Implementing IndieAuth Server Metadata

Something that can make interacting with services quite straightforward is being able to dynamically discover configuration.

For instance, Open Banking's standards are built on top of OpenID Connect, and provide the very handy OpenID Connect Discovery, allowing a client to retrieve information such as which authentication methods are supported for the token endpoint.

With the IndieAuth standard, we're building on top of OAuth2 to provide a means to decentralise identity.

Currently, we provide two endpoints in IndieAuth, the authorization_endpoint and token_endpoint, which can be discovered in either a Link HTTP Header, or a <link> element in the HTML of a page.

As we move to adding more endpoints, adding further links out to these endpoints gets more cumbersome, and so we've started to look at options. As IndieAuth is built on top of OAuth2, we can use the OAuth 2.0 Authorization Server Metadata standard for this, as opposed to OpenID Connect Discovery.

We've been discussing this on the IndieAuth spec repo and are hoping to discuss it a little bit more tomorrow at the IndieAuth Popup Session.

Ahead of the conversation, I've added support for this, producing information about all supported functionality the server provides, so clients can start to consume it.

You can see the configuration at https://indieauth.jvt.me/.well-known/oauth-authorization-server, which currently resolves to:

{
  "authorization_endpoint": "https://indieauth.jvt.me/authorize",
  "code_challenge_methods_supported": [
    "S256"
  ],
  "grant_types_supported": [
    "refresh_token",
    "authorization_code"
  ],
  "introspection_endpoint": "https://indieauth.jvt.me/token_info",
  "issuer": "https://indieauth.jvt.me",
  "response_modes_supported": [
    "query"
  ],
  "response_types_supported": [
    "code"
  ],
  "scopes_supported": [
    "read",
    "profile",
    "update",
    "mute",
    "media",
    "follow",
    "delete",
    "notify",
    "channels",
    "draft",
    "undelete",
    "create",
    "block"
  ],
  "token_endpoint": "https://indieauth.jvt.me/token"
}

I've also started to advertise a <link rel=indieauth> and a <link rel=indieauth_metadata> on my site, so clients can discover this metadata endpoint.
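A client consuming the metadata document above should validate it before trusting any endpoint in it. The following is an added example, not code from this server: it builds the well-known URL and checks the issuer as RFC 8414 describes, while the https-only endpoint check and the S256 requirement are assumed client policies, and the function names and the tampered sample are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "introspection_endpoint")

def well_known_url(issuer: str) -> str:
    """RFC 8414 section 3.1: the well-known segment goes before any issuer path."""
    parts = urlsplit(issuer)
    return f"{parts.scheme}://{parts.netloc}{WELL_KNOWN}{parts.path.rstrip('/')}"

def validate_metadata(metadata: dict, expected_issuer: str) -> list:
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    issuer = metadata.get("issuer")
    # RFC 8414 section 3.3: issuer must be identical to the one used for discovery.
    if issuer != expected_issuer:
        problems.append(f"issuer mismatch: {issuer!r} != {expected_issuer!r}")
    parts = urlsplit(str(issuer or ""))
    if parts.scheme != "https" or parts.query or parts.fragment:
        problems.append("issuer must be an https URL without query or fragment")
    for key in ("authorization_endpoint", "token_endpoint"):
        if key not in metadata:
            problems.append(f"missing {key}")
    # Assumed client policy: every advertised endpoint must use https.
    for key in ENDPOINT_KEYS:
        value = metadata.get(key)
        if isinstance(value, str) and urlsplit(value).scheme != "https":
            problems.append(f"{key} is not https: {value!r}")
    if "code" not in metadata.get("response_types_supported", []):
        problems.append("response type 'code' not advertised")
    # Assumed client policy: refuse servers that do not advertise PKCE with S256.
    if "S256" not in metadata.get("code_challenge_methods_supported", []):
        problems.append("PKCE method S256 not advertised")
    return problems

# Trimmed copy of the document shown above (scopes and response modes omitted).
PAGE_METADATA = json.loads("""{
  "issuer": "https://indieauth.jvt.me",
  "authorization_endpoint": "https://indieauth.jvt.me/authorize",
  "token_endpoint": "https://indieauth.jvt.me/token",
  "introspection_endpoint": "https://indieauth.jvt.me/token_info",
  "code_challenge_methods_supported": ["S256"],
  "grant_types_supported": ["refresh_token", "authorization_code"],
  "response_types_supported": ["code"]
}""")
# Constructed variant: what a swapped issuer and a downgraded endpoint look like.
TAMPERED = dict(PAGE_METADATA, issuer="https://other.example",
                token_endpoint="http://indieauth.jvt.me/token")
```

An empty list from `validate_metadata` means the client can proceed; anything else should stop the flow before the user is redirected.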

Written by Jamie Tanna.

Content for this article is shared under the terms of the Creative Commons Attribution Non Commercial Share Alike 4.0 International, and code is shared under the Apache License 2.0.
