Identity Systems: IndieAuth vs Twitter

created May 20, 2019

IndieAuth is one of the services promoted by the IndieWeb.

If websites or web apps support IndieAuth, then users can log into the sites by entering the URLs to their personal websites.

Based upon the info contained within the HTML of my homepage, IndieAuth emails me a code that I enter into the IndieAuth login process to complete the login. My homepage contains the following HTML:

<a rel="me" href="mailto:jr@sawv.org">jr@sawv.org</a>

IndieAuth supports Twitter and GitHub too, meaning that I would need to be logged into one of those services at the same time that I'm trying to log into another website via IndieAuth. I prefer email, since I'm logged into my email on my phone and on my laptop/desktop computer.

I use GitHub, but I don't want to associate an identity system with GitHub. I'm not logged into GitHub through the web on my devices all of the time, like I am with email.

I have a test Twitter account, used to test IndieWeb concepts. I don't need Twitter. I definitely don't want my online identity to be associated with Twitter.

My online identity is my domain name: sawv.org.

In my opinion, using IndieAuth to log into a website is a simple process, but my tech-oriented view could be skewed. The advantage of IndieAuth is that I don't need to remember yet another username and password to access a new website.

Another advantage of IndieAuth is that I could download the IndieAuth code and host my own IndieAuth server, or I could build my own IndieAuth server. That's an open identity system.

For some reason, blogging, podcasting, and RSS pioneer Dave Winer prefers Twitter as the identity system for logging into his websites and web apps. He prefers his Twitter handle @davewiner, instead of scripting.com, which he has used for over 20 years. When I consider Winer's online identity, I think of scripting.com. I visit his website, like I have since around 2000. I don't read his Twitter posts.

DW's May 14, 2019 post:

Twitter is a great open identity server. I use it in all my apps. If they added simple storage, we'd be looking at a new world of networked apps. This was Jack Dorsey's original idea for Twitter as a platform, btw.

What if users do not have Twitter accounts, but they maintain their own personal websites? Being forced to create accounts with any of the silos to use other websites is anti-open web.

I'm guessing that the reason DW and others prefer to use a silo as an identity system is because more people use Twitter than maintain personal websites. Is that true? And even if it were true, promoting Twitter as an identity system does nothing to support the open web. It promotes silos and centralization.

IndieAuth could encourage users to buy their own domain names, and to create personal websites that they can use to log into IndieAuth-supported web services. Even if the users don't post content on their personal websites, they would have their own web presences for IndieAuth. Maybe later, they start posting content to their websites. It does not mean that the users stop using silos. It means that the open web gains a bit more activity.

Anything silo-related is centralization and anti-open web, regardless of DW's usage of the word "open", regarding Twitter.

From DW's May 15, 2019 post:

Yesterday Howard Weaver, a long-time friend, journalist, asked "What is an open identity server?" I was able to answer the question in a tweet. Briefly it's the part of Twitter that knows you're @howardweaver and I'm @davewiner. I need that in my software too. Rather than build my own, and make users establish a new "identity" for my apps, e.g. -- Little Outliner, I just use Twitter's. That's the open part.

DW would not need to build his own identity server. He could host his own IndieAuth server, or he could rely on a third-party IndieAuth server, like I do.

DW's users would not need to establish new identities (usernames and passwords) if the users maintained their own personal websites. They could log into Little Outliner by simply entering the URLs to their websites. That's the open web.

I can log into other websites that support IndieAuth, and I can log into my own website by using IndieAuth. I ensure that only I can log into my own website and not everyone.

For logging into sawv.org via IndieAuth, I rely on an IndieAuth server, maintained by an IndieWeb user. The HTML for my homepage contains the following:

<link rel="authorization_endpoint" href="https://indieauth.com/auth">

<link rel="token_endpoint"         href="https://tokens.indieauth.com/token" />
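A sketch of how a client could read these declarations, together with the rel="me" line shown earlier, out of a homepage. This is an added example, not code from IndieAuth or from this site; the names RelLinks, login_method and discover, the host-to-method mapping, and the HTTPS-only policy for endpoints are assumptions of the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class RelLinks(HTMLParser):
    """Collect href values of <a> and <link> elements under each rel token."""
    def __init__(self):
        super().__init__()
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        href = (attr.get("href") or "").strip()
        for token in (attr.get("rel") or "").lower().split():
            if href:
                self.rels.setdefault(token, []).append(href)

def login_method(href):
    """Map a rel="me" target to a login method (mapping assumed for this example)."""
    parts = urlsplit(href)
    if parts.scheme == "mailto":
        return "email"
    host = (parts.hostname or "").lower()
    return {"twitter.com": "twitter", "github.com": "github"}.get(host)

def discover(profile_url, html):
    """Return the login methods and endpoints a homepage declares."""
    parser = RelLinks()
    parser.feed(html)

    def endpoint(rel):
        hrefs = parser.rels.get(rel)
        if not hrefs:
            return None
        url = urljoin(profile_url, hrefs[0])       # first declaration wins
        # Example policy: never send a login to a cleartext endpoint.
        return url if urlsplit(url).scheme == "https" else None

    methods = [m for m in map(login_method, parser.rels.get("me", [])) if m]
    return {"methods": methods,
            "authorization_endpoint": endpoint("authorization_endpoint"),
            "token_endpoint": endpoint("token_endpoint")}

# Constructed homepage fragment assembled from the lines quoted on this page.
SAMPLE = """<a rel="me" href="mailto:jr@sawv.org">jr@sawv.org</a>
<link rel="authorization_endpoint" href="https://indieauth.com/auth">
<link rel="token_endpoint"         href="https://tokens.indieauth.com/token" />"""
```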

These are my June 2017 notes about supporting IndieAuth to log into my site.

To support logging into my website via IndieAuth, I used the following HTML for the login form:

<form action="https://indieauth.com/auth" method="get">
<strong>IndieAuth login</strong><br />
  <input id="indie_auth_url" type="text" name="me" />
  <br />
  <input class="submitbutton" type="submit" value="Login" />
  <input type="hidden" name="client_id" value="http://sawv.org" />
  <input type="hidden" name="redirect_uri" value="http://sawv.org/api/v1/users/auth/" />
</form>
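What the redirect_uri handler has to do so that only the site owner gets in, as an added example that is not this site's CMS code. It assumes the authorization endpoint answers a POST of code, client_id and redirect_uri with the verified "me" URL; handle_callback, canonical, OWNER and the injected post callable are names made up for the example.

```python
from urllib.parse import urlsplit

# Values taken from the login form on this page.
AUTH_ENDPOINT = "https://indieauth.com/auth"
CLIENT_ID = "http://sawv.org"
REDIRECT_URI = "http://sawv.org/api/v1/users/auth/"
OWNER = "http://sawv.org/"   # the only profile URL allowed to log in

def canonical(url):
    """Return (scheme, host, path) for comparison, or None for anything odd."""
    try:
        p = urlsplit(url.strip())
        if p.scheme not in ("http", "https") or not p.hostname:
            return None
        # Reject userinfo, ports, queries and fragments: none belong in a
        # profile URL, and userinfo is a classic look-alike trick.
        if p.username or p.password or p.port or p.query or p.fragment:
            return None
    except ValueError:
        return None
    return p.scheme, p.hostname.lower().rstrip("."), p.path or "/"

def handle_callback(query, post):
    """query: dict of parameters received at redirect_uri.
    post: callable(url, form_dict) -> dict decoded from the endpoint's reply.
    Returns the verified profile URL, or None when the login must be refused."""
    code = query.get("code")
    if not code:
        return None
    reply = post(AUTH_ENDPOINT, {"code": code,
                                 "client_id": CLIENT_ID,
                                 "redirect_uri": REDIRECT_URI})
    # Trust only the endpoint's answer, never a "me" value in the query string.
    me = (reply or {}).get("me")
    if not isinstance(me, str):
        return None
    verified = canonical(me)
    if verified is None or verified != canonical(OWNER):
        return None          # someone else proved ownership of their own site
    return me
```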

I offer two password-less login systems for my website. First, I can log in by entering my email address, and my CMS code emails me a login activation link. Second, I can log into my website by entering my domain name. IndieAuth emails me a code that I use to complete the login. I prefer to rely on email for both login methods.

Programmers who want to add an identity system should support IndieAuth instead of, or at least in addition to, Twitter's identity system API.

Non-tech users don't have to worry about creating and supporting IndieAuth for logging into their personal websites. They can continue to log into their CMS apps as before.

Non-tech users only need to add the rel="me" line to their homepage's HTML in order to log into other websites that support IndieAuth. Then, to complete the login process, they need to be logged into another service, such as email, Twitter, GitHub, or whatever else IndieAuth supports.

More info ...

From https://indieweb.org/indieauth:

IndieAuth is a federated login protocol for Web sign-in, enabling users to use their own domain to sign in to other sites and services. IndieAuth can be used to implement OAuth2 login AKA OAuth-based login.

IndieAuth is built on ideas and technology from existing proven technologies like OAuth and OpenID but makes it easier for users as well as developers. It decentralizes much of the process so completely separate implementations and services can be used for each part.

By choosing your IndieAuth provider, you can tell applications where to send you to sign in. This gives you more control over the privacy and security of your logins.

IndieAuth is part of taking back control of your online identity. Instead of logging in to websites as “you on Twitter” or “you on Facebook”, you should be able to log in as just “you”. We should not be relying on silos to provide our authenticated identities, we should be able to use our own personal domains to log in to sites everywhere.

From https://indieauth.net:

IndieAuth is a decentralized identity protocol built on top of OAuth 2.0.

This allows individual websites like someone's WordPress, Mastodon, or Gitea server to become its own identity provider, and can be used to sign in to other instances. Both users and applications are identified by URLs, avoiding the need for getting API keys or making new accounts.

Aaron Parecki's Jul 7, 2018 post titled OAuth for the Open Web

https://indielogin.com/api

-30-