAuth Spec - Section 5.3.2 - Profile URL Response
  5. IndieAuth Spec - Section 5.3.3 - Access Token Response