
Update to use the token endpoint #121

Open
anderspitman opened this issue May 31, 2024 · 6 comments

Comments

@anderspitman

Seeing some weird behavior while trying to implement IndieAuth support for obligator. The token request is coming back to my authorization endpoint. I've triple checked that I'm setting them to different values in my `<link>` tags. I'm sure it's a typo somewhere, but wanted to check and make sure there's no chance it's on the IndieLogin side.

@anderspitman
Author

anderspitman commented May 31, 2024

Here's an example HTML response returned from the user profile:

```html
<!DOCTYPE html>
<html>
  <head>
    <link rel="indieauth-metadata" href="https://anderspitman.com/.well-known/indieauth-metadata">
    <link rel="authorization_endpoint" href="https://anderspitman.com/indieauth/auth" />
    <link rel="token_endpoint" href="https://anderspitman.com/indieauth/token" />
  </head>
  <body>
    <h1>Hi there</h1>
  </body>
</html>
```

The token requests are going to https://anderspitman.com/indieauth/auth

@aaronpk
Owner

aaronpk commented May 31, 2024

Yeah I think this is IndieLogin.com doing the older behavior described in the first IndieAuth spec. I'll do a pass on this to update it to the latest spec this week. Sorry about that.

@aaronpk aaronpk changed the title from "Does IndieLogin.com force use the authorization endpoint for the token endpoint by chance?" to "Update to use the token endpoint" on May 31, 2024
@anderspitman
Author

No worries, just thought I was losing my mind for a minute. 99/100 times this is a typo somewhere in my brand new code.

@anderspitman
Author

anderspitman commented May 31, 2024

Ohhh I see, this behavior indicates it only wants the profile and not an access token: https://indieauth.spec.indieweb.org/#profile-url-response. I actually quite like the simplicity of that.

@aaronpk
Owner

aaronpk commented May 31, 2024

Yeah, the only downside is it means it's not compatible with OAuth 2.0 then. The theory was that you could deploy a site with only an authorization endpoint and no token endpoint.
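The client side of what the thread describes, as an added example that is not code from IndieLogin.com, obligator or the IndieAuth spec: discover the endpoints from the profile page (the HTML posted above is reused as constructed sample input), then redeem the code at the token endpoint when an access token is needed, or at the authorization endpoint for a profile-only login (the "profile URL response"). The indieauth-metadata document is passed in as an already-fetched dict rather than retrieved, so the example runs offline; all function names are this example's own.

```python
"""Added example (not IndieLogin.com's or obligator's code): IndieAuth endpoint
discovery and choice of code-redemption endpoint."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample input: the profile HTML posted earlier in this issue.
SAMPLE_PROFILE_URL = "https://anderspitman.com/"
SAMPLE_PROFILE_HTML = """<!DOCTYPE html>
<html>
  <head>
    <link rel="indieauth-metadata" href="https://anderspitman.com/.well-known/indieauth-metadata">
    <link rel="authorization_endpoint" href="https://anderspitman.com/indieauth/auth" />
    <link rel="token_endpoint" href="https://anderspitman.com/indieauth/token" />
  </head>
  <body><h1>Hi there</h1></body>
</html>"""


class _RelLinkParser(HTMLParser):
    """Collects <link rel=...> targets from <head>, keyed by each rel value."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.rels = {}
        self._in_body = False

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_body = True          # only links in <head> count here
        if tag != "link" or self._in_body:
            return
        attrs = dict(attrs)
        href = attrs.get("href")
        if not href:
            return
        for rel in (attrs.get("rel") or "").split():   # rel may hold several values
            self.rels.setdefault(rel, urljoin(self.base_url, href))  # first wins


def discover_endpoints(profile_html, profile_url, metadata=None):
    """Return {"authorization_endpoint", "token_endpoint"} for a profile.

    `metadata` is the JSON of the indieauth-metadata document, if the caller
    fetched it; when present it takes precedence over the <link> tags."""
    parser = _RelLinkParser(profile_url)
    parser.feed(profile_html)
    endpoints = {k: parser.rels.get(k) for k in ("authorization_endpoint", "token_endpoint")}
    for key in endpoints:
        if metadata and metadata.get(key):
            endpoints[key] = metadata[key]
    if not endpoints["authorization_endpoint"]:
        raise ValueError("no authorization_endpoint found for %s" % profile_url)
    return endpoints


def choose_redemption_endpoint(endpoints, need_access_token):
    """Current spec: token endpoint when an access token is needed, otherwise
    the authorization endpoint (profile URL response). The older behaviour this
    issue reports is redeeming at the authorization endpoint regardless."""
    if need_access_token:
        if not endpoints.get("token_endpoint"):
            raise ValueError("access token requested but no token_endpoint advertised")
        return endpoints["token_endpoint"]
    return endpoints["authorization_endpoint"]


def build_redemption_request(endpoints, code, client_id, redirect_uri, code_verifier, need_access_token):
    """(url, form body) for the POST that redeems the code; the parameters are the
    same at either endpoint, only the response differs."""
    url = choose_redemption_endpoint(endpoints, need_access_token)
    body = {"grant_type": "authorization_code", "code": code, "client_id": client_id,
            "redirect_uri": redirect_uri,
            "code_verifier": code_verifier}   # PKCE verifier for the earlier code_challenge
    return url, body


def check_redemption_response(response, need_access_token, entered_profile_url):
    """Validate the JSON returned and give back the verified `me`.

    Profile-only login: {"me": ...}. Token request: access_token and token_type
    must be present too. This example rejects a `me` on another host outright;
    a full client would re-run discovery on the new `me` and accept it only if
    it advertises the same authorization endpoint."""
    me = response.get("me")
    if not me:
        raise ValueError("response has no 'me'")
    if need_access_token and not (response.get("access_token") and response.get("token_type")):
        raise ValueError("token endpoint response lacks access_token/token_type")
    if urlparse(me).netloc.lower() != urlparse(entered_profile_url).netloc.lower():
        raise ValueError("returned 'me' %s is on a different host; re-discover before trusting it" % me)
    return me
```

The point janboddez raises later in this thread also falls out of `choose_redemption_endpoint`: storing the discovered `token_endpoint` alongside `authorization_endpoint` is the only extra state a client needs, since the redemption POST body is identical at both.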

@janboddez

janboddez commented Nov 15, 2024

Just ran into this too. Was previously able to use my custom IndieAuth server to log in to the wiki, but not the other day.

Turns out I'd stuck my authorization endpoint behind Laravel's auth "middleware" (unaware that a remote client might ever have to access it, too). Fixed by ensuring a user is authenticated inside the controller instead, and applying CSRF prevention only when an authorization form is being submitted.

Bit confusing the same URL is being used for both "API" and "web" (or "authenticated user") requests ... Then again, I do understand that we should not design protocols around the tools we have access to (even if it'd make things quite a bit simpler, at least in this case, haha).

That said, what would it take to instead use the token endpoint? Is it a matter of simply storing also $rels['token_endpoint'] in the provider details and then using that URL later on? Or would that break a ton of other things?
