indieweb / wordpress-indieauth

IndieAuth for WordPress
https://wordpress.org/plugins/indieauth/
MIT License

IndieAuth

Contributors: indieweb, pfefferle, dshanske
Tags: IndieAuth, IndieWeb, IndieWebCamp, login
Requires at least: 4.9.9
Requires PHP: 7.2
Tested up to: 6.6
Stable tag: 4.5.2
License: MIT
License URI: http://opensource.org/licenses/MIT
Donate link: https://opencollective.com/indieweb

IndieAuth is a way to allow users to use their own domain to sign into other websites and services.

Description

The plugin turns WordPress into an IndieAuth endpoint. This can be used as an authentication mechanism for WordPress and its REST API, as well as an identity mechanism for other sites. It uses the URL from your user profile page, or your author URL, to identify the blog user. We recommend your site be served over HTTPS to use this.

You can also install this plugin to enable web sign-in for your site using your domain.

Installation

  1. Upload the indieauth directory to your /wp-content/plugins/ directory
  2. Activate the plugin through the 'Plugins' menu in WordPress
  3. That's it

Frequently Asked Questions

What is IndieAuth?

IndieAuth is a way of doing Web sign-in, where you use your own homepage or author post URL (usually /author/authorname) to sign in to other places. It is built on top of OAuth 2.0, which is used by many websites.

Why IndieAuth?

IndieAuth is an extension to OAuth. If you are a developer, you have probably used OAuth to get access to APIs. As a user, if you have given an application access to your account on a service, you probably used OAuth. One advantage of IndieAuth is how easily it allows everyone's website to be their own OAuth Server without needing applications to register with each site.

How is IndieAuth different from OAuth?

IndieAuth was built on top of OAuth 2.0 and differs in that users and clients are represented by URLs. Clients can verify the identity of a user and obtain an OAuth 2.0 Bearer token that can be used to access user resources.

You can read the specification for implementation details.

How is Web Sign In different from OpenID?

The goals of OpenID and Web Sign In are similar. Both encourage you to sign in to a website using your own domain name. However, OpenID has failed to gain wide adoption. Web sign-in prompts a user to enter a URL to sign on. Upon submission, it tries to discover the URL's authorization endpoint, and authenticate to that. If none is found, it falls back on other options.

This plugin only supports searching an external site for an authorization endpoint, allowing you to log into one site with the credentials of another site if that site is listed as the website URL in your user profile.

What is IndieAuth.com?

Indieauth.com is the reference implementation of the IndieAuth Protocol. If you activate this plugin you do not need to use this site. IndieAuth.com uses rel-me links on your website to determine your identity for authentication, but this is not required to use this plugin which uses your WordPress login to verify your identity.

How does the application know my name and avatar?

As of version 3.2, the endpoints return the display name, avatar, and URL from your user profile.

Does this require each user to have their own unique domain name?

No. When you provide the URL of the WordPress site and authenticate to WordPress, it will return the URL of your author profile as your unique URL. Only one user may use the URL of the site itself. This setting is set in the plugin settings page, or if there is only a single user, it will default to them.

How do I authenticate myself to an Indieauth server?

That, as mentioned, depends on the server. By default, the built-in IndieAuth server uses the WordPress login.

By adding Indieauth support, you can log into sites simply by providing your URL.

How secure is this?

We recommend your site uses HTTPS to ensure your credentials are not sent in cleartext. As of version 3.3, this plugin supports Proof Key for Code Exchange (PKCE), if the client supports it.

What is a token endpoint?

Once you have proven your identity, the token endpoint issues a token, which applications can use to authenticate as you to your site.

You can manage and revoke tokens under User->Manage Tokens. You will only see tokens for the currently logged in user.

How do I incorporate this into my plugin?

The WordPress function get_current_user_id() works to retrieve the current user ID if logged in via IndieAuth. The plugin offers the following functions to assist you in using IndieAuth for your service. We suggest you check on activation for the IndieAuth plugin by testing if ( class_exists( 'IndieAuth_Plugin' ) ).

If any of these return null, the value was not set, and IndieAuth is not being used. Scopes and user permissions are not enforced by the IndieAuth plugin and must be enforced by whatever is using them. The plugin does contain a list of permission descriptions to display when authorizing, but this is solely to aid the user in understanding what the scope is for.

The scope description can be customized with the filter indieauth_scope_description( $description, $scope ).
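As an added example (not code from the plugin itself), this is how a third-party plugin can enforce a scope on its own REST route, since the IndieAuth plugin does not enforce scopes. It assumes the IndieAuth plugin exposes a helper indieauth_get_scopes() returning the granted scopes of the current token as an array; the readme does not list the helper names, so verify that against the plugin source. The scope name myplugin:export and the route are made up for the example.

```php
<?php
/**
 * Added example, not part of the IndieAuth plugin: a REST route that enforces
 * an IndieAuth scope itself. Assumption: indieauth_get_scopes() exists and
 * returns the granted scopes of the current token as an array.
 */

// Register a friendlier description for the custom scope on the consent screen.
add_filter( 'indieauth_scope_description', function ( $description, $scope ) {
	if ( 'myplugin:export' === $scope ) {
		return 'Export your posts from the My Plugin data store';
	}
	return $description;
}, 10, 2 );

// Scopes granted to the token used for this request; empty when IndieAuth is
// not active, the helper is missing, or the request carried no token.
function myplugin_current_scopes() {
	if ( ! class_exists( 'IndieAuth_Plugin' ) || ! function_exists( 'indieauth_get_scopes' ) ) {
		return array();
	}
	$scopes = indieauth_get_scopes(); // assumed helper, see lead-in
	return is_array( $scopes ) ? $scopes : array();
}

// Permission check: a resolved user AND the specific scope. Fails closed, so a
// cookie-authenticated session (which has no token scopes) is also refused.
function myplugin_export_permission( WP_REST_Request $request ) {
	if ( ! get_current_user_id() ) {
		return new WP_Error( 'rest_unauthorized', 'Authentication required.', array( 'status' => 401 ) );
	}
	if ( ! in_array( 'myplugin:export', myplugin_current_scopes(), true ) ) {
		return new WP_Error( 'rest_forbidden_scope', 'Token lacks the myplugin:export scope.', array( 'status' => 403 ) );
	}
	return true;
}

add_action( 'rest_api_init', function () {
	register_rest_route( 'myplugin/1.0', '/export', array(
		'methods'             => 'GET',
		'permission_callback' => 'myplugin_export_permission',
		'callback'            => function () {
			return array( 'user' => get_current_user_id(), 'status' => 'ok' );
		},
	) );
} );
```

Because scopes only exist on token-authenticated requests, this route is token-only by design; a plugin that also wants to serve cookie-authenticated admins would add a separate capability check.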

What if I just want to use the REST API without OAuth exchange?

The plugin allows you to generate a token under User->Manage Tokens with access. You can provide this to an application manually.

I keep getting the response that my request is Unauthorized

Many server configurations will not pass bearer tokens. The plugin attempts to work with this as best possible, but there may be cases we have not encountered. The first step is to try running the diagnostic script linked to in the settings page. It will tell you whether tokens can be passed.

Temporarily enable WP_DEBUG, which will surface some errors in your logs.

If you feel comfortable with the command line, you can request a token under Users->Manage Tokens and use curl or similar to test logins. Replace example.com with your site and TOKEN with your bearer token. The first request passes the token in the Authorization header; the second passes it as the access_token query parameter, with a dummy header value, to test the fallback.

curl -i -H 'Authorization: Bearer TOKEN' 'https://example.com/wp-json/indieauth/1.0/test'
curl -i -H 'Authorization: Bearer test' 'https://example.com/wp-json/indieauth/1.0/test?access_token=TOKEN'

This will quickly test your ability to authenticate to the server. Additional diagnostic tools may be available in future.

If this does not work, you can add define( 'INDIEAUTH_TOKEN_ERROR', true ); to your wp-config.php file. With the INDIEAUTH_TOKEN_ERROR flag set, the plugin returns an error whenever no token is passed, which lets you troubleshoot the issue. However, it then requires authentication for all REST API functions, even those that do not normally require it, so it is off by default.

If your Micropub client includes an Authorization HTTP request header but you still get an HTTP 401 response with body missing access token, your server may be stripping the Authorization header. If you're on Apache, try adding this line to your .htaccess file:

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

If you are not running the latest version of WordPress, try this line. It is added automatically as of 5.6:

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

You can also try:

CGIPassAuth On

If that doesn't work either, you may need to ask your hosting provider to whitelist the Authorization header for your account. If they refuse, you can pass it through Apache under an alternate name. The plugin also searches for the header in REDIRECT_HTTP_AUTHORIZATION, as some FastCGI implementations store the header in this location.
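As an added diagnostic (not the plugin's own code), this must-use plugin reports which of the locations described above the Authorization header actually reaches, without echoing the token back. It assumes placement in wp-content/mu-plugins/ and registers a made-up route, example-diag/1.0/auth-header; remove it once the problem is found.

```php
<?php
/**
 * Added example, not part of the IndieAuth plugin: reports where the
 * Authorization header arrives in PHP. Call it with the same curl request you
 * use against the plugin's test endpoint, e.g.
 *   curl -i -H 'Authorization: Bearer TOKEN' https://example.com/wp-json/example-diag/1.0/auth-header
 */

// Never return the secret itself: report only the scheme and the token length.
function example_diag_shape( $value ) {
	if ( preg_match( '/^Bearer\s+(\S+)$/i', trim( $value ), $m ) ) {
		return 'Bearer token, ' . strlen( $m[1] ) . ' characters';
	}
	return 'present but not a Bearer token';
}

// Checks the CGI variable, the FastCGI/redirect copy that some hosts use, and
// PHP's own parsed request headers (the mod_security or proxy may strip any).
function example_diag_locate_authorization( array $server ) {
	$found = array();
	foreach ( array( 'HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION' ) as $key ) {
		if ( ! empty( $server[ $key ] ) ) {
			$found[ $key ] = example_diag_shape( $server[ $key ] );
		}
	}
	if ( function_exists( 'getallheaders' ) ) {
		foreach ( getallheaders() as $name => $value ) {
			if ( 0 === strcasecmp( $name, 'Authorization' ) ) {
				$found['getallheaders'] = example_diag_shape( $value );
			}
		}
	}
	return $found;
}

add_action( 'rest_api_init', function () {
	register_rest_route( 'example-diag/1.0', '/auth-header', array(
		'methods'             => 'GET',
		'permission_callback' => '__return_true', // open by design; it discloses no secret
		'callback'            => function () {
			$found = example_diag_locate_authorization( $_SERVER );
			return array(
				'authorization_seen' => ! empty( $found ),
				'locations'          => $found,
				'hint'               => empty( $found )
					? 'Header stripped before reaching PHP; try the .htaccess or CGIPassAuth fixes.'
					: 'Header reaches PHP; the problem is elsewhere (token validity, expiry, user).',
			);
		},
	) );
} );
```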

I get an error that parameter redirect_uri is missing but I see it in the URL

Some hosting providers filter this out using mod_security. For one user, they needed Rule 340162 whitelisted as it detects the use of a URL as an argument.

What is the Ticketing extension and how do I enable it?

Ticketing for IndieAuth is a developing extension to OAuth2/IndieAuth. It creates a ticket endpoint on your site where other sites can send you a ticket, which can be redeemed for a token to access private resources on that other site. You can enable the experimental endpoint functionality by adding the below to your wp-config.php. If this becomes more established, it will be added in the settings page.

define( 'INDIEAUTH_TICKET_ENDPOINT', true );

At this time, the functionality is limited to receiving tickets, not sending them. It enables a new tab under Users called Manage External Tokens, which allows you to see which external tokens are stored. Tokens are stored per user.

Since the extension is developing, there is currently not a specified way to transfer this token to a client to be used.

Upgrade Notice

4.5.0

4.5.0 removes support for client discovery using a manifest file. This was never part of the official specification and has been superseded by the newly added client json metadata option.

4.4.0

4.4.0 removes the remote endpoint functionality, which will be archived as a separate plugin in future. It was already disabled by default. It also removes the ability to log in via URL and password. Web sign-in is now the only login enhancement.

4.3.0

4.3.0 changes the storage of client application data from being embedded in every token to being stored in a hidden taxonomy. Older tokens will not be automatically updated. It also sideloads the application icon.

4.2.0

Changes in the 4.2.0 branch implement future breaking changes to IndieAuth. Backward compatibility will be maintained for the foreseeable future, but clients are advised to update to the latest version of the standard to take advantage of the latest opportunities. Old methods will remain until adoption of the metadata endpoint is sufficient.

4.1.0

Introduces experimental Ticket Auth Endpoint, which allows the receipt of tickets and the storage of external tokens. This is disabled by default and can only be enabled through a flag.

4.0.0

This version enables expiring tokens. All existing tokens will remain as they were. New tokens will expire in 14 days by default. You can change this in settings.

3.6.0

Due to the fact that this upgrades the spec adherence to address the changes in the IndieAuth Living Standard as of November 26, 2020, there may be unanticipated issues with clients not meeting the changes. Until such a time as more IndieAuth clients adopt the changes, some elements of the changes will not be mandatory, such as PKCE compliance.

3.4.0

Because someone could set the URL in their user profile to the same value as another account, you will no longer be able to save the exact same URL into two accounts. If you have already set two accounts to the same URL, one will be wiped the next time you save a conflicting user profile.

3.3.2

Because of issues people have experienced with their hosting provider stripping Authorization headers, the plugin will now nag you to run the test for this.

3.0.0

In version 2.0, we added an IndieAuth endpoint to this plugin, which previously only supported IndieAuth for web sign-in. Version 3.0.0 separates the endpoint code from the web sign-in code and removes the ability to use a third-party IndieAuth endpoint with your site. If you use the sign-in feature, it will look for the IndieAuth endpoint for the URL you provide. If you use Micropub for WordPress, enabling the plugin will use the built-in endpoint for WordPress. If you wish to use Indieauth.com or another endpoint, you can disable this plugin and Micropub will use Indieauth.com by default.

Changelog

Project and support maintained on github at indieweb/wordpress-indieauth.

Released versions: 4.5.2, 4.5.1, 4.5.0, 4.4.2, 4.4.1, 4.4.0, 4.3.0, 4.2.1, 4.2.0, 4.1.1, 4.1.0, 4.0.0, 3.6.2, 3.6.1, 3.6.0, 3.5.1, 3.5.0, 3.4.2, 3.4.1, 3.4.0, 3.3.2, 3.3.1, 3.3, 3.2, 3.1.11, 3.1.10, 3.1.9, 3.1.8, 3.1.7, 3.1.6, 3.1.5, 3.1.4, 3.1.3, 3.1.2, 3.1.1, 3.1.0, 3.0.4, 3.0.3, 3.0.2, 3.0.1, 3.0.0, 2.1.1, 2.1.0, 2.0.3, 2.0.2, 2.0.1, 2.0.0, 1.1.3, 1.1.2, 1.1.1, 1.1.0, 1.0.0.