loading...

Using Your Site As Your Login

anaulin profile image Ana Ulin 😻 Originally published at anaulin.org on ・2 min read

The most broadly useful technology I've encountered in the Indieweb world is the ability to use your personal site as your login on other sites.

An accessible way to do this is RelMeAuth. The idea is beautifully simple. A service that wants to authenticate you can look at your website, read any rel="me" links you've added to it, and use those to verify your identity.

For example, if you have a link to your email address, someone trying to authenticate you can send a one-time password to that email. You can then use that password on the sender's site to verify that you are in fact the person who owns that email. Similarly, if you have a link to your GitHub account, one can use GitHub's OAuth to verify that you are who you claim to be.

If you have a website, and want to be able to use it to log into other sites using RelMeAuth, you need to do two things:

  • Add a link on your site to whatever profiles you want to use for identifying yourself, with a rel="me" attribute on that link. For example, to use my GitHub account I'd do:
<a href="https://https://github.com/anaulin" rel="me">anaulin</a>
  • Make sure that those profiles link back to your site, also with a rel="me" attribute. (For the case of an email, you can't "link back", so in that case a one-time challenge method is used to verify ownership.)

A related, more complex idea is the IndieAuth protocol. IndieAuth extends the OAuth protocol by providing a way to discover authorization endpoints programmatically. In this way, a site doesn't have to implement a zillion "log in with X" flows, but instead can have one universal "log in with your own endpoint" flow.

Supporting IndieAuth requires you to run your own authentication endpoint, and so requires a bigger investment than RelMeAuth (the Indieweb Wordpress plugin seems to make this easy for Wordpress users). There are two services, IndieAuth.com and IndieLogin.com, which can help you get started supporting IndieAuth. IndieAuth.com gives you an IndieAuth authentication endpoint that you can advertise on your site, and IndieLogin.com lets you add sign-in to your site that supports IndieAuth. (IndieAuth.com implements its authentication by in turn relying on RelMeAuth, further muddying the waters of this IndieWhatever and SomethingAuth word soup.)

I enjoy how simple RelMeAuth is to implement on my site, and I appreciate that it saves me from having to create yet another username and password for indieweb services. Since it supports email, I can be free from having to rely exclusively on third parties to verify my identity. I like it.

Updated July 25 2020: Clarified distinction between RelMeAuth and IndieAuth.

Discussion

pic
Editor guide