barnacle

This is the IndieAuth endpoint for https://umbrella.sploot.com using barnacle.

Setup

To set up, add the following <link> elements to the <head> of your website:

<link rel="indieauth-metadata" href="https://umbrella.sploot.com/.well-known/oauth-authorization-server">
<link rel="authorization_endpoint" href="https://umbrella.sploot.com/auth">
<link rel="token_endpoint" href="https://umbrella.sploot.com/token">
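For the client side of this setup, here is an added example (not barnacle's own code) of how a client discovers those endpoints from a profile page: it collects the rel links from <head>, handles multi-valued rel attributes, and resolves relative hrefs against the page URL. The sample page is constructed for the example; the token_endpoint link is made relative on purpose to show the resolution step.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample page: the <link> tags this README asks site owners to add.
# token_endpoint is deliberately relative here to exercise URL resolution.
SAMPLE_PAGE = """<!doctype html><html><head>
<link rel="indieauth-metadata" href="https://umbrella.sploot.com/.well-known/oauth-authorization-server">
<link rel="authorization_endpoint" href="https://umbrella.sploot.com/auth">
<link rel="token_endpoint" href="/token">
<link rel="stylesheet" href="/style.css">
</head><body></body></html>"""

INDIEAUTH_RELS = ("indieauth-metadata", "authorization_endpoint", "token_endpoint")


class RelLinkCollector(HTMLParser):
    """Records <link rel href> pairs found inside <head>.

    A rel attribute may carry several space-separated values, so each value
    is recorded separately; the first href seen for a value wins.
    """

    def __init__(self):
        super().__init__()
        self.rels = {}
        self.in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        if tag != "link" or not self.in_head:
            return
        attrs = dict(attrs)
        rel, href = attrs.get("rel"), attrs.get("href")
        if not rel or not href:
            return
        for value in rel.split():
            self.rels.setdefault(value, href)

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover_endpoints(html, page_url):
    """Return the IndieAuth rel links on the page, resolved to absolute URLs."""
    parser = RelLinkCollector()
    parser.feed(html)
    parser.close()
    return {
        rel: urljoin(page_url, href)
        for rel, href in parser.rels.items()
        if rel in INDIEAUTH_RELS
    }


if __name__ == "__main__":
    for rel, url in discover_endpoints(SAMPLE_PAGE, "https://umbrella.sploot.com/").items():
        print(f"{rel}: {url}")
```

A client should prefer the indieauth-metadata link and fetch the server metadata from it; the two direct endpoint links are the older discovery method and are kept for clients that do not yet understand the metadata document.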

List of valid requests

GET /.well-known/oauth-authorization-server
Show IndieAuth Server Metadata.
GET /auth
Show login form to Authenticate.
POST /auth
Exchange code for Profile Information.
GET /token (legacy)
Check if token is valid.
POST /token
Exchange code for Access Token.
POST /introspect
Check if token is valid. Replaces GET /token as of the February 2022 revision of the spec [1].
GET /userinfo
Get User Information.

Authenticate [2]

GET https://umbrella.sploot.com/auth
Content-Type: application/x-www-form-urlencoded

response_type=code
client_id=https://client.example.com/
redirect_uri=https://client.example.com/redirect
state=1234567890
code_challenge=a21ad7a3adbf55e4a2ea8fb524f193a9f999efd0420b72b1311c4e1858172b35
code_challenge_method=S256
scope=profile+create+update+delete
me=https://umbrella.sploot.com

Response [3]

If you successfully authorize the request, the authorization endpoint will send the authorization code to the redirect_uri.

HTTP/1.1 302 Found
Location: https://client.example.com/redirect?code=xxxxxxxx&
                                              state=1234567890&
                                              iss=https://umbrella.sploot.com
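The two checks a client must make on that redirect are that state matches the value it sent and that iss matches the issuer from the server metadata; otherwise a code from another session or another server could be injected. Here is an added example (not barnacle's code) of the client side of the request above: generating a PKCE verifier, deriving the S256 code_challenge, building the authorization URL, and validating the redirect. The issuer URL is taken from this README; the redirect URL in the usage block is constructed from the response shown above.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# From this README: the issuer and its authorization endpoint.
ISSUER = "https://umbrella.sploot.com"
AUTHORIZATION_ENDPOINT = ISSUER + "/auth"


def make_code_verifier():
    """32 random bytes as unpadded base64url: 43 chars, inside RFC 7636's 43..128 range."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def s256_challenge(code_verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorization_url(client_id, redirect_uri, me, scope, state, code_verifier):
    """The GET /auth request above, with its parameters in the query string."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": s256_challenge(code_verifier),
        "code_challenge_method": "S256",
        "scope": scope,
        "me": me,
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def validate_authorization_response(location, expected_state, expected_issuer=ISSUER):
    """Check the redirect the client receives; return the code or raise ValueError."""
    query = parse_qs(urlparse(location).query)

    def one(name):
        values = query.get(name, [])
        return values[0] if len(values) == 1 else None  # duplicates are treated as absent

    code, state, iss = one("code"), one("state"), one("iss")
    if code is None:
        raise ValueError("authorization response carries no code")
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: response does not belong to this session")
    if iss != expected_issuer:
        raise ValueError("iss mismatch: code did not come from the expected server")
    return code


if __name__ == "__main__":
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    print(build_authorization_url("https://client.example.com/",
                                  "https://client.example.com/redirect",
                                  ISSUER, "profile create update delete",
                                  state, verifier))
    # Constructed redirect, shaped like the 302 Location above:
    redirect = f"https://client.example.com/redirect?code=xxxxxxxx&state={state}&iss={ISSUER}"
    print(validate_authorization_response(redirect, state))
```

The client keeps the verifier and state in its session until the redirect arrives; the verifier is sent only in the later POST to /auth or /token, never in the authorization request.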

Profile Information

POST https://umbrella.sploot.com/auth
Content-Type: application/x-www-form-urlencoded
Accept: application/json

grant_type=authorization_code
code=xxxxxxxx
client_id=https://app.example.com/
redirect_uri=https://app.example.com/redirect
code_verifier=746f6f6d616e7973656372657473

Response [4]

You can exchange the code for the user's profile URL [5]. The response may optionally include the profile information if the code was granted the appropriate scope.

HTTP/1.1 200 OK
Content-Type: application/json

{
  "me": "https://umbrella.sploot.com",
  "profile": {
    "name": "Example User",
    "url": "https://www.example.com/",
    "photo": "https://www.example.com/photo.jpg",
    "email": "user@example.com"
  }
}

Verify Access Token

GET https://umbrella.sploot.com/token
Authorization: Bearer xxxxxxxx
or
POST https://umbrella.sploot.com/introspect
Authorization: Bearer xxxxxxxx

Response [6]

HTTP/1.1 200 OK
Content-Type: application/json

{
  "active": "true",
  "me": "https://www.example.com",
  "client_id": "https://client.example.com",
  "scope": "profile create update delete"
}

Redeem Access Token

POST https://umbrella.sploot.com/token
Content-Type: application/x-www-form-urlencoded
Accept: application/json

grant_type=authorization_code
code=xxxxxxxx
client_id=https://app.example.com/
redirect_uri=https://app.example.com/redirect
code_verifier=746f6f6d616e7973656372657473

Response [7]

HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token": "XXXXXX",
  "token_type": "Bearer",
  "scope": "profile create update delete",
  "me": "https://umbrella.sploot.com"
}
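Both POST /auth and POST /token redeem the same kind of code, and the server-side checks are identical: the code must exist and not have been used, must not have expired, must have been issued to the same client_id and redirect_uri, and the code_verifier must hash to the stored code_challenge. Only the response differs: profile data from /auth, a bearer token from /token, and /introspect then answers for tokens the server minted. Here is an added example of that server side; it is not barnacle's implementation and assumes an in-memory store, a ten-minute code lifetime, and one hard-coded profile for the me URL used in this README.

```python
import base64
import hashlib
import secrets
import time

# Assumptions for this example: in-memory state, a 10-minute code lifetime, and a
# single user profile keyed by the "me" URL from this README.
CODE_TTL_SECONDS = 600
PROFILES = {
    "https://umbrella.sploot.com": {
        "name": "Example User",
        "url": "https://www.example.com/",
        "photo": "https://www.example.com/photo.jpg",
        "email": "user@example.com",
    },
}


def s256(code_verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class AuthServer:
    def __init__(self):
        self.codes = {}   # authorization code -> the request it was bound to
        self.tokens = {}  # access token -> what /introspect reports about it

    def issue_code(self, client_id, redirect_uri, code_challenge, method, scope, me):
        """Called once the user approves the GET /auth login form."""
        if method != "S256":
            raise ValueError("only S256 code challenges are accepted")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {
            "client_id": client_id, "redirect_uri": redirect_uri,
            "code_challenge": code_challenge, "scope": scope, "me": me,
            "expires": time.time() + CODE_TTL_SECONDS,
        }
        return code

    def _redeem(self, code, client_id, redirect_uri, code_verifier):
        # pop() makes the code single-use: a replay, or a failed attempt, burns it.
        entry = self.codes.pop(code, None)
        if entry is None:
            raise PermissionError("unknown or already used code")
        if time.time() > entry["expires"]:
            raise PermissionError("code expired")
        # The redemption must come from the client and redirect_uri the code was issued to.
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            raise PermissionError("client_id/redirect_uri mismatch")
        if not secrets.compare_digest(s256(code_verifier), entry["code_challenge"]):
            raise PermissionError("PKCE verification failed")
        return entry

    def profile_response(self, code, client_id, redirect_uri, code_verifier):
        """POST /auth: code -> profile URL, plus profile info when 'profile' was granted."""
        entry = self._redeem(code, client_id, redirect_uri, code_verifier)
        body = {"me": entry["me"]}
        if "profile" in entry["scope"].split():
            body["profile"] = PROFILES[entry["me"]]
        return body

    def token_response(self, code, client_id, redirect_uri, code_verifier):
        """POST /token: code -> bearer access token carrying the granted scope."""
        entry = self._redeem(code, client_id, redirect_uri, code_verifier)
        if not entry["scope"]:
            raise PermissionError("code was issued without scope; no token to mint")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"me": entry["me"], "client_id": client_id, "scope": entry["scope"]}
        return {"access_token": token, "token_type": "Bearer",
                "scope": entry["scope"], "me": entry["me"]}

    def introspect(self, token):
        """POST /introspect: anything this server did not mint is reported inactive."""
        entry = self.tokens.get(token)
        if entry is None:
            return {"active": False}
        return {"active": True, **entry}


def demo():
    """Walk the flow with the RFC 7636 test-vector verifier; returns what to check."""
    srv = AuthServer()
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    client, redirect = "https://app.example.com/", "https://app.example.com/redirect"
    me = "https://umbrella.sploot.com"
    code = srv.issue_code(client, redirect, s256(verifier), "S256", "profile create update delete", me)
    token_resp = srv.token_response(code, client, redirect, verifier)
    info = srv.introspect(token_resp["access_token"])
    try:
        srv.token_response(code, client, redirect, verifier)  # replaying a used code
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    code2 = srv.issue_code(client, redirect, s256(verifier), "S256", "profile", me)
    try:
        srv.profile_response(code2, client, redirect, "wrong-verifier")
        pkce_rejected = False
    except PermissionError:
        pkce_rejected = True
    return {"token": token_resp, "introspection": info,
            "replay_rejected": replay_rejected, "pkce_rejected": pkce_rejected}


if __name__ == "__main__":
    print(demo())
```

Note that a failed PKCE check also consumes the code: the guess is not retryable, and the client has to start a fresh authorization request.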

User Information [8]

GET https://umbrella.sploot.com/userinfo
Authorization: Bearer xxxxxxxx

Response

HTTP/1.1 200 OK
Content-Type: application/json

{
  "name": "Example User",
  "url": "https://www.example.com/",
  "photo": "https://www.example.com/photo.jpg",
  "email": "user@example.com"
}

References

  1. C.2 Changes from 26 November 2020 to 12 February 2022
  2. Section 5.2 Authorization Request
  3. Section 5.2.1 Authorization Response
  4. Section 5.3.4 Profile Information
  5. Section 5.3.2 Profile URL Response
  6. Section 5.3.3 Access Token Response
  7. Section 6.2 Access Token Verification Response
  8. Section 9 User Information