Saul Hardman
Posted on January 9, 2020
IndieAuth.com is a public instance of IndieAuth, the decentralised identity protocol built on top of OAuth 2.0. In this article I'm going to explain how to authenticate yourself using your domain and a set of PGP keys handled by Keybase. Once you've successfully logged into IndieAuth.com you'll be able to use the same method to authenticate with any IndieAuth service.
There are many methods of authenticating with IndieAuth, but PGP feels the most "Indie". I manage my keys using Keybase, which conveniently hosts your public PGP keys in ASCII format. I'd initially presumed that IndieAuth would require keys to be hosted on the domain being used to log in, but thankfully that's not the case and so keys hosted remotely on services such as Keybase can be used directly too.
Generating a PGP Key Using Keybase
Once you have Keybase Desktop installed, open up a terminal of your choice and run the following command and follow the steps to generate a PGP key:-
> keybase pgp gen
If you've chosen to generate a new key, alongside an existing key, then you'll need to include the --multi flag.
Once that process is complete, you should now be able to access a hosted copy of your public PGP key at the following URL:-
# NOTE: replace `${YOUR_USERNAME}` with *your* Keybase username
https://keybase.io/${YOUR_USERNAME}/pgp_keys.asc
If you have multiple PGP keys associated with your Keybase account, you can select an individual key by setting the fingerprint parameter:-
# NOTE: run `keybase pgp list` to reveal additional information about existing keys
https://keybase.io/${YOUR_USERNAME}/pgp_keys.asc?fingerprint=${YOUR_KEY_FINGERPRINT}
Link to the Keys
Add the following <link> tag to the <head> of your HTML document:-
<!-- NOTE: replace `${YOUR_USERNAME}` with *your* Keybase username -->
<link
rel="pgpkey"
type="application/pgp-keys"
href="https://keybase.io/${YOUR_USERNAME}/pgp_keys.asc"
/>
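To sanity-check the tag before attempting a login, the following Python sketch (an added example, not code from the original article or from IndieAuth.com) parses a page for rel="pgpkey" links and flags common mistakes. The sample page, the username alice, the fingerprint value and the specific checks are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs
import re

class PgpKeyLinks(HTMLParser):
    """Collect attributes of every <link> whose rel list contains "pgpkey"."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "pgpkey" in a.get("rel", "").lower().split():
            self.links.append(a)

def check_pgpkey_links(html, username):
    """Return (href, problems) pairs; an empty problems list means the link looks right."""
    parser = PgpKeyLinks()
    parser.feed(html)
    results = []
    for a in parser.links:
        href, problems = a.get("href", ""), []
        url = urlsplit(href)
        if url.scheme != "https":
            problems.append("key is not fetched over https")
        if url.hostname == "keybase.io" and url.path != f"/{username}/pgp_keys.asc":
            problems.append("path does not match the expected Keybase username")
        if a.get("type", "").lower() != "application/pgp-keys":
            problems.append("type is not application/pgp-keys")
        fp = parse_qs(url.query).get("fingerprint")
        # Assumption: a full v4 PGP fingerprint, written as 40 hex characters.
        if fp and not re.fullmatch(r"[0-9A-Fa-f]{40}", fp[0]):
            problems.append("fingerprint is not 40 hex characters")
        if "${" in href:
            problems.append("placeholder left in href")
        results.append((href, problems))
    return results

# Constructed sample page; "alice" and the fingerprint are made-up values.
SAMPLE = """<html><head>
<link rel="pgpkey" type="application/pgp-keys"
      href="https://keybase.io/alice/pgp_keys.asc?fingerprint=0123456789ABCDEF0123456789ABCDEF01234567" />
<link rel="pgpkey" href="http://keybase.io/${YOUR_USERNAME}/pgp_keys.asc" />
<link rel="stylesheet" href="/site.css" />
</head><body></body></html>"""

if __name__ == "__main__":
    for href, problems in check_pgpkey_links(SAMPLE, "alice"):
        print(href, "->", problems or "ok")
```

Pinning the href to a single fingerprint means the key a verifier fetches stays the same even if further keys are later added to the Keybase account.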
To verify that your configuration is working, and on each subsequent IndieAuth login, you will be provided with a snippet of text that you're required to sign using your PGP key. Navigate to the IndieAuth.com site and enter and submit your domain name to the <input> in the "Try it!" section.
To do that with Keybase, open the command line and (after ensuring that you have Keybase Desktop installed) run the following command, replacing the placeholder text within the single quotes with the challenge text:-
> keybase pgp sign -m 'INSERT CHALLENGE TEXT HERE'
If you're on macOS, you can pipe the output to pbcopy so that you're ready to paste the signed text back into the <input>/<textarea> and submit right away, like so:-
> keybase pgp sign -m 'INSERT CHALLENGE TEXT HERE' | pbcopy
So there you have it, you should now be able to authenticate with IndieAuth services using your very own domain and a set of PGP keys.