home

IndieAuth and Micropub Login Steps

http://boghop.com/2017/05/06/indieweb-micropub-info.html

IndieAuth login

https://indieauth.com/developers

step 1: complete this form http://wren.soupmode.com/wren/login

<form action="https://indieauth.com/auth" method="get">
<strong>IndieAuth login</strong><br />
  <input id="indie_auth_url" type="text" name="me" />
  <br />
  <input class="submitbutton" type="submit" value="Login" />
  <input type="hidden" name="client_id" value="http://wren.soupmode.com" />
  <input type="hidden" name="redirect_uri" 
value="http://wren.soupmode.com/api/v1/users/auth/" />
</form>

after manually completing the above wren html form page, a GET request is made to the indieauth server, which verifies my login by accessing a social media account (github for me), and if necessary, i log into my github account manually in order for the indieauth server to complete this first step.

after my github login is verified, the indieauth authorization sever makes a POST request back to my wren site with the code info.

step 2:

then i with curl or my wren code makes the following POST request back to the indieauth server to confirm the code and login.

curl -i -d "code=1497989239.0Zb8c5-TlSCjdzYtC_U1Z8nSKYugRUfWTYIalwFhZSIkT0X4biuiCh--IoHuYABOiQQv1eyg1s7k8uiRJKdaK-Qaxev5mwk9k3fZ1IOagrqXi3RChdUoPWVmU710vKXC73I3s0TerpK5Xfky2Xel6UQp-2-VKn1lf70g6mQGdWr-6qo9dAp78rjTJDkonl7BLvLYIcmQOIsrFyrPLFZJ13BKt_rBvPitTCTixwU1uPmOuabnh9QHwzp5sKojmOAUWM2g5RADvGKliFdjbMJdLTVDIfi2jqQb4zJC_ixkxsxQNI2eBK4lGgDUyRLkdDdIeCNrFoEKwc1mU5qt4chS6erHpbr2fYD5F6LXFcoxm0R8Ue0l_7byYHJHYTediYnxH_ZCI1LB-7G2ZyfU3Gb8rTSsijwsrWPj3IC-grNL-LpgZXLh35EBDhzJN9MjggmUZdDhUTiIMJ-OPVxk0xoC_fqh7tk95OKQSBJV3colvQE=.yart6LWvoTp0OPAD4AydMw==&amp;redirect_uri=http://wren.soupmode.com/api/v1/users/auth/&amp;client_id=http://wren.soupmode.com" https://indieauth.com/auth

if successful, the indieauth authorization server returns:

HTTP/1.1 200 OK
Server: nginx/1.12.0
Date: Thu, 11 May 2017 20:54:47 GMT
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
Connection: keep-alive
Cache-Control: no-store
X-Content-Type-Options: nosniff

me=http%3A%2F%2Fboghop.com%2F&amp;scope

Micropub Token

step 3: i don't think that my wren api sever code need to conduct this step. it's conducted by the client app, which could be my wren client code.

https://indieweb.org/token_endpoint

https://indieweb.org/obtaining-an-access-token

I use the code obtained above to make a POST request to the token server. include scope=post in the info below.

curl -i -d "code=1497989239.0Zb8c5-TlSCjdzYtC_U1Z8nSKYugRUfWTYIalwFhZSIkT0X4biuiCh--IoHuYABOiQQv1eyg1s7k8uiRJKdaK-Qaxev5mwk9k3fZ1IOagrqXi3RChdUoPWVmU710vKXC73I3s0TerpK5Xfky2Xel6UQp-2-VKn1lf70g6mQGdWr-6qo9dAp78rjTJDkonl7BLvLYIcmQOIsrFyrPLFZJ13BKt_rBvPitTCTixwU1uPmOuabnh9QHwzp5sKojmOAUWM2g5RADvGKliFdjbMJdLTVDIfi2jqQb4zJC_ixkxsxQNI2eBK4lGgDUyRLkdDdIeCNrFoEKwc1mU5qt4chS6erHpbr2fYD5F6LXFcoxm0R8Ue0l_7byYHJHYTediYnxH_ZCI1LB-7G2ZyfU3Gb8rTSsijwsrWPj3IC-grNL-LpgZXLh35EBDhzJN9MjggmUZdDhUTiIMJ-OPVxk0xoC_fqh7tk95OKQSBJV3colvQE=.yart6LWvoTp0OPAD4AydMw==&amp;redirect_uri=http://wren.soupmode.com/api/v1/users/auth/&amp;client_id=http://wren.soupmode.com&amp;me=http://boghop.com" https://tokens.indieauth.com/token

