distributed: verification request should include client_id #95
Comments
I think you're right! I suppose this should be the client ID of the app that is using indieauth.com, so when signing in to the wiki you'd see
It has to be https://indieauth.com/ because auth servers will use the {{client_id}} to verify the {{request_uri}}. If you'd send the web app URL as client ID, the web app would have to add the indieauth.com callback URI to its HTML headers - see https://indiewebcamp.com/IndieAuthProtocol#Redirect_URI_verification
I actually think it's reasonable to make the app include the indieauth.com redirect URI, since indieauth.com is acting as part of the app in that case. In the example of you signing in to the indiewebcamp.com wiki, you shouldn't even really care that it's indieauth.com doing the authentication. As far as you're concerned, you're signing in to the wiki and the authentication page just looks like a different style than the wiki does.
Here's the logs with tokens redacted:
Based on http://indiewebcamp.com/IndieAuthProtocol#6._Token_verification, I think the POST back to the distributed auth endpoint should include client_id in addition to the other three parameters:
https://github.com/aaronpk/IndieAuth.com/blob/master/controllers/auth-web.rb#L481
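
An added sketch, not code from IndieAuth.com or from this issue, of what sending client_id in the verification POST allows: the authorization endpoint can refuse a code unless it is redeemed with the same client_id and redirect_uri it was issued for. The `CodeStore` class, the in-memory storage, the `verification_body` helper and the parameter names other than client_id are assumptions made for illustration.

```ruby
require 'uri'
require 'securerandom'

# Hypothetical in-memory stand-in for an authorization endpoint's code store.
class CodeStore
  Grant = Struct.new(:me, :client_id, :redirect_uri, :expires_at)

  def initialize
    @grants = {}
  end

  # Record which client and redirect URI the code was issued for.
  def issue(me:, client_id:, redirect_uri:, ttl: 60, now: Time.now)
    code = SecureRandom.hex(16)
    @grants[code] = Grant.new(me, client_id, redirect_uri, now + ttl)
    code
  end

  # Returns the user's URL on success, nil otherwise.
  # The code is deleted on the first attempt, so it cannot be replayed.
  def verify(params, now: Time.now)
    grant = @grants.delete(params['code'])
    return nil if grant.nil? || now > grant.expires_at
    # A missing client_id compares as nil and is rejected here.
    return nil unless params['client_id'] == grant.client_id
    return nil unless params['redirect_uri'] == grant.redirect_uri
    grant.me
  end
end

# Form body of the verification POST with client_id included
# (the other parameter names are assumed, not taken from the issue).
def verification_body(code:, client_id:, redirect_uri:, state:)
  URI.encode_www_form(code: code, client_id: client_id,
                      redirect_uri: redirect_uri, state: state)
end
```
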