Right-Click → View Page Source

Authenticate with IndieAuth.com using PGP and Keybase

IndieAuth.com is a public instance of IndieAuth, the decentralised identity protocol built on top of OAuth 2.0. In this article I'm going to explain how to authenticate yourself using your domain and a set of PGP keys handled by Keybase. Once you've successfully logged into IndieAuth.com you'll be able to use the same method to authenticate with any IndieAuth service.

There are many methods of authenticating with IndieAuth, but PGP feels the most "Indie". I manage my keys using Keybase which conveniently hosts your public PGP keys in ASCII format. I'd initially presumed that IndieAuth would require keys to be hosted on the domain being used to login, but thankfully that's not the case and so keys hosted remotely on services such as Keybase can be used directly too.

Generating a PGP Key Using Keybase

Once you have Keybase Desktop installed, open up a terminal of your choice and run the following command and follow the steps to generate a PGP key:-

> keybase pgp gen

If you've chosen to generate a new key, alongside an existing key, then you'll need to include the --multi flag.

Once that process is complete, you should now be able to access a hosted copy of your public PGP key at the following URL:-

# NOTE: replace `${YOUR_USERNAME}` with *your* Keybase username
https://keybase.io/${YOUR_USERNAME}/pgp_keys.asc

If you have multiple PGP keys associated with your Keybase account, you can select an individual key by setting the fingerprint parameter:-

# NOTE: run `keybase pgp list` to reveal additional information about existing keys
https://keybase.io/${YOUR_USERNAME}/pgp_keys.asc?fingerprint=${YOUR_KEY_FINGERPRINT}

Link to the Keys

Add the following <link> tag to the <head> of your HTML document:-

<!-- NOTE: replace `${YOUR_USERNAME}` with *your* Keybase username -->
<link
  rel="pgpkey"
  type="application/pgp-keys"
  href="https://keybase.io/${YOUR_USERNAME}/pgp_keys.asc"
/>

To verify that your configuration is working, and on each subsequent IndieAuth login,
you will be provided with a snippet of text that you're required to sign using your PGP key. Navigate to the IndieAuth.com site and enter and submit your domain name to the <input> in the "Try it!" section:-

A Screenshot of the 'Try It!' Form on IndieAuth.com

To do that with Keybase, open the command line and (after ensuring that you have Keybase Desktop installed) run the following command, replacing the placeholder text within the single quotes with the challenge text:-

> keybase pgp sign -m 'INSERT CHALLENGE TEXT HERE'

If you're on macOS, you can pipe the output to pbcopy so that you're ready to paste the signed text back into the <input>/<textarea> and submit right away, like so:-

> keybase pgp sign -m 'INSERT CHALLENGE TEXT HERE' | pbcopy

So there you have it, you should now able to authenticate with IndieAuth services using your very own domain and a set of PGP keys. If you have any questions or comments don't hesitate to send a Webmention to this URL.