if successful, the token server returns:

HTTP/1.1 200 OK
Server: nginx/1.12.0
Date: Tue, 20 Jun 2017 20:13:28 GMT
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
Connection: keep-alive

me=http%3A%2F%2Fboghop.com%2F&scope=&access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJtZSI6Imh0dHA6XC9cL2JvZ2hvcC5jb21cLyIsImlzc3VlZF9ieSI6Imh0dHBzOlwvXC90b2tlbnMuaW5kaWVhdXRoLmNvbVwvdG9rZW4iLCJjbGllbnRfaWQiOiJodHRwOlwvXC93cmVuLnNvdXBtb2RlLmNvbSIsImlzc3VlZF9hdCI6MTQ5Nzk4OTYwOCwic2NvcGUiOiIiLCJub25jZSI6ODI0ODQ1OTR9.gTQM9Xwfcb8npCqq7_OINtk4qbphRagjzOaIq3VIAE8

step 4:

https://indieweb.org/token_endpoint

https://tokens.indieauth.com/token

my micropub code ( doesn't exist yet) makes a GET request to the token server to confirm the access_token above. the token is included in the header with the name Bearer.

Your Micropub endpoint can query the token endpoint [server] to verify the access token given. To verify the access token, make a GET request to the token endpoint with the access token in the header:

GET https://tokens.indieauth.com/token
Content-type: application/x-www-form-urlencoded
Authorization: Bearer xxxxxxxx

curl -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJtZSI6Imh0dHA6XC9cL2JvZ2hvcC5jb21cLyIsImlzc3VlZF9ieSI6Imh0dHBzOlwvXC90b2tlbnMuaW5kaWVhdXRoLmNvbVwvdG9rZW4iLCJjbGllbnRfaWQiOiJodHRwOlwvXC93cmVuLnNvdXBtb2RlLmNvbSIsImlzc3VlZF9hdCI6MTQ5Nzk4OTYwOCwic2NvcGUiOiIiLCJub25jZSI6ODI0ODQ1OTR9.gTQM9Xwfcb8npCqq7_OINtk4qbphRagjzOaIq3VIAE8" https://tokens.indieauth.com/token

The token endpoint will verify the token and the response will include information about the user and scope of the token.

The scope value will be a space-separated list of strings representing all the scopes that were granted. It may also be blank or contain just one value.

response from indieauth server includes:

HTTP/1.1 200 OK
Content-Type: application/x-www-form-urlencoded

me=http%3A%2F%2Fboghop.com%2F&amp;
issued_by=https%3A%2F%2Ftokens.indieauth.com%2Ftoken&amp;
client_id=http%3A%2F%2Fwren.soupmode.com&amp;
issued_at=1497989608&amp;
scope=&amp;
nonce=82484594

the scope for me contains nothing. in the example at https://indieweb.org/token_endpoint scope=post. i need to specify scope=post at step 3 or maybe earlier

Your Micropub endpoint can inspect the values and use them to determine whether to proceed with processing the request. For example, for a Micropub endpoint for posting notes to your own site, you would likely only accept requests where the "me" value is your own site.

