A distributed authentication and authorization service for the open Web.
This is the source code for the service that provides IndieAuth log-in support for your website to other services.
rel-me auth where possible.
When the user is presented with a site that Fortress is capable of signing in
with, they're navigated to a page informing them that Fortress will sign in
with said site. We confirm that the user in question can sign into the account
specified by the remote service. Once that occurs, we determine the correct
profile information for the newly signed-in service and confirm both that it
points to the URI provided as a rel-me and that the URI points back to the
user’s site (using
meon sign-in flow.
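The two-way rel-me check described above, as an added example (not Fortress's own code). The URLs, HTML snippets and function names are constructed for illustration, and the URL normalization is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample pages (assumptions, not real sites).
SITE = "https://alice.example/"
SITE_HTML = '<a rel="me" href="https://social.example/alice">me elsewhere</a>'
PROFILE = "https://social.example/alice"
GOOD_PROFILE_HTML = '<a rel="me nofollow" href="https://alice.example">site</a>'
ONE_WAY_PROFILE_HTML = '<a href="https://alice.example">site</a>'  # no rel=me


def normalize(url):
    """Lower-case the host, drop the fragment, treat an empty path as "/"."""
    p = urlsplit(url)
    query = "?" + p.query if p.query else ""
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}{query}"


class RelMeParser(HTMLParser):
    """Collects hrefs of <a>/<link> elements whose rel list contains "me"."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        rels = (attr.get("rel") or "").lower().split()
        if "me" in rels and attr.get("href"):
            # Resolve relative hrefs against the page they were found on.
            self.links.add(normalize(urljoin(self.base_url, attr["href"])))


def rel_me_links(page_url, html):
    parser = RelMeParser(page_url)
    parser.feed(html)
    return parser.links


def mutually_linked(site_url, site_html, profile_url, profile_html):
    """True only if the site lists the profile AND the profile links back.

    A one-way link proves nothing: anyone can point rel=me at a profile
    they do not control, so both directions must hold.
    """
    forward = normalize(profile_url) in rel_me_links(site_url, site_html)
    backward = normalize(site_url) in rel_me_links(profile_url, profile_html)
    return forward and backward
```
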
People will submit a URL that’ll represent them on the Web (ideally). Ideally, this URL points to a freely accessible HTML page. The kinds of things we’ll be looking for are:
Accounts are designed to expire if they haven’t been checked on for more than a month. I’m thinking about making this an adjustable window but capping at once every three months. This is how we can ensure some sort of account hygiene.
C: Generates device pairing code (lives for ~10 minutes).
M: Sends request to bind with public key provided.
C: Sends data that needs to be signed with the private key matching said public key.
M: Sends signed data and device information.
C: Confirms that information is valid and returns authorization token.
M: Makes authenticated request for
with a protocol list.
C: Sends back list of URLs with connection information.
The act of authorization of an action will be something like the following:
C: Pushes authorization request to subscription channels.
M: Confirms it’s received the request by signing + sending ack (optional).
M: Sends signed response to remote server.
C: Sends cancellation/expiration update of said request.
M: Shows that the request has been cancelled/expired.