Represents the hosted IndieAuth service provided by
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

README.markdown 3.1KB


A distributed authentication and authorization service for the open Web.

This is the source code for the service that provides IndieAuth log-in support for your website to other services.


Handling RelMeAuth

When the user’s presented with a site that Fortress is capable of signing in with, it’ll navigate them to a page that’ll inform that Fortress will sign in with said site. We confirm that the user in question can sign into the account specified by the remote service. Once that occurs, we determine the correct profile information for the newly signed in service and confirms that it both points to the URI provided as a rel-me and that the URI points back to the user’s site (using rel=me).

  • Store information about.
    • me (user)
    • rel-me values held by me.
  • Update validity of rel-me value of me on sign-in flow.

Account Creation

People will submit a URL that’ll represent them on the Web (ideally). Ideally, this URL points to a freely accessible HTML page. The kind of things we’ll be looking for are:

  • IndieAuth authorization endpoint
  • rel=me links to
    • GitHub
    • Twitter
    • Mastodon
    • Pleroma

Accounts are designed to expire if they haven’t been checked on for more than a month. I’m thinking about making this an adjustable window but capping at once every three months. This is how we can insure some sort of account hygiene.

Client API

Fortress exposes a client API that’s used to provide out of band authentication. It follows the AcI structure of Micropub and Microsub.

Associating Device

C: Generate device pairing code (lives for ~10 minutes) M: Sends request to bind with public key provided C: Sends data that needs to be signed by said public key. M: Sends signed data and device information. C: Confirms that information is valid and returns authorization token.

Fetching Subscriptions

M: Makes authenticated request for q=subscriptions optionally with a protocol list. C: Sends back list of URLs with connection information.

Remote Authorization

The act of authorization of an action will be something like the following:

C: Pushes authorization request to subscription channels. M: Confirms it’s received request by signing + sending ack (optional) M: Sends signed response to remote server. C: Sends cancellation/expiration update of said request. M: Shows that request has been cancelled/expiration.