The micropub API and security

I’ve talked before about the IndieWeb, and about why it’s important to own your identity online. What is the point, however, if there is no social side to all this? We need to interact with each other.

Webmentions to the rescue. These allow one website to “ping” another: a sort of notification system. This has been extended by snarfed to the major social-network silos with his excellent Bridgy service. This is basically a shim that makes the silos look like they support mf2 + webmentions, and very nicely done too. I still need to implement this on my own site. I’m working on it.

What people are also working on is something called the micropub API. This would allow one site or service to post to another. You could log into my site, and post a note to your site. This obviously involves authentication, which is a well discussed problem. The indieweb community, and Aaron in particular, have developed a service called IndieAuth. This allows you to authenticate as yourself with your own domain, by way of reciprocal rel="me" links between your domain and your profiles on various silos.

To summarise the process: when you log into my site with your domain, I fetch your domain and look for an authorisation endpoint, either in an HTTP Link header or in a <link> element in the HTML. This endpoint is usually https://indieauth.com/auth. I redirect you there with my client ID, my redirect URI and a random state value; you authorise, and get redirected back to my site with an auth code and that same state. I check that the state matches the one I issued for your session (otherwise anyone could inject a code for a different account into it), then look for a token endpoint, again on your site, and request a token from it, sending the auth code along with the same client ID and redirect URI. Your token endpoint verifies the code with the authorisation endpoint, which should accept it only once and only for the client and redirect URI it was issued to, and then generates its own OAuth token, which is sent back to my site. I then use that bearer token when making API requests to your micropub endpoint.
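The exchange described above, as an added example that is not part of the original post or of any IndieAuth implementation. All three parties run in one process with no network: the micropub client (my site), an authorisation endpoint standing in for indieauth.com/auth, and the user’s own token endpoint. The user’s domain, the sample home page and the client URLs are constructed for the example.

```python
"""Simulated IndieAuth login + token exchange for a micropub client (no network)."""
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample of what the client sees when it fetches the user's domain.
ME = "https://alice.example.org/"
SAMPLE_HEADERS = {"Link": '<https://indieauth.com/auth>; rel="authorization_endpoint"'}
SAMPLE_HTML = """<html><head>
<link rel="token_endpoint" href="https://alice.example.org/token">
<link rel="micropub" href="https://alice.example.org/micropub">
</head></html>"""


def discover(rel, headers, html):
    """Find the endpoint for `rel`: HTTP Link header first, then <link> in the HTML."""
    for part in headers.get("Link", "").split(","):
        m = re.match(r'\s*<([^>]+)>\s*;\s*rel="?([^";]+)"?', part)
        if m and rel in m.group(2).split():
            return m.group(1)
    m = re.search(r'<link[^>]*rel="%s"[^>]*href="([^"]+)"' % re.escape(rel), html)
    return m.group(1) if m else None


class AuthorizationEndpoint:
    """Stand-in for indieauth.com/auth: issues one-time codes and verifies them."""

    def __init__(self):
        self._codes = {}

    def authorize(self, me, client_id, redirect_uri, state):
        # The user has proven they are `me`; bind the code to the requesting client.
        code = secrets.token_urlsafe(16)
        self._codes[code] = (me, client_id, redirect_uri)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def verify(self, code, client_id, redirect_uri):
        # pop() makes the code single-use; a replayed code gets None.
        rec = self._codes.pop(code, None)
        if rec and rec[1:] == (client_id, redirect_uri):
            return rec[0]
        return None


class TokenEndpoint:
    """The user's own token endpoint: turns a verified code into a bearer token."""

    def __init__(self, auth_endpoint):
        self._auth = auth_endpoint
        self.tokens = {}  # token -> (me, client_id); what revocation would manage

    def issue(self, code, me, client_id, redirect_uri):
        if self._auth.verify(code, client_id, redirect_uri) != me:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (me, client_id)
        return token


class MicropubClient:
    """My site: discovers endpoints, tracks `state`, and exchanges the code."""

    def __init__(self, client_id, redirect_uri):
        self.client_id, self.redirect_uri = client_id, redirect_uri
        self._pending = {}  # state -> me, kept in the user's session

    def start_login(self, me, headers, html):
        auth_url = discover("authorization_endpoint", headers, html)
        state = secrets.token_urlsafe(16)
        self._pending[state] = me
        params = {"me": me, "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "state": state}
        return auth_url + "?" + urlencode(params), state

    def finish_login(self, redirect_url, headers, html, token_endpoint):
        q = parse_qs(urlparse(redirect_url).query)
        # Unknown state: reject. Otherwise an attacker could inject a code for
        # *their* account into the victim's session (login CSRF).
        me = self._pending.pop(q.get("state", [""])[0], None)
        if me is None or discover("token_endpoint", headers, html) is None:
            return None
        return token_endpoint.issue(q["code"][0], me, self.client_id, self.redirect_uri)


def run_flow(tamper_state=False):
    """Drive the whole exchange in one process and report what each check did."""
    auth = AuthorizationEndpoint()
    token_ep = TokenEndpoint(auth)
    client = MicropubClient("https://myclient.example.com/",
                            "https://myclient.example.com/callback")
    login_url, state = client.start_login(ME, SAMPLE_HEADERS, SAMPLE_HTML)
    # The user authorises at login_url and is sent back with code + state.
    back = auth.authorize(ME, client.client_id, client.redirect_uri,
                          "forged" if tamper_state else state)
    token = client.finish_login(back, SAMPLE_HEADERS, SAMPLE_HTML, token_ep)
    # A second exchange of the same code must fail: codes are single-use.
    code = parse_qs(urlparse(back).query)["code"][0]
    replay = token_ep.issue(code, ME, client.client_id, client.redirect_uri)
    return {"login_url": login_url, "token": token, "code_replay": replay}
```

Running `run_flow()` yields a token and a failed replay; `run_flow(tamper_state=True)` shows the client refusing a redirect whose state it never issued. The two checks that matter for the client are the state comparison and the fact that the token endpoint, not the client, talks to the authorisation endpoint to verify the code.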

Security is a concern here. The most important step I take is to store your token in an encrypted cookie rather than in my webapp’s database: if my site is compromised, your token isn’t automatically compromised along with it. The caveat is that the cookie’s encryption key lives on my server, so this protects against someone walking off with the database, not against an attacker who controls the running server and can decrypt cookies as they arrive. The other talking point regarding security is the revocation of tokens. This isn’t an issue for micropub clients; it is an issue for our own sites, the micropub endpoints. We need a way of managing the OAuth tokens we have generated, so we can see and control which micropub clients we’ve authorised.

I wonder whether this is something that can be incorporated into IndieAuth? Once authorisation has occurred, the endpoint could ask IndieAuth to generate an OAuth token, and that token gets sent back to the client. Then when the micropub client makes an API request, the endpoint checks the OAuth token with IndieAuth, and we could see all our “active” tokens on IndieAuth and revoke those we no longer wish to be active. Further consideration would be needed as to how to implement this, particularly details like which roles (scopes) a token is valid for, or whether it has an expiry date. How would this information be associated with a token? It could simply be encoded into the token itself, which is probably the easiest solution to implement initially; it’s how I generate the tokens on my site at the moment. Anything encoded that way has to be signed or otherwise integrity-protected by the endpoint, so that a client can’t grant itself extra scopes or a later expiry by editing the token, and a self-contained token can only be revoked before it expires if the endpoint also keeps a list of revoked token IDs or rotates its signing key.
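One way to encode scopes and an expiry into the token itself while keeping it tamper-evident, as an added example rather than the post author’s own token format or anything IndieAuth defines. The payload is base64url-encoded JSON with an HMAC-SHA256 tag over it; the signing key, the scope names, the token-ID field and the in-memory revocation set are all assumptions for the example.

```python
"""Self-contained micropub token: signed payload with scopes, expiry and revocation."""
import base64
import hashlib
import hmac
import json
import secrets
import time

SIGNING_KEY = b"assumed-per-site-secret-change-me"  # assumption: a random per-site key
REVOKED = set()  # token IDs revoked early; a real endpoint would persist this


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(payload: dict) -> str:
    return _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())


def issue_token(me, client_id, scopes, ttl_seconds, key=SIGNING_KEY, now=None):
    """Encode me/client/scopes/expiry/id into the token and sign it."""
    now = int(time.time()) if now is None else now
    payload = {"me": me, "client_id": client_id, "scope": " ".join(scopes),
               "exp": now + ttl_seconds, "jti": secrets.token_urlsafe(8)}
    body = _encode(payload)
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify_token(token, required_scope, key=SIGNING_KEY, now=None, revoked=REVOKED):
    """Return (payload, "ok") if the token is genuine, unexpired, unrevoked and
    carries `required_scope`; otherwise (None, reason)."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None, "malformed"
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    # Check the signature (constant-time) before trusting anything inside the token.
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature"
    payload = json.loads(_unb64(body))
    if payload["exp"] <= now:
        return None, "expired"
    if payload["jti"] in revoked:
        return None, "revoked"
    if required_scope not in payload["scope"].split():
        return None, "insufficient scope"
    return payload, "ok"


def revoke(token, revoked=REVOKED):
    """Revocation for self-contained tokens: remember the id until the token expires."""
    revoked.add(json.loads(_unb64(token.split(".")[0]))["jti"])


def tamper(token, **changes):
    """Edit the payload without re-signing, as a misbehaving client might try."""
    body, sig = token.split(".")
    payload = json.loads(_unb64(body))
    payload.update(changes)
    return _encode(payload) + "." + sig
```

The endpoint never looks at a field before the HMAC check passes, which is what lets it trust the scope and expiry it wrote into the token. The trade-off against a random opaque token stored in a table is visible in `revoke`: because nothing is looked up per request, early revocation needs the small denylist of token IDs, pruned as tokens expire.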

Maybe Aaron could chime in.