Micropub clients

i guess the client is responsible for the token. i don't know. still trying to figure out the flow process.

https://www.w3.org/TR/micropub/#response

https://indieweb.org/Micropub/Clients

tested posting to Wren's Micropub server endpoint from the following clients:

my Micropub.pm receive urlencoded form data for a post. i'm using it in debug mode. i return error in application/json format. i wanted to see what token info was provided, if any. and yes, the client at micropublish.net sent the token to my wren app. therefore, it's the responsibility of the client to obtain the token. but i can verify the user login session by checking the token provided against the token server.

here's my debug error code returned. i checked the environment variable for Authorization, and I returned the result, which was the Bearer and access token, provided by the client app.

{"error_description":"Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJtZSI6Imh0dHA6XC9cL3dyZW4uc291cG1vZGUuY29tXC8iLCJpc3N1ZWRfYnkiOiJodHRwczpcL1wvdG9rZW5zLmluZGllYXV0aC5jb21cL3Rva2VuIiwiY2xpZW50X2lkIjoiaHR0cHM6XC9cL21pY3JvcHVibGlzaC5uZXQiLCJpc3N1ZWRfYXQiOjE0OTgwMTA5MDEsInNjb3BlIjoicG9zdCIsIm5vbmNlIjoxMDI1MzI5MTkzfQ.rC9MKjW-omV1WIIuIjcL0jfO7rraaHytuxssiQDJ7Nw","error":"invalid_request"}

instead of verifying a login with my own Auth module that checks cookie data that was sent to the api server against a text file, blah, blah, blah, i think that i verify the login against the token server like this:

curl -i -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJtZSI6Imh0dHA6XC9cL3dyZW4uc291cG1vZGUuY29tXC8iLCJpc3N1ZWRfYnkiOiJodHRwczpcL1wvdG9rZW5zLmluZGllYXV0aC5jb21cL3Rva2VuIiwiY2xpZW50X2lkIjoiaHR0cHM6XC9cL21pY3JvcHVibGlzaC5uZXQiLCJpc3N1ZWRfYXQiOjE0OTgwMTA5MDEsInNjb3BlIjoicG9zdCIsIm5vbmNlIjoxMDI1MzI5MTkzfQ.rC9MKjW-omV1WIIuIjcL0jfO7rraaHytuxssiQDJ7Nw" https://tokens.indieauth.com/token

the return from the token server was:

HTTP/1.1 200 OK
Server: nginx/1.12.0
Date: Wed, 21 Jun 2017 02:33:46 GMT
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
Connection: keep-alive

me=http%3A%2F%2Fwren.soupmode.com%2F&issued_by=https%3A%2F%2Ftokens.indieauth.com%2Ftoken&client_id=https%3A%2F%2Fmicropublish.net&issued_at=1498010901&scope=post&nonce=1025329193

if 200 ok, then i guess it means it's a valid login. i suppose that i could determine if it's an old login by checking the issued_at, assuming that's epoch seconds.

if a bad token was sent to the token server for verification, the token server returns:

HTTP/1.1 400 Bad Request
Server: nginx/1.12.0
Date: Wed, 21 Jun 2017 02:40:51 GMT
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
Connection: keep-alive

error=unauthorized&error_description=The+token+provided+was+malformed

Jun 21, 2017

Successful day implementing parts of Micropub in my Wren API server code.

I can create a post from the micropublish.net using that micropub client's note posting form. The article posting form sends HTML and not raw text. That's nuts. I don't want that HTML coming from the client, unless I typed the HTML.

I can also accept a "reply" type of post from micropublish.net and through the woodwind.xyz feed reader web app, which is pretty cool.

A reply post is a note post in the IndieWeb world, which means raw text is sent to the server.

A reply type of post tells my Wren code to the Webmention (reply) to the in-reply-to URL that is entered into the micropub client. Excellent.

I cannot make update work at micropublish.net. The site displays Internal Server Error.

https://www.w3.org/TR/micropub/#source-content

micropub client json

using the preview within client web app micropublish.net to show the json that the client would send to my server code.

using the client's article post form

my code ignores the name field (title), since my i store titles within the entire markup.

the "article" form includes the extra field called "html".

