distributed: verification request should include client_id #95

Closed
kylewm opened this issue Jun 2, 2015 · 4 comments
Comments

@kylewm
Contributor

kylewm commented Jun 2, 2015

Based on http://indiewebcamp.com/IndieAuthProtocol#6._Token_verification, I think the POST back to the distributed auth endpoint should include client_id in addition to the other three parameters:

      data = RestClient.post session[:attempted_profile], {
        :state => params[:state],
        :code => params[:code],
        :redirect_uri => "#{SiteConfig.root}/auth/indieauth/redirect"
      }

https://github.com/aaronpk/IndieAuth.com/blob/master/controllers/auth-web.rb#L481

@aaronpk
Owner

aaronpk commented Jun 2, 2015

I think you're right! I suppose this should be the client ID of the app that is using indieauth.com, so when signing in to the wiki you'd see https://indiewebcamp.com/ as the client ID.

@cweiske
Contributor

cweiske commented Jun 16, 2015

It has to be https://indieauth.com/ because auth servers will use the {{client_id}} to verify the {{request_uri}}.

If you'd send the web app URL as client ID, the web app would have to add the indieauth.com callback URI to its HTML headers - see https://indiewebcamp.com/IndieAuthProtocol#Redirect_URI_verification

@aaronpk
Owner

aaronpk commented Jun 16, 2015

I actually think it's reasonable to make the app include the indieauth.com redirect URI, since indieauth.com is acting as part of the app in that case. In the example of you signing in to the indiewebcamp.com wiki, you shouldn't even really care that it's indieauth.com doing the authentication. As far as you're concerned, you're signing in to the wiki and the authentication page just looks like a different style than the wiki does.
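As an added example (not IndieAuth.com's own code), this sketches the authorization-endpoint side of the code verification POST the thread is about: it rejects a request without client_id the way the log in this issue shows, checks that code, client_id and redirect_uri match what was bound at authorization time, and applies the redirect URI verification cweiske points to (same origin as client_id, or advertised by the client). The code store, the advertised redirect list and all URLs are constructed for the example.

```ruby
require 'uri'

# Constructed sample: codes the auth server issued at authorization time,
# each bound to the client_id, redirect_uri and profile it was granted for.
ISSUED_CODES = {
  'abc123' => { me: 'https://user.example/', client_id: 'https://indieauth.com/',
                redirect_uri: 'https://indieauth.com/success', expires: Time.now + 600 }
}

# Constructed sample: redirect URIs a client advertises via rel="redirect_uri".
# Stands in for fetching and parsing the client_id page (hypothetical data).
REGISTERED_REDIRECTS = {
  'https://indiewebcamp.com/' => ['https://indieauth.com/success']
}

# Redirect URI verification: allow a redirect_uri on the same scheme/host/port
# as client_id; anything else only if the client advertises it.
def redirect_uri_allowed?(client_id, redirect_uri)
  c = URI(client_id)
  r = URI(redirect_uri)
  return true if c.scheme == r.scheme && c.host == r.host && c.port == r.port
  (REGISTERED_REDIRECTS[client_id] || []).include?(redirect_uri)
rescue URI::InvalidURIError
  false
end

# Handles the POST back from the client. Returns [status, body] like a Rack app.
def verify_code(params, now = Time.now)
  %w[code client_id redirect_uri].each do |k|
    return [400, %(Bad Request: "#{k}" parameter missing)] if params[k].to_s.empty?
  end
  rec = ISSUED_CODES[params['code']]
  return [400, 'invalid or expired code'] if rec.nil? || now > rec[:expires]
  return [400, 'client_id does not match code'] unless rec[:client_id] == params['client_id']
  return [400, 'redirect_uri does not match code'] unless rec[:redirect_uri] == params['redirect_uri']
  unless redirect_uri_allowed?(params['client_id'], params['redirect_uri'])
    return [400, 'redirect_uri not registered for client_id']
  end
  ISSUED_CODES.delete(params['code']) # codes are single use
  [200, { 'me' => rec[:me] }]
end
```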

@aaronpk
Owner

aaronpk commented Jun 16, 2015

Here's the logs with tokens redacted:

Jun 16 19:16:00 45.79.83.22 --> https://github.com/cweiske rel=me
Jun 16 19:16:00 45.79.83.22 --> IndieAuth: http://indieauth.id.cweiske.de/ rel=authorization_endpoint
Jun 16 19:16:00 45.79.83.22 --> GPG Key: cweiske-24EAF823.pubkey.asc rel=pgpkey
Jun 16 19:16:01 45.79.83.22 Checking for existing profile: http://cweiske.de/, https://github.com/cweiske
Jun 16 19:16:01 45.79.83.22 Found existing: github
Jun 16 19:16:02 45.79.83.22 Checking for existing profile: http://cweiske.de/, http://indieauth.id.cweiske.de/
Jun 16 19:16:02 45.79.83.22 Found existing: indieauth
Jun 16 19:16:02 45.79.83.22 ===========
Jun 16 19:16:02 45.79.83.22 Page: http://indieauth.id.cweiske.de/
Jun 16 19:16:02 45.79.83.22 IndieAuth: authorization_endpoint
Jun 16 19:16:03 45.79.83.22 --> http://cweiske.de/ rel=nofollow me
Jun 16 19:16:03 45.79.83.22 ===========
Jun 16 19:16:03 45.79.83.22 Page: https://github.com/cweiske
Jun 16 19:16:03 45.79.83.22 Links to: ["http://cweiske.de/"]
Jun 16 19:16:03 45.79.83.22 Looking for: http://cweiske.de/ Redirects: []
Jun 16 19:16:03 45.79.83.22 Found it!
Jun 16 19:16:05 45.79.83.22 --> https://github.com/cweiske rel=me
Jun 16 19:16:05 45.79.83.22 --> IndieAuth: http://indieauth.id.cweiske.de/ rel=authorization_endpoint
Jun 16 19:16:05 45.79.83.22 --> GPG Key: cweiske-24EAF823.pubkey.asc rel=pgpkey
Jun 16 19:16:05 45.79.83.22 Checking for existing profile: http://cweiske.de/, http://indieauth.id.cweiske.de/
Jun 16 19:16:05 45.79.83.22 Found existing: indieauth
Jun 16 19:16:05 45.79.83.22 ===========
Jun 16 19:16:05 45.79.83.22 Page: http://indieauth.id.cweiske.de/
Jun 16 19:16:05 45.79.83.22 IndieAuth: authorization_endpoint
Jun 16 19:16:05 45.79.83.22 Attempting authentication for http://cweiske.de/ via indieauth (Expecting http://cweiske.de/)
Jun 16 19:16:06 45.79.83.22 {"code"=>"8u---------------RJo=", "me"=>"http://cweiske.de/", "state"=>""}
Jun 16 19:16:06 45.79.83.22 {"session_id"=>"-------------------", "response_type"=>"code", "attempted_uri"=>"http://cweiske.de/", "attempted_profile"=>"http://indieauth.id.cweiske.de/", "attempted_provider"=>"indieauth", "attempted_username"=>"http://cweiske.de/", "redirect_uri"=>"https://indieauth.com/success"}
Jun 16 19:16:06 45.79.83.22 400 Bad Request: "client_id" parameter missing
Jun 16 19:16:06 45.79.83.22 /usr/local/lib/ruby/gems/2.2.0/gems/rest-client-1.7.3/lib/restclient/abstract_response.rb:48:in `return!'
Jun 16 19:16:06 45.79.83.22 /usr/local/lib/ruby/gems/2.2.0/gems/rest-client-1.7.3/lib/restclient/request.rb:495:in `process_result'
Jun 16 19:16:06 45.79.83.22 /usr/local/lib/ruby/gems/2.2.0/gems/rest-client-1.7.3/lib/restclient/request.rb:421:in `block in transmit'
Jun 16 19:16:06 45.79.83.22 /usr/local/lib/ruby/2.2.0/net/http.rb:853:in `start'
Jun 16 19:16:06 45.79.83.22 /usr/local/lib/ruby/gems/2.2.0/gems/rest-client-1.7.3/lib/restclient/request.rb:413:in `transmit'
Jun 16 19:16:06 45.79.83.22 /usr/local/lib/ruby/2.2.0/net/http.rb:853:in `start'
Jun 16 19:16:06 45.79.83.22 /usr/local/lib/ruby/gems/2.2.0/gems/rest-client-1.7.3/lib/restclient/request.rb:413:in `transmit'
Jun 16 19:16:06 45.79.83.22 /usr/local/lib/ruby/gems/2.2.0/gems/rest-client-1.7.3/lib/restclient/request.rb:176:in `execute'
Jun 16 19:16:06 45.79.83.22 /usr/local/lib/ruby/gems/2.2.0/gems/rest-client-1.7.3/lib/restclient/request.rb:41:in `execute'
Jun 16 19:16:06 45.79.83.22 /usr/local/lib/ruby/gems/2.2.0/gems/rest-client-1.7.3/lib/restclient.rb:69:in `post'
Jun 16 19:16:06 45.79.83.22 /web/sites/indieauth.com/controllers/auth-web.rb:481:in `block in <class:Controller>'

aaronpk added a commit that referenced this issue Jun 16, 2015
Fix #95 and #92 by passing client_id to the auth server