Using Kirby as an IndieAuth authentication endpoint

IndieAuth is based on the idea that, instead of using site-specific credentials or logging in with a third-party account (“Log in with Google” and the like), users keep control over their identity by tying their login to their personal website. I adapted an existing implementation so that identifying via IndieAuth is done by logging in to the CMS backend.

tl;dr: I adapted the open source Selfauth server into a Kirby 3 plugin, kirby3-selfauth, which allows logging in to IndieAuth-enabled websites using one’s own domain.

The Indieweb wiki explains IndieAuth like this:

IndieAuth is a federated login protocol for Web sign-in, enabling users to use their own domain to sign in to other sites and services.

In essence, this means that a website owner can use their website URL to log in to other web services.

For example the Indieweb wiki itself can only be accessed with an IndieAuth-enabled URL: as a user logs in to the wiki, they provide their homepage URL and a verification process ensures they are the owners of that URL.

The easy third-party implementation

The Kirby cookbook contains a recipe for the most straightforward implementation, which relies entirely on third-party services: using rel="me" links, a website indicates which social media profiles its owner is connected to, and the authorisation service at indielogin.com then makes the user log in with those credentials in order to authorise access to the target site.

This makes for a smooth experience and works reliably – all that is needed is for the site owner to add a suitable rel="me" link and link back to their website from that social media profile (the indieauth.com website lists the available options). The drawbacks are the reliance on a third-party service, the need to have an account in a compatible social media silo, and potential privacy risks, since social media services are (in theory at least) able to monitor where a user logs in.

Using Kirby as an indieauth server

In order not to have to rely on third-party services, an individual would have to run their own IndieAuth authentication endpoint. That way, no links to social media profiles are needed, and instead of an external authentication service, the user’s own website takes care of authenticating to the target website.

Luckily, there is a wide range of existing implementations to build upon. My long-time favourite, Selfauth, is a minimal authorisation endpoint server contained in a single PHP script, with no need for a database. It works incredibly well, but I wanted to see it integrated with my Kirby CMS, essentially logging in to other sites with my Kirby credentials.

kirby3-selfauth is a modified version of the original Selfauth, with a range of adaptations (details) to provide a frictionless login experience. Instead of setting a separate authentication password, the script checks that the user is logged in to the Kirby panel.

After installation and setup, the experience of logging in to the IndieWeb wiki consists of only three steps:

  1. The website (here: indielogin.com, on behalf of indieweb.org) asks the user to enter their website domain.
  2. Over at their own website, the user logs in to their Kirby CMS (unless already logged in, in which case this step is skipped).
  3. The user is asked by their own website to authorize identification to the original website using their site’s URL as their identity.
  4. After clicking on “Authenticate”, the user is forwarded back to the original site, now in a logged-in state, with their Kirby website as their identity.

(Screenshots of the three screens described above)
The login process only consists of three screens and does not involve any third parties – the authentication is negotiated between the target site and the user’s own Kirby backend.
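To make the handshake behind those screens concrete, here is an added example (not code from kirby3-selfauth or Selfauth) of the two jobs an IndieAuth authorization endpoint has to get right: minting a database-free code once the panel user has clicked “Authenticate”, and answering the client’s later redemption request with the user’s URL only if the code is untampered, unexpired and bound to the same client_id and redirect_uri. The secret, the site URL, the indielogin.com URLs and the `now` parameter are constructed for the demo; whether the real plugin binds codes this way is an assumption, not something the post states.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode, urlsplit

# Constructed demo values; a real endpoint reads these from the site's configuration.
SECRET = b"constructed-demo-secret-change-me"
ME = "https://example.com/"   # the Kirby site's URL doubles as the user's identity
CODE_LIFETIME = 300           # seconds a code stays redeemable

def redirect_uri_allowed(client_id, redirect_uri):
    """IndieAuth expects redirect_uri to share scheme, host and port with client_id;
    otherwise the client must publish it via rel=redirect_uri, which this example
    does not fetch, so such requests are simply refused."""
    c, r = urlsplit(client_id), urlsplit(redirect_uri)
    return c.scheme == "https" and (c.scheme, c.netloc) == (r.scheme, r.netloc)

def issue_code(client_id, redirect_uri, now=None):
    """Step 4: mint a stateless code. The HMAC binds me, client_id, redirect_uri
    and an expiry, so the code cannot be redeemed by another client or target."""
    if not redirect_uri_allowed(client_id, redirect_uri):
        raise ValueError("redirect_uri does not match client_id")
    exp = int(now if now is not None else time.time()) + CODE_LIFETIME
    payload = json.dumps({"me": ME, "client_id": client_id,
                          "redirect_uri": redirect_uri, "exp": exp}).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag

def authorize_redirect(client_id, redirect_uri, state):
    """URL the browser is sent back to; state is echoed unchanged so the client
    can tie this response to the request it started."""
    sep = "&" if "?" in redirect_uri else "?"
    return redirect_uri + sep + urlencode({"code": issue_code(client_id, redirect_uri),
                                           "state": state})

def verify_code(code, client_id, redirect_uri, now=None):
    """Redemption: the client POSTs code, client_id and redirect_uri back and gets
    {"me": ...} only if every bound value still matches. Replay within
    CODE_LIFETIME is not prevented here; true single use needs a store."""
    try:
        b64, tag = code.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
        claims = json.loads(payload)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    if claims["client_id"] != client_id or claims["redirect_uri"] != redirect_uri:
        return None
    if claims["exp"] < int(now if now is not None else time.time()):
        return None
    return {"me": claims["me"]}
```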

The kirby3-selfauth plugin has been tested with the Kirby Starterkit (https://getkirby.com/try) and, if all setup steps from the instructions are followed, should work out of the box. I look forward to hearing about your experiences or problems. While I take the blame for any bugs this adaptation may have, major credit is due to Selfauth’s original contributors; adapting it was merely a design exercise.