{
  "type": [
    "h-entry"
  ],
  "properties": {
    "name": [
      "a"
    ],
    "content": [
      {
        "html": "# test post 22jun2017 0835\r\n\r\nhere is some content."
      }
    ]
  }
}

using the client's note post form

{
  "type": [
    "h-entry"
  ],
  "properties": {
    "content": [
      "# test post 22jun2017 0835\r\n\r\nhere is some content."
    ]
  }
}

Jun 22, 2017

https://github.com/barryf/micropublish

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9

c .. 9
jr .. g

https://barryfmicropublish.herokuapp.com/

Quill

https://quill.p3k.io/

slick, but it only creates posts. it does not perform updates.

Trying to update

Jun 22, 2017

at the moment, the only micropub client available to me that can perform updates is micropublish.net, but it fails when i try to edit.

i enter the url of the page to edit as requested, and then the app blows up on the server because the web server returns internal server error.

i may have to install the app on my owner server to debug it. is it a problem with my code?

in order to update a post, the client must retrieve the original content and display it within a textarea box or something similar to permit me to make changes.

i assume this is the request to retrieve the original source of the post:
https://www.w3.org/TR/micropub/#source-content

in my code for a get request that sends the appropriate query string, i have my code set to send back fixed data.

the GET request, which i assume is what is submitted by the client. i want to update info.html.

curl -i http://wren.soupmode.com/api/v1/micropub?q=source\&url=http://wren.soupmode.com/info.html

my wren micropub code and the nginx server return the following:

HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Thu, 22 Jun 2017 15:22:56 GMT
Content-Type: application/json; charset=ISO-8859-1
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding

{
  "type": ["h-entry"],
  "properties": {
    "published": ["2016-02-21T12:50:53-08:00"],
    "content": ["Hello World"],
    "category": [
      "foo", 
      "bar"
    ]
  }
}

that appears to match what exists in the micropub spec, but the micropublish client bombs, making the server return the 500 error to my browser.

micropub testing

https://micropub.rocks

on july 3, 2017, my wren code passed the following tests:

That's all I need at this point. I don't need to support categories, photo uploads, etc.

For the 602 source query test, Wren does not support categories.

And for a source query GET request, I'm not returning the published date of the post, although it's unneeded in the returned JSON anyway.

https://www.w3.org/TR/micropub/#source-content

The example request and returned info shown in the above doc looked like this:

GET /micropub?q=source&url=https://aaronpk.example/post/1000
Authorization: Bearer xxxxxxxxx
Accept: application/json

HTTP/1.1 200 OK
Content-type: application/json

{
  "type": ["h-entry"],
  "properties": {
    "published": ["2016-02-21T12:50:53-08:00"],
    "content": ["Hello World"],
    "category": [
      "foo", 
      "bar"
    ]
  }
}

Uploading photos

Someday, I might enable Wren to support image uploading, assuming that I want to store images on my hosted server, like I do now with my Waxwing code at http://waxwing.soupmode.com.

I could install Waxwing and run it as a separate app, like I do now at Soupmode. If all I want is a place to store images to be embedded into Wren posts, then I could use Waxwing, but I would change a couple things.

I would add an option to Waxwing to support uploading the large, original image. Currently, client-side JavaScript reduces the size and quality of the image to make uploading over a cellular connection faster. This permits a good-enough image, but it's definitely lower quality.

Currently, Waxwing only uploads one image at a time. I might add the option to upload multiple images, especially if a fast internet connection exists.

But Waxwing uses CouchDB and Elasticsearch, and maybe I don't want to install those servers. I could modify Waxwing to store info in text files. In a modified Waxwing, would I still permit adding a note to the image upload? Probably. But I wouldn't worry about auto-linking hashtags, like Waxwing does now.

It wouldn't be Waxwing then. It would be modified app based upon Waxwing. I could operate it at a sub-domain. But would I want to have a separate app?

Another Micropub client

on july 7, 2017, i installed the omnibear chrome browser extension that is a micropub client. it worked. interesting.

http://boghop.com/on-july-7-2017-i-installed-the-chrome-browser-extension-called-omnibear-t.html

http://indieweb.org/Omnibear

home - info - search