IndieLogin.com

If you are building a website and need to sign people in, you can use IndieLogin.com to handle all the complicated parts.

Users will identify themselves with their website, and can authenticate using one of the supported authentication providers such as Twitter, GitHub, or email. The user ID returned to you will be their website, ensuring that you don't end up creating multiple accounts depending on how the user authenticates.

1. Create a Web Sign-In form

<form action="https://indielogin.com/auth" method="get">
  <label for="url">Web Address:</label>
  <input id="url" type="text" name="me" placeholder="yourdomain.com" />
  <p><button type="submit">Sign In</button></p>
  <input type="hidden" name="client_id" value="https://example.com/" />
  <input type="hidden" name="redirect_uri" value="https://example.com/callback" />
  <input type="hidden" name="state" value="jwiusuerujs" />
</form>

Parameters

me: the web address the user types into the form; this is the identity that will eventually be returned to you.
client_id: the URL of your website.
redirect_uri: the URL on your site that IndieLogin.com will send the user back to after they authenticate.
state: a value you generate for this sign-in attempt; it is returned to you unchanged so you can confirm the response belongs to the attempt you started. Use a fresh, unguessable value per attempt rather than a fixed string, and keep it in the user's server-side session so it can be compared on return.

2. The user logs in with their domain

After the user enters their domain in the sign-in form and submits, IndieLogin.com will scan their website looking for rel="me" links from providers it knows about (see Supported Providers).

They will authenticate using one of the supported providers, such as authenticating with their own IndieAuth server, logging in on GitHub, or verifying a temporary code sent to their email address.

3. The user is redirected back to your site

https://example.com/callback?state=jwiusuerujs&code=gk7n4opsyuUxhvF4

If everything is successful, the user will be redirected back to the redirect_uri you specified in the form. You'll see two parameters in the query string, state and code. Check that the state matches the value you set originally before continuing.

4. Verify the authorization code with IndieLogin.com

At this point you need to verify the code; the verification response also returns the website of the authenticated user. Make a POST request to https://indielogin.com/auth with the code, client_id and redirect_uri, and you will get back the full website of the authenticated user.

POST https://indielogin.com/auth HTTP/1.1
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: application/json

code=gk7n4opsyuUxhvF4&
redirect_uri=https://example.com/callback&
client_id=https://example.com/

An example successful response:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "me": "https://aaronparecki.com/"
}

An example error response:

HTTP/1.1 400 Bad Request
Content-Type: application/json

{
  "error": "invalid_request",
  "error_description": "The code provided was not valid"
}
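The four steps above, carried through as one relying-party implementation. This is an added example, not code from IndieLogin.com or its documentation: it assumes the same client_id and redirect_uri as the form on this page, keeps the per-attempt state in a server-side session dictionary, checks the state on return before exchanging the code, and accepts only a plain http(s) URL as the returned identity. The fake_indielogin function is a constructed stand-in for the real endpoint so the example runs offline; pass the default transport instead to talk to indielogin.com.

```python
import hmac
import json
import secrets
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

INDIELOGIN_AUTH = "https://indielogin.com/auth"
CLIENT_ID = "https://example.com/"             # assumed: your site's URL
REDIRECT_URI = "https://example.com/callback"  # assumed: your callback URL


def begin_signin(session: dict) -> dict:
    """Step 1: mint a fresh, unguessable state for this attempt, keep it in the
    server-side session, and return the hidden-field values the form needs."""
    session["indielogin_state"] = secrets.token_urlsafe(32)
    return {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "state": session["indielogin_state"]}


def _post_form(url: str, body: bytes):
    """Real transport: POST a form body to IndieLogin.com, return (status, text)."""
    req = Request(url, data=body, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
        "Accept": "application/json"})
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8")
    except HTTPError as err:  # a 400 response still carries the JSON error body
        return err.code, err.read().decode("utf-8")


def _check_me(me: str) -> str:
    """Only accept a plain http(s) URL with a host as the user's identity."""
    u = urlparse(me)
    if u.scheme not in ("http", "https") or not u.netloc or "@" in u.netloc or u.fragment:
        raise ValueError(f"unexpected 'me' value from IndieLogin: {me!r}")
    return me


def handle_callback(session: dict, query_string: str, post=_post_form) -> str:
    """Steps 3 and 4: check state, exchange the code, return the verified website."""
    params = parse_qs(query_string)
    state = params.get("state", [""])[0]
    code = params.get("code", [""])[0]
    # pop() makes the state single use, so a replayed callback is rejected
    expected = session.pop("indielogin_state", None)
    if not expected or not hmac.compare_digest(state.encode(), expected.encode()):
        raise ValueError("state mismatch: not the sign-in attempt this session started")
    if not code:
        raise ValueError("callback is missing the authorization code")
    body = urlencode({"code": code, "redirect_uri": REDIRECT_URI,
                      "client_id": CLIENT_ID}).encode("utf-8")
    status, text = post(INDIELOGIN_AUTH, body)
    data = json.loads(text)
    if status != 200 or "error" in data:
        raise ValueError(f"code verification failed: {data.get('error_description', data)}")
    me = _check_me(data["me"])
    session["me"] = me  # the user is now logged in as their website identity
    return me


def fake_indielogin(url: str, body: bytes):
    """Constructed stand-in for indielogin.com so the demo runs offline. It
    accepts the example code from this page and answers with the documented
    success and error bodies."""
    form = {k: v[0] for k, v in parse_qs(body.decode("utf-8")).items()}
    if (form.get("code") == "gk7n4opsyuUxhvF4"
            and form.get("client_id") == CLIENT_ID
            and form.get("redirect_uri") == REDIRECT_URI):
        return 200, json.dumps({"me": "https://aaronparecki.com/"})
    return 400, json.dumps({"error": "invalid_request",
                            "error_description": "The code provided was not valid"})


if __name__ == "__main__":
    session = {}
    fields = begin_signin(session)
    callback = "state=%s&code=gk7n4opsyuUxhvF4" % fields["state"]
    print(handle_callback(session, callback, post=fake_indielogin))
```

The state is popped from the session before comparison, so a second delivery of the same callback, or a callback that arrives for a session that never started a sign-in, fails closed. The comparison is constant-time, and the returned me value is checked to be an http(s) URL before it is stored as the session identity.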

You're Done!

At this point you know the website belonging to the authenticated user.

You can store the website in a secure session and log the user in as their website identity. You don't need to worry about whether they authenticated with Twitter, GitHub or an email address: their identity is their website! You won't have to worry about merging duplicate accounts or handling error cases when Twitter is offline.

If you have any trouble using this service, please open an issue on GitHub.