add support for signing in via IndieAuth #34

Open
dmitshur opened this issue Nov 29, 2019 · 0 comments
@dmitshur dmitshur commented Nov 29, 2019

Currently, it is possible to sign in to home only via GitHub. While this has worked well and provides a simple user experience, it has some downsides:

  • requires having a GitHub account
  • doesn't work when github.com is down or unavailable

I want to make it so there isn't a single point of failure and so people can sign in without having a GitHub account, but I don't want to compromise on the user experience.

The following options are not good:

  • usernames and passwords - no one wants to create and remember those (especially for a small site they visit rarely)
  • additional sign in providers - it becomes hard to remember which of multiple sign in providers you used last time, leading to a bad user experience

Instead, I plan to resolve this by switching to a URL-based sign in flow, and adding support for signing in via the IndieAuth protocol. IndieAuth is a decentralized identity protocol built on top of OAuth 2.0. Its latest specification is available at https://indieauth.spec.indieweb.org.

To sign in, a user will enter a URL they control. If they want to continue to sign in via GitHub, they can enter a URL like https://github.com/dmitshur:

When entering a github.com user profile URL, GitHub will be used to authenticate as before.

Users will also be able to sign in with any other URL they control that supports IndieAuth, such as https://example.com. This URL can be short and memorable, like one's personal website.
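
An added example, not part of the original issue and not the project's own code: one way a server could validate the entered URL before fetching it for endpoint discovery, then choose between GitHub and IndieAuth. The function name `classifySignInURL` and its return values are hypothetical; the checks follow the profile URL rules in the IndieAuth specification (http or https scheme, no userinfo, port, fragment or dot segments, and a domain name rather than an IP address), and the input is assumed to already include a scheme.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// classifySignInURL (hypothetical name) validates a user-entered sign-in URL and
// picks "github" for https://github.com/<login>, "indieauth" for anything else.
func classifySignInURL(raw string) (provider, canonical string, err error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return "", "", err
	}
	host := strings.ToLower(u.Hostname())
	switch {
	case u.Scheme != "https" && u.Scheme != "http":
		return "", "", fmt.Errorf("scheme must be https or http")
	case u.User != nil, u.Port() != "", u.Fragment != "":
		return "", "", fmt.Errorf("userinfo, port and fragment are not allowed")
	case host == "" || net.ParseIP(host) != nil:
		return "", "", fmt.Errorf("host must be a domain name, not an IP address")
	}
	if u.Path == "" {
		u.Path = "/" // a profile URL always has a path; "/" is the default
	}
	for _, seg := range strings.Split(u.Path, "/") {
		if seg == "." || seg == ".." {
			return "", "", fmt.Errorf("dot path segments are not allowed")
		}
	}
	u.Host = host
	// Exact host match plus a single path segment means a GitHub profile URL.
	login := strings.Trim(u.Path, "/")
	if host == "github.com" && u.Scheme == "https" && u.RawQuery == "" &&
		login != "" && !strings.Contains(login, "/") {
		return "github", "https://github.com/" + login, nil
	}
	return "indieauth", u.String(), nil
}

func main() {
	// Constructed sample inputs.
	for _, in := range []string{"https://github.com/dmitshur", "https://example.com", "https://127.0.0.1/"} {
		p, c, err := classifySignInURL(in)
		fmt.Println(in, "->", p, c, err)
	}
}
```

Rejecting IP-address hosts and explicit ports before any discovery request narrows what a user-supplied URL can make the server connect to, and matching `github.com` exactly keeps lookalike hosts such as `github.com.evil.example` on the IndieAuth path.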

dmitshur added a commit that referenced this issue Nov 29, 2019
This change is a first step towards implementing support for signing
in via IndieAuth on the site. It implements a new sign in flow that
is based on URLs.

For now, only URLs like "https://github.com/dmitshur" are supported.
As a result, there is no functional change; people can still sign in
via their GitHub accounts as before. They just need to enter their
GitHub profile URL as a first step.

Move authentication code into new auth.go file, and remove the legacy
ad-hoc sessionsHandler. That handler was created a long time ago, and
is now very different from all other handlers. It is quite inflexible.
It has now been replaced by more standard handlers.

Start keeping track of state in-memory, rather than via cookies.
This should be simpler overall. I didn't do this earlier because
I hadn't thought of this idea back when implementing the original
GitHub-based sign in flow.

Updates #34.