AutoAuth
AutoAuth is the working title of an extension to IndieAuth that allows clients to authorize to other servers in the name of their user, without the user being present to confirm each individual authorization flow. It can be found on GitHub.
It was first drafted in a session at IWC Nürnberg. Martijn van der Ven and Sven Knebel demoed first basic implementations at IWC Berlin 2018.
Goals
Allow an application to access protected resources on a server it hasn't connected to before, without the user being present to confirm the usual interactive IndieAuth flow. The user and the user's authorization endpoint should still be in control of when this happens.
Use Cases
- readers accessing private posts and feeds
- verifying private webmentions
Flow
Draft at https://github.com/sknebel/AutoAuth/blob/master/AutoAuth.md
Earlier history at https://indieweb.org/2018/Nuremberg/autoauth#Notes_from_Dinner
Open Questions
- Discussion on GitHub: https://github.com/sknebel/AutoAuth/issues
Naming
'Auth' is ambiguous between identification and permission.
This is an extension to IndieAuth, similar to how the OAuth Device Grant is an extension to OAuth 2.0. As such it probably shouldn't have a name that makes it sound like a whole new spec.
Other suggestions:
- IndieConnect
- IndieAuth - Agent Flow
- …
IndieWebCamp Sessions
- 2018/Nuremberg/autoauth
- 2019/Online/autoauth
- 2020/West/AutoAuth
- 2019/Online/groups
- 2019/alltheauth
- 2021/Pop-ups/Very_Sensitive_Data_on_Your_Personal_Website
See Also
- a "post" that returns what user you obtained a token for: https://www.svenknebel.de/testing/autoauth/
- Reading a private post, less-technical flow.
- previous idea 'two-legged OAuth' https://sites.google.com/site/oauthgoog/2leggedoauth/2opensocialrestapi
- Diagram of the flow of AutoAuth: https://svgshare.com/i/BhB.svg
- Alternate diagram (may be different from spec) https://www.svenknebel.de/temp/autoauth_diagram.svg
- 2020/West/AutoAuth
- fluffy post Access token grants for feed readers
- IndieAuth Ticket Auth