IndieAuth Sign-In Workflow

18.1

The basic flow for a user signing in to an application is as follows.

  • The user enters their personal URL in the sign-in form of the application.
  • Discovery: The application fetches the URL and finds the user’s authorization endpoint.
  • Authorization Request: The application directs the user’s browser to the discovered authorization endpoint with a standard OAuth 2.0 authorization request, passing along the URL the user entered in the first step.
  • Authentication/Approval: The user authenticates at their authorization endpoint and approves the login request. The authorization server generates an authorization code and redirects back to the application’s redirect URL.
  • Verification: The application checks the code at the authorization endpoint, similar to exchanging the code for an access token, except no access token is returned since this is just a check for authentication. The authorization endpoint responds with the full URL of the user who authenticated.
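The client-side half of that flow, as an added example that is not code from the original page or from indieauth.net: discovery parses the fetched profile page for `rel="authorization_endpoint"` (assumption: the HTML-only form of discovery, ignoring the HTTP `Link` header), the authorization request uses `response_type=code` with a per-login `state`, and the final check enforces the rule that a returned profile URL which differs from the one entered is accepted only if re-running discovery on it yields the same endpoint that issued the code. The `rediscover` callable and all URLs are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin, urlparse
import secrets

class _RelLinkParser(HTMLParser):
    """Collects href values of <link>/<a> elements with rel="authorization_endpoint"."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rels = (a.get("rel") or "").split()
        if tag in ("link", "a") and "authorization_endpoint" in rels and a.get("href"):
            self.hrefs.append(a["href"])

def discover_authorization_endpoint(profile_html, profile_url):
    """Discovery: find the user's authorization endpoint in the fetched profile page
    (assumption: only the HTML is inspected, not the HTTP Link header)."""
    p = _RelLinkParser()
    p.feed(profile_html)
    if not p.hrefs:
        raise ValueError("no authorization_endpoint advertised on profile page")
    return urljoin(profile_url, p.hrefs[0])  # relative hrefs resolve against the profile URL

def build_authorization_request(endpoint, me, client_id, redirect_uri, state):
    """Authorization Request: the URL the browser is sent to. `state` is a random
    per-login value the application stores and later compares on the callback."""
    query = urlencode({"response_type": "code", "me": me, "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    sep = "&" if urlparse(endpoint).query else "?"
    return f"{endpoint}{sep}{query}"

def check_callback(params, expected_state):
    """Callback: refuse the code unless the state matches the one stored for this login."""
    if not secrets.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("state mismatch (possible CSRF or stale login attempt)")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"]

def verify_returned_profile(entered_me, returned_me, used_endpoint, rediscover):
    """Verification: accept the `me` URL the endpoint returns only if it is the URL the
    user typed, or if discovery on it yields the same endpoint that authenticated it.
    `rediscover` maps a profile URL to its authorization endpoint (injected for offline use)."""
    if returned_me == entered_me:
        return returned_me
    if rediscover(returned_me) != used_endpoint:
        raise ValueError("returned profile URL is not served by the endpoint that issued the code")
    return returned_me
```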

You can read more about IndieAuth at indieauth.net.