aaronpk / indielogin.com

Sign in with your domain name
https://indielogin.com
MIT License
149 stars 24 forks

Update to use the token endpoint #121

Open anderspitman opened 3 months ago

anderspitman commented 3 months ago

Seeing some weird behavior while trying to implement IndieAuth support for obligator. The token request is coming back to my authorization endpoint. I've triple checked that I'm setting them to different values in my `<link>`s. I'm sure it's a typo somewhere, but wanted to check and make sure there's no chance it's on the IndieLogin side.

anderspitman commented 3 months ago

Here's an example HTML response returned from the user profile:

```html
<!DOCTYPE html>
<html>
  <head>
    <link rel="indieauth-metadata" href="https://anderspitman.com/.well-known/indieauth-metadata">
    <link rel="authorization_endpoint" href="https://anderspitman.com/indieauth/auth" />
    <link rel="token_endpoint" href="https://anderspitman.com/indieauth/token" />
  </head>
  <body>
    <h1>Hi there</h1>
  </body>
</html>
```

The token requests are going to https://anderspitman.com/indieauth/auth

aaronpk commented 3 months ago

Yeah I think this is IndieLogin.com doing the older behavior described in the first IndieAuth spec. I'll do a pass on this to update it to the latest spec this week. Sorry about that.

anderspitman commented 3 months ago

No worries, just thought I was losing my mind for a minute. 99/100 times this is a typo somewhere in my brand new code.

anderspitman commented 3 months ago

Ohhh I see, this behavior indicates it only wants the profile and not an access token: https://indieauth.spec.indieweb.org/#profile-url-response. I actually quite like the simplicity of that.

aaronpk commented 3 months ago

Yeah, the only downside is it means it's not compatible with OAuth 2.0 then. The theory was that you could deploy a site with only an authorization endpoint and no token endpoint.
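Added example, not part of the thread and not IndieLogin.com's or obligator's code: the endpoint choice discussed above, from the client's side, in Python. It parses the `rel` links from a constructed profile page (the `user.example` URLs and all function names are assumptions of this example) and picks where the authorization code is redeemed: the token endpoint when an access token is wanted, the authorization endpoint when only the profile URL is needed. It works offline on the HTML only and does not fetch the `indieauth-metadata` document; the HTTPS check is a policy choice of the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample, modelled on the profile HTML quoted in the thread.
PROFILE_URL = "https://user.example/"
PROFILE_HTML = """<!DOCTYPE html>
<html><head>
<link rel="indieauth-metadata" href="/.well-known/indieauth-metadata">
<link rel="authorization_endpoint" href="https://user.example/indieauth/auth" />
<link rel="token_endpoint" href="https://user.example/indieauth/token" />
</head><body><h1>Hi there</h1></body></html>"""

RELS = ("indieauth-metadata", "authorization_endpoint", "token_endpoint")

class LinkRelParser(HTMLParser):
    """Collect the first href advertised for each IndieAuth rel value."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = dict(attrs)
        href = attr.get("href")
        if not href:
            return
        # rel is a space-separated, case-insensitive token list.
        for rel in (attr.get("rel") or "").lower().split():
            if rel in RELS and rel not in self.found:
                # Relative hrefs resolve against the profile URL.
                self.found[rel] = urljoin(self.base_url, href)

def discover(profile_url, html):
    parser = LinkRelParser(profile_url)
    parser.feed(html)
    return parser.found

def redemption_endpoint(endpoints, want_access_token):
    """Token endpoint for an access token, authorization endpoint for profile only."""
    rel = "token_endpoint" if want_access_token else "authorization_endpoint"
    url = endpoints.get(rel)
    if url is None:
        raise LookupError(f"profile does not advertise {rel}")
    if urlsplit(url).scheme != "https":  # policy choice of this example
        raise ValueError(f"refusing non-HTTPS {rel}: {url}")
    return url
```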