RSVPed Attending IndieAuth 1.1 Identity Protocol Standards Session

August 8, 2020 at 09:30AM - August 8, 2020 at 11:30AM

IndieAuth is the most implemented decentralized identity protocol, built on top of OAuth 2.0.

This popup IndieWebCamp session will focus on discussions to iterate and evolve the IndieAuth protocol.

Who Should Attend?

Anyone interested in IndieAuth is welcome! Specifically if you've built any IndieAuth clients or servers, we want your input!

Suggested Reading

If you're not already familiar with the IndieAuth spec, please give it a read. We will be starting this session with the assumption that people are familiar with the basics of the IndieAuth protocol.

Since IndieAuth is built on top of OAuth 2.0, it may be helpful to have some knowledge of OAuth 2.0 and its extensions, although this is not required reading.

One of the things driving this session is the recent adoption of the OAuth 2.1 draft by the OAuth Working Group. OAuth 2.1 incorporates the best practices of OAuth 2.0 and extensions into a new draft. We would like to consider upgrading IndieAuth to follow these best practices as well. You can find a summary of the changes in OAuth 2.1 in this blog post and in this video.

Rough Agenda

We've collected topics to discuss in the IndieAuth 1.1 Milestone on GitHub.

Read IndieAuth 3.5.0 for WordPress Released by David Shanske (david.shanske.com)
Earlier in the week, I noted the release of IndieAuth 3.5.0, but I didn’t explain the major under the hood changes that occurred here in a post, which I need to do as at least one person is experiencing issues (probably necessitating a 3.5.1 as soon as I figure out why.) I also noted I forgot to de...
Read Micropub 2.2.0 for WordPress Released by David Shanske (david.shanske.com)
Micropub 2.2.0 has one major change in it. IndieAuth client code was removed. This code now lives in the IndieAuth plugin. This means that Micropub does not check for scopes. It uses the built-in WordPress capability system to determine if an action should be performed. The IndieAuth plugin limits c...
Read People Seem Confused about IndieAuth by David Shanske (david.shanske.com)
When I first started in the IndieWeb community, IndieAuth confused me. It confused me up until I built an IndieAuth endpoint for WordPress. It may confuse you as well. And that has been a problem in its adoption. The biggest confusion seems to be conflating IndieAuth and IndieAuth.com. IndieAuth.com...
Read IndieAuth.com vs IndieAuth by Nathan DeGruchy (Verily)

David Shanske is one of the authors of one of the core IndieWeb plugins for WordPress: IndieAuth. It looks like he is deprecating the use of IndieAuth.com as a provider. Makes sense with WordPress as the idea is really to use the built-in authentication method in WordPress itself, not another provider.

So, going forward, I’ve decided that I’ll be disabling the code from the IndieWeb WordPress plugin that allows you to use IndieAuth.com in favor of the built-in solution. Those who want to use an external service will still be able to do so, but this will be an ‘expert’ feature. Because enabling a plugin and it just working is what most people want.

David Shanske on the future of the WordPress IndieAuth Plugin

Honestly, I didn’t even know you could use IndieAuth.com as a provider. I assumed when I set it up that the entire idea was to use your site as a sort of IAM or SSO provider. I guess this confirms that my assumption was correct.

Keep up the great work, guys!

Replied to a tweet by Ian Brown (Twitter)
#IndieWeb interoperability FTW!
Read Using Your Site As Your Login (anaulin.org)
The most broadly useful technology I’ve encountered in the Indieweb world is the ability to use your personal site as your login on other sites. The idea is beautifully simple. A service that wants to authenticate you can look at your website, read any rel="me" links you’ve added to it, and use ...
FOUR

Some of these new W3C specs include Webmention, Micropub, WebSub, IndieAuth, and Microsub. Today I’ll talk about Webmentions which are simply site-to-site @mentions or notifications which don’t involve corporate social media silos.

For those who’d like more information about webmentions and how they could be used, I’ve written a primer for A List Apart entitled Webmentions: Enabling Better Communication on the Internet.

 

IndieWeb idea for the extension of ThreadReaderApp

I’d love it if ThreadReaderApp had the ability to authenticate into my personal website and publish a copy of my own tweetstorms into my blog using Micropub

This would be a great way to leverage their existing infrastructure and to allow people to put their own Tweetstorms onto their blog and solve the perennial “Why didn’t you just blog about this” commentary. 

Read Your Website Is Your Passport by Desmond Rivet (Desmond Rivet)
One of the themes that crops up again and again in the IndieWeb community is that your personal domain, with its attendant website, should form the nexus of your online existence. Of course, people can and do maintain separate profiles on a variety of social media platforms, but these should be subordinate to the identity represented by your personal website, which remains everyone's one-stop-shop for all things you and the central hub out of which your other identities radiate.
Part of what this means in practice is that your domain should function as a kind of universal online passport, allowing you to sign in to various services and applications simply by entering your personal URL.
A nice little primer on authorization and authentication.

Using IFTTT to syndicate (PESOS) content from social services to WordPress using Micropub

Introduction

What follows may tend toward the jargon-y end of programming, but I’ll endeavor to explain it all and go step-by-step to allow those with little or no programming experience to follow along and use the tools I’m describing in a very powerful way.  I’ll do my best to link the jargon to definitions and examples for those who haven’t run across them before. Hopefully with a bit of explanation, the ability to cut and paste some code, or even make some basic modifications, you’ll be able to do what I and others have done, but without having to puzzle it all out from scratch.

Most readers are sure to be aware of the ubiquitous “share” buttons that appear all over the web. Some of the most common are “share to Facebook” or “share to Twitter”. In my examples that follow, I’m doing roughly the same thing, but I’m using technology called webhooks and micropub to be able to share not just a URL or web address, but a variety of other very specific data in a specific way to my website.

This “share”–while a little more complicated–gives me a lot more direct control over the data I’m sending and how it will be seen on my website. I would hope that one day more social websites will have built in share buttons that allow for direct micropub integration so that instead of only sharing to corporate sites like Facebook, Twitter, et al. they’ll let people share directly to their own personal websites where they can better control their online identity and data. What I’m describing below is hopefully a temporary band-aid that allows me to keep using common social services like Pocket, YouTube, Meetup, Goodreads, Letterboxd, Diigo, Huffduffer, Reading.am, Hypothes.is, and hundreds of others but to also post the content to my site so that I own and control more of my own online data.

An example using Pocket

Following in the footsteps of Charlotte Allen and Jan-Lukas Else, I’ve been tinkering around with improving some of my syndication workflows for a number of social silos including Pocket, a social silo that focuses on bookmarking material to read later.

I have long used IFTTT (aka If This, Then That), a free and relatively simple web service that allows one to create applets that tie a large number of web-based and social services together, to send data from my Pocket account to my WordPress-based website. I’d done this using my Pocket RSS feed to create WordPress draft posts that I could then modify if necessary and publish publicly if I desired. Since I regularly use a number of Micropub clients in conjunction with the WordPress Micropub plugin and IFTTT supports webhooks, I thought I’d try that out as a separate process to provide a bit less manual pain in mapping the data for posts to appear like I want them to on my website. 

Now I can use my Pocket account data and map most of it directly to the appropriate data fields on my website. Because Pocket has direct integration into IFTTT, I can actually get more data (particularly tags) out of it than I could before from the simple RSS feed.

Below, you’ll find what I’ve done with a quick walk through and some example code snippets. I’ll break some of it down into pieces as I go, and then provide a specific exemplar of some of the code properly strung together at the end. I’ll also note that this general procedure can be used with a variety of other silos (and either their integrated data or RSS feeds) within IFTTT to post data to your website. Those running platforms other than WordPress may be able to use the basic recipe presented here with some small modifications, to send similar data from their accounts to their sites that support Micropub as well. 

Directions for connecting IFTTT to publish to WordPress via Micropub

Preliminaries

Install and activate the Micropub plugin for WordPress. This will give your website a server endpoint that IFTTT will use to authenticate and send data to your website on your behalf.

If you don’t already have it, install the IndieAuth plugin for WordPress and activate it. This will allow you to generate an authorization token (think password) with the appropriate scopes (think permissions to do specific actions on your website) to allow IFTTT to securely post to your website. 

Within the WordPress administrative interface/dashboard go to Users >> Manage Tokens or go to the path /wp-admin/users.php?page=indieauth_user_token on your website.

At the bottom of that page under the section “Add Token” add a convenient name for your new token. You’ll see in the following screencapture that I’ve used “IFTTT for Webhooks”. Next click the check boxes to add scopes for “create” and “media”. Finally click the “Add New Token” button.

Screencapture from the Add Token section of the User >> Manage Tokens page

On the resulting page, copy the entire returned access token to a safe place. You’ll need this token later in the process and once you’ve navigated away from the page, there’s no way to retrieve the token again later. The same token can be used for multiple different recipes within IFTTT, though one could create a different token for each different recipe if desired.

Sign up for an IFTTT account (if you don’t already have one). 

Register Pocket as a service you can use within IFTTT.

The IFTTT Applet

In your IFTTT.com account, create a new applet.

Screenshot of the "If This Then That" recipe start with "This" highlighted

For the “if” part of the applet, search for and choose the Pocket application.

Screenshot of a search for "Pocket"

Choose the trigger “Any new item” (other triggers could be chosen for different combinations of actions).

Click the “then” part of the applet, and search for and choose the Webhooks application.

Screenshot of the "That" portion with a search for Webhooks

Choose the “Make a web request” option (currently the only option on the page).

Next we’ll fill in the action fields.

Screencapture of the Complete Action Fields step

 

Fill in the four action fields with the following values, with the appropriate modifications as necessary:

URL: https://www.example.com/wp-json/micropub/1.0/endpoint

Be sure to change example.com to the appropriate URL for your website. If you’re using a platform that isn’t WordPress in combination with the Micropub plugin, you can quickly find your appropriate endpoint by looking at your homepage’s source for a <link> element with a rel="micropub" attribute.

Method: POST
Content Type: application/x-www-form-urlencoded

More advanced users might experiment with other content types, but this will naturally require different data and formatting in the Body section.

Body: 

The Body portion is one of the most complicated portions of the operation, because this is where you can get creative in how you fill this out and the end results you end up with on your website. You can use the available variables in the recipe to custom create almost anything you like and some services will give you a tremendous amount of flexibility. I’ll walk through a handful of the most common options and then tie them all together at the end. Ultimately the Body will be a string of various commands that indicate the data you want to send to your website and all of those commands will be strung together with an ampersand character (“&“) between each of them.

There are some small differences you may want to experiment with in terms of what you put in the Body field based on whether or not you’re using the Post Kinds plugin to create your posts and reply contexts or if you’re not. 

Depending on which pieces you choose, I recommend doing a few test runs for your applets to make sure that they work the way you expect them to. (The Micropub plugin has a setting to mark incoming posts automatically as drafts, so you’re not spamming your readers while you’re testing options if you’re testing this on a live site.) Sometimes formatting issues (particularly with setting a publish time) may cause the post to fail. In these cases, experiment to find and excise the offending code and see if you can get things working with minimal examples before adding additional data/details.

For those who would like to get into more advanced territory with the programming and methods, I recommend looking at the W3C’s Webmention specification.

The first thing you’ll want in the Body will be your access token. This is similar to a password that allows the webhook to publish from IFTTT to your website. You’ll want a line that reads as follows with the AccessTokenHere replaced with the access token from your token provider which you created earlier and saved. You’ll want to keep this secret because it acts like a password for allowing remote applications to post to your website.

access_token=AccessTokenHere

Next will come the content you want to be published to your site.

&content=<<<{{EntryTitle}}<br>{{EntryPublished}}>>>

I’ll mention that the content snippet can include almost anything you’d like using the variables provided by IFTTT as well as a reasonable variety of HTML. I’ve used it to add things like <blockquote> elements for annotations and even <audio> tags for making listen posts or bookmarking audio with Huffduffer!

The following snippet tells your site what kind of content it’s receiving. Unless you’re doing something more exotic than bookmarks, likes, favorites, replies, or most post kinds (except maybe events), you’ll want to use the h-entry snippet as follows:

&h=entry

If you’d like your post to contain a formal title, then you’ll want to include the following code snippet. Generally with shorter content like notes/status updates, bookmarks, reads, likes, etc., I follow the practice of publishing titleless posts when they’re not required, so I personally skip this piece in most of my posts, but some may wish to include it.

&name=<<<{{Title}}>>>

To have your website create or use the correct category or tag taxonomies on your posts, you’ll want to have something similar to the following snippet. If you want to specify more than one category, just string them together with ampersands. If your category/tag has a blank space in it you can replace the spaces with %20. The Micropub server on your site should automatically check to see if you have categories or tags that match what is sent, otherwise it will create a new tag(s).

&category[]=Bookmark&category[]=Social%20Stream

I’ve found that in practice, some silos that allow for multiple tags will actually publish them via micropub using something along the lines of the following if the  appropriate variables on IFTTT exist. In these cases, I append this to the other categories and tags I want to specify.

&category[]=<<<{{Tags}}>>>

If you’re using your Pocket account to send your bookmarked articles to read later, you’ll want to create a bookmark with the following line:

&bookmark-of=<<<{{EntryUrl}}>>>

Alternatively, if you were using your Pocket account to archive your articles once you’ve actually read them, you could have IFTTT post these archived items as “reads” to your site by choosing the “New Item Archived” element in the Pocket portion of the IF set up process. Here you’d replace the above bookmark-of line with the following:

&read-of=<<<{{EntryUrl}}>>>

If you were creating different sorts of posts you might also use the appropriate alternate verbiage: like-of, watch-of, listen-of, rsvp, etc. (find details for the appropriate mark up on the IndieWeb wiki or the correct microformats v2 property within the code for the Post Kinds plugin). If you are using the Post Kinds plugin, this is the piece of data that it receives to specify the correct post kind and create the reply context for your post and will likely preclude you from needing to send any data in the content portion (above) unless the service’s applet will let you send additional commentary or notes that you want to appear in the body of your post.

Next, if your site supports syndication links with a plugin like Syndication Links for WordPress, you would use the following line of code so that those are set and saved properly. (This presumes that the URL specified is the permalink of the content on the social silo. I’ll note that Pocket doesn’t provide these (easily) as most of their links are canonical ones for the original content, so I don’t use this on my IFTTT recipe for my Pocket workflow, but I do use it for others like Huffduffer and Reading.am. It conveniently allows me to find copies of my content elsewhere on the web.)

&syndication=<<<{{EntryUrl}}>>>

If you’d like to have the timestamp on your post match the time when you actually bookmarked the item in Pocket, you’ll need to add the following line of code. Without this line, the publication time will match the time of the Webhook action, which for most IFTTT things can be a delay of a minute or two up to an hour or more afterwards. In practice, I’ve noticed that most content posts to my website within about 10-15 minutes of the original, and this is based on the polling lag within IFTTT checking your triggers. (Sadly, I’ll report that I’ve never gotten this code snippet to work for me in practice, and I suspect it may be because the time format from IFTTT doesn’t match what is expected by the Micropub server on my website. Perhaps David Shanske or Ryan Barrett may have a more specific idea about what’s causing this or suggest a fix? I’ll try to dig into it shortly if I can. As a result, I generally have left this snippet of code off of my triggers and they’ve worked fine as a result. Until this issue might be fixed, if you want to have the exact timestamp, you could alternately include the data, if provided, in the content section instead and then copy it over manually after-the-fact.)

&published=<<<{{EntryPublished}}>>>

If you’ve got syndication endpoints set up properly with something like the Syndication Links plugin, you can use the following sort of code snippet. I generally eschew this and prefer to save my posts as drafts for potential modification prior to publishing publicly, but others may have different needs, so I’m including the option for relative completeness so people can experiment with it if they like.

&mp-syndicate-to[]=twitter-bridgy

This concludes the list of things that might commonly be included in the Body portion of the IFTTT applet. Tying these all together for combination in the Post Kinds Plugin one would want something along the lines of:

Body: access_token=AccessTokenHere&content=<<<{{EntryTitle}}<br> {{EntryPublished}}>>>&h=entry&category[]=Bookmark&category[]=Social%20Stream&bookmark-of=<<<{{EntryUrl}}>>>

Here’s another example of the code I use in conjunction with a similar applet for Diigo, a bookmarking service. The “Description” portion allows me to add a note or comment on the bookmark when I make it and that note is transported over to the post on my website as well.

Body: access_token=AccessTokenHere&content=<<<{{Description}}>>>&h=entry&category[]=Bookmark&category[]=Social%20Stream&category[]=<<<{{Tags}}>>>&bookmark-of=<<<{{Url}}>>>

Note that when the string of commands is done, you do not need to have a trailing ampersand. Most of the examples I’ve used are from the Pocket set up within IFTTT, but keep in mind that other services on the platform may use alternate variable names (the portion in the braces {{}}). The differences may be subtle, but they are important so be careful not to use {{EntryTitle}} if your specific recipe expects {{Title}}.

To finish off making your new applet, click on the “Create Action” button. (If necessary, you can test the applet and come back to modify it later.)

Finally, give your applet an appropriate title and click the “Finish” button. For my Pocket applet I’ve used the name “Pocket bookmark PESOS Micropub to WordPress”.

Screencapture of the Review and Finish page on IFTTT

Now that your applet is finished, give it a whirl and see if it works the way you expect! Don’t feel discouraged if you run into issues, but try experimenting a bit to see if you can get the results you’d like to see on your website. You can always go back to your applet recipe and modify it if necessary.
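The Body assembled in the steps above, rebuilt as an added Python example (not code from the original post) for testing your endpoint from your own machine before trusting the applet. It form-encodes every value so an ampersand inside a URL or note cannot split the body, and it sends the token in an Authorization: Bearer header, which Micropub accepts as an alternative to the access_token body parameter and which keeps the token out of anything that records request bodies. The endpoint, token and sample values are placeholders, and the IFTTT time format is an assumption.

```python
# Added example (not from the original post): the walkthrough's Micropub POST,
# built with real form encoding and the token sent in a header, not the body.
from datetime import datetime
from urllib.parse import urlencode, urlsplit
from urllib.request import Request, urlopen

# Post-kind properties named in the walkthrough.
KINDS = {"bookmark-of", "read-of", "like-of", "watch-of", "listen-of"}
# Assumption: IFTTT renders times like "August 8, 2020 at 09:30AM".
IFTTT_TIME = "%B %d, %Y at %I:%M%p"


def to_iso8601(ifttt_time):
    """Convert the assumed IFTTT time format to ISO 8601 (no UTC offset)."""
    return datetime.strptime(ifttt_time.strip(), IFTTT_TIME).isoformat()


def build_post(endpoint, token, url, kind="bookmark-of", content="",
               tags=(), published=None):
    """Return (headers, body) for a form-encoded Micropub create request."""
    parts = urlsplit(endpoint)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("endpoint must be https:// so the token is encrypted in transit")
    if kind not in KINDS:
        raise ValueError("unsupported post kind: %r" % kind)
    fields = [("h", "entry"), (kind, url)]
    if content:
        fields.append(("content", content))
    # One category[] pair per tag; blank tags are dropped.
    fields += [("category[]", t.strip()) for t in tags if t.strip()]
    if published:
        fields.append(("published", to_iso8601(published)))
    headers = {
        "Authorization": "Bearer " + token,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    # urlencode percent-encodes &, =, spaces and non-ASCII text in every value.
    return headers, urlencode(fields).encode("ascii")


def redact(headers):
    """Copy of the headers that is safe to print or log."""
    safe = dict(headers)
    if "Authorization" in safe:
        safe["Authorization"] = "Bearer [redacted]"
    return safe


def send(endpoint, headers, body, timeout=10):
    """POST the request; Micropub answers 201 or 202 with a Location header."""
    req = Request(endpoint, data=body, headers=headers, method="POST")
    with urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.headers.get("Location")


if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network here.
    hdrs, payload = build_post(
        "https://www.example.com/wp-json/micropub/1.0/endpoint",
        "AccessTokenHere",
        "https://example.org/article?id=7&ref=pocket",
        content="Saved from Pocket",
        tags=["Bookmark", "Social Stream"],
        published="August 8, 2020 at 09:30AM",
    )
    print(redact(hdrs))
    print(payload.decode())
```

Call send() with the real endpoint and token only once the printed body looks right, and keep the Micropub plugin's draft setting on while testing.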

Conclusion

Hopefully everyone has as much fun as I’ve had using this workflow to post to their websites. It may take some patience and experimentation to get things the way you’d like to have them, but you’re likely to be able to post more easily in the future. This will also let you own your data as you create it while still interacting with your friends and colleagues online.

I know that it may be possible to use other services like Zapier, Integromat, Automate.io, or other similar services instead of IFTTT though some of these may require paid accounts. I’d love to see what sorts of things people come up with for using this method for owning their own data. Can you think of other services that provide webhooks for potential use in combination with Micropub? (Incidentally, if this is your first foray into the Micropub space, be sure to check out the wealth of free Micropub clients you can use to publish directly to your website without all of the set up and code I’ve outlined above!)

Currently I’m using similar workflows to own my data from social services including Pocket, Diigo, Huffduffer, Reading.am, YouTube, Meetup/Google Calendar, and Hypothes.is. I’ve got several more planned shortly as well.

Thanks once again to Charlotte Allen and subsequently Jan-Lukas Else for the idea of using Micropub this way. Their initial documentation was invaluable to me and others are sure to find it useful. Charlotte has some examples for use with Facebook and Instagram and Jan-Lukas’ example may be especially helpful for those not using WordPress-specific solutions.

And as always, a big thank you to the entire IndieWeb community for continuing to hack away at making the web such a fun and vibrant space by making the small building blocks that make all of the above and so much more possible.

Bookmarked Gimme a token (gimme-a-token.5eb.nl)

This page helps you to obtain an access token or IndieAuth, that you can use with home-made Micropub clients in IFTTT, Workflow and the like.
This page looks hacky on purpose, use at your own risk. Needs javascript, because it works on your own computer.
You can also save this HTML page to your own computer first, if that makes you feel safer. See the code or file an issue.

A cool looking IndieAuth token service.
Liked a post by Henrique Dias (Henrique Dias (@hacdias))

Just published two minimal packages to help building micropub applications!

The first one is called micropub-parser and it's basically a port from @aaronpk's pk3-micropub package to JavaScript.

The second one is a small IndieAuth middleware that can be easily plugged into an Express.js app!

Replied to IFTTT Recipes for PESOS by Charlotte Allen (charlotteallen.info)
So, I spend a long time trying to set up PESOS for individual silos on IFTTT, specifically Facebook and Instagram, because they are terrible. I’ve got it currently set up to publish my initial post, but no back feed support yet. Also, this is going to wordpress, but it shouldn’t matter (in theor...
This is some brilliant work. Thanks for puzzling it all out.

I do have a few questions/clarifications though so as not to be confused since there are a few pieces you’ve left out.

For the IndieAuth token, which is created at /wp-admin/users.php?page=indieauth_user_token one only needs to give it a title and the “create” scope?

For the “then” portion that uses IFTTT.com’s Webhooks service are the following correct?

  • The URL is (when used with WordPress) of the form: https://example.com/wp-json/micropub/1.0/endpoint
  • The Method is: POST
  • The Content Type I’m guessing based on the Body field you’ve included is: application/x-www-form-urlencoded

For your Pocket example, it looks like you’re using the Post Kinds Plugin, so I’m guessing that you could have gotten away without the {{Excerpt}} and {{Title}} portions and just have sent the URL which Post Kinds picks up and parses to give you your context portion with a title and an excerpt anyway?

It looks like part of the trouble of this PESOS set up is that you’re too reliant on Pocket (or other services) being around in the long term. If Pocket disappears, then really, so does most of your bookmark, which ideally should point to the canonical URL of the content you’re bookmarking. Of course perhaps IFTTT may not give you that URL in many cases. It looks to me like the URL you’re bookmarking would make a more appropriate syndication link URL.

For most of my bookmarks, likes, reads, etc. I use a plugin that scrapes my post and saves a copy of the contents of all the URLs on my page to the Internet Archive so that even in the event of a site death, a copy of the content is saved for me for a later date.

In any case, I do like this method if one can get it working. For some PESOS sources, I’ve used IFTTT before, though typically with RSS feeds if the silo provides them. Even then I’m often saving them directly to WordPress as drafts for later modification if the data that IFTTT is providing is less than ideal. Sometimes worse, using RSS doesn’t allow one to use Post Kinds URL field and parsing functionality the way your webhook method does.