IndieLogin.com

If you are building a website and need to sign people in, you can use IndieLogin.com to handle all the complicated parts.

Users will identify themselves with their website, and can authenticate using one of the download the source and run your own server.

  • me: (optional) The "me" parameter is the URL that the user enters. If you leave this out, then this website will prompt the user to enter their URL.
  • client_id: Set the client_id in a hidden field to let this site know the home page of the application the user is signing in to.
  • redirect_uri: Set the redirect_uri in a hidden field to let this site know where to redirect back to after authentication is complete. It must be on the same domain as the client_id.
  • state: You should generate a random value that you will check after the user is redirected back, in order to prevent certain attacks.
  • prompt=login: (optional) If this parameter is present in the request, this website will not remember the user's previous session and will require that they authenticate from scratch again.
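
The state and redirect_uri handling described in the list above, as an added example that is not part of IndieLogin.com's own code. The helper names, the dict-like `session`, the `login_state` key and the `app.example` URLs are assumptions, and "same domain" is interpreted here as an exact hostname match.

```python
import hmac
import secrets
from urllib.parse import urlsplit


def _host(url):
    """Lower-cased hostname of an absolute http(s) URL, else ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    return parts.hostname.lower()


def begin_login(session, client_id, redirect_uri, me=None, force_login=False):
    """Build the sign-in form fields and remember a fresh state value."""
    # Assumption: "same domain" is enforced as an exact hostname match.
    if _host(redirect_uri) != _host(client_id):
        raise ValueError("redirect_uri must be on the same domain as client_id")
    state = secrets.token_urlsafe(32)   # unpredictable, from the OS CSPRNG
    session["login_state"] = state      # bound to this browser session only
    fields = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    if me:
        fields["me"] = me               # optional: the URL the user entered
    if force_login:
        fields["prompt"] = "login"      # optional: ignore any previous session
    return fields


def check_returned_state(session, returned_state):
    """True only if the returned state matches the stored one (single use)."""
    # pop() removes the stored value even on failure, so it cannot be replayed.
    expected = session.pop("login_state", None)
    if not expected or not returned_state:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), returned_state.encode())


if __name__ == "__main__":
    session = {}  # constructed stand-in for a server-side session store
    fields = begin_login(session, "https://app.example/",
                         "https://app.example/callback")
    print(fields)
    print(check_returned_state(session, fields["state"]))
```

Reject the sign-in whenever `check_returned_state` returns False, and start a new login rather than retrying with the old value.
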
2. The user logs in with their domain

    After the user enters their domain in the sign-in form and submits, IndieLogin.com will scan their website looking for rel="me" links from providers it knows about (see

    An example error response:

    HTTP/1.1 400 Bad Request
    Content-Type: application/json
    
    {
      "error": "invalid_request",
      "error_description": "The code provided was not valid"
    }

    You're Done!

    At this point you know the website belonging to the authenticated user.

    You can store the website in a secure session and log the user in as their website identity. You don't need to worry about whether they authenticated with Twitter, GitHub, or an email address: their identity is their website! You won't have to worry about merging duplicate accounts or handling error cases when Twitter is offline.

    If you have any trouble using this service, please open an issue on GitHub.