FEP-f9ec IndieAuth display handles

Source (manually imported from Hedgedoc)

Summary

[IndieAuth] provides a simple, standards-based way for websites to authenticate with a domain or web URL. To easily verify authenticity, we can let users show IndieAuth URLs as their username.

IndieAuth extensions

The following <link> HTML tags, <meta> tags, and HTTP headers MUST be used alongside the existing ones defined in the Discovery by Clients section of the IndieAuth spec.

Authenticity signature endpoint

This endpoint, which has no set path, MUST be queried as an IndieAuth token authenticated GET request. The server will introspect the token to determine the domain from the client ID and will sign a string made of the internationalized domain name [IDN], the ampersand &, and the original URL of the IndieAuth login. The server will respond with an appropriate error code and message should this fail for any reason, and a 200 OK response with the signature -- without the signed data -- in unprefixed hexadecimal.

# Example

(This section is non-normative.)

ActivityPub extension

(Note that this section depends on FEP-888d.)

The following fields are declared in the namespace https://w3id.org/fep/f9ec#, which MAY be referred to with the compact IRI indieauth:*. To implement this FEP, these MUST be used on Actors who have signed in with IndieAuth and opted in to displaying their login URL as their handle. If the ActivityPub server is a provider, it MUST NOT reference the server's provider.

Verification procedure

Before displaying the IndieAuth-based handle for the first time, servers MUST verify that the signature is valid against the currently advertised key. This is the procedure for doing so.

1. The verifying server looks up the login referenced in the preferredHandle of the Actor. * When the handle has not yet been verified, the authenticity_public_key meta value or equivalent header (see IndieAuth extensions section above) MUST be present and configured.

* If this handle has previously been verified but is now failing this check, the verifying server MAY choose to hide the handle and retry later, or it MAY choose to continue showing it until a few failed retries ("a few", in this case, is the maximum retries the server is configured for), after which it SHOULD consider the handle no longer verified and stop showing it.

2. The verifying server recomposes the signed data based on the known domain of the user and the preferredHandle.

3. The verifying server finally verifies the Ed25519 signature against the data and advertised public key.

* If this fails, the `preferredHandle` should stop being shown immediately and it MUST no longer be considered verified; instead, the server assumes that the use of the handle has been de-authorized. The server MAY notify the user (such as by email) that the signature is no longer valid and the user must sign in again to reauthorize it.

Display

(This section is non-normative.)

The handle, when verified, should be shown alongside an appropriate monotone IndieAuth icon, and in place of the handle or URL that the software already shows. Non-standard APIs, such as the Mastodon API, should put the IndieAuth display handle into a separate field.

References

[ActivityPub]

[IDN]

[IndieAuth]

Draft notes

(This section is non-normative.)

The original Gemtext version of this page can be accessed with a Gemini client: gemini://blakes.dev/hdoc/jAH62VKrQYa6R2kkr_X7Hg.gmi

Gemini request details:

Original URL
gemini://blakes.dev/hdoc/jAH62VKrQYa6R2kkr_X7Hg.gmi
Status code
Success
Meta
text/gemini
Proxied by
A modified version of kineto

Be advised that no attempt was made to verify the remote SSL certificate.