#[aaronpk]It looks like it fetches the url the user enters, which is right, but if that's the case then they shouldn't ever end up on indielogin.com because you can't use that to get an access token or do the IndieAuth flow
#[aaronpk]I also can't figure out what library "require('indieauth-helper')" is
#[aaronpk]There's no need to run both verifyCode and getToken. That's probably where the problem is
#[aaronpk]If you want an access token the run only getToken because that'll return both the token and the "me" value at the same time
#[aaronpk]The authorization code is meant to be one time use, so that's probably why the getToken is failing, because it's already been used to verify the code
[schmarty], krychu and paulrobertlloyd joined the channel
#aaronpkpaulrobertlloyd: what are you trying to do exactly?
#aaronpkare you trying to identify the user and then issue your own session cookie to get them logged in to this express app?
#paulrobertlloydEssentially, I have some configuration/settings pages on a (Micropub) server that I want behind auth. I will later need an access token so that the user can post from that server to their own site.
#aaronpkif you need an access token to post to a user's own site, then that access token has to come from their own authorization endpoint, and indielogin.com can't help you with that
#aaronpkso that form should post back to your express app, where you use the URL they enter to discover their own authorization endpoint, and then go send them off to that URL to log in
#cweiskeI'm getting more and more pingback spam in the last weeks from sites that scrape my site and embed my images.
#aaronpkyou'll need to drop the verifyCode() method you have, because that's using up the authorization code and the getToken() method is failing because the code has already been used
#paulrobertlloydSo it is possible to authenticate and request a token using that one step (possibly), but I need to pass the user’s token endpoint to that function?
#aaronpkwhen you get an access token you also get back the user's identifier (URL)
#aaronpkand in order to do that you have to interact with their own authorization endpoint and token endpoint
#aaronpkso you don't hard-code indielogin.com or indieauth.com at all
#paulrobertlloydSo I auth user via IndieLogin, then after that I can use the verified URL in the getToken method to request an access token, correct?
#paulrobertlloydSo where should my sign in form point to? (I’ve read the specs plenty of times, but authentication/authorisation, similarly named tokens… it’s all quite opaque to the uninitiated, sadly!)
#aaronpkyour sign-in form should point back to a route in your express app
#paulrobertlloydOkay. Well sounds like using IndieLogin has thrown me off course! I need to handle it all on my side of things, using the helper library (hopefully!)
#paulrobertlloydThat’s really useful to know, thanks! What is IndieLogin for then, out of interest?
#aaronpkyep! indielogin.com is *only* for the case where you want to identify the user
#aaronpkfor example the wiki uses it to log people in. the wiki doesn't need an access token because it doesn't try to post to their website
#paulrobertlloydOkay, thanks for your help. Will have a second crack at this later this week, and hopefully get it working.
#[Lewis_Cowles]It seems to be a network-application-level service to enable you to login using google, twitter, etc without cluttering your apps with many client codes
#aaronpk[Lewis_Cowles]: yes, tho specifically while identifying the user by their own URL rather tan by twitter/github/etc
#[Lewis_Cowles]would their own URL be a public or private resource?
#[Lewis_Cowles]Then lets ignore it as I was trying to understand “identifying the user by their own URL”
#aaronpkthe user types in their own URL (e.g. aaronpk.com) and then indielogin.com authenticates them by getting them to log in via twitter/github/indieauth/email/etc based on what profiles they link to from their website
#[Lewis_Cowles]given lewiscowles.co.uk indielogin.com would use my github to say “this is Lewis<User:734637348>“?
#aaronpkthe result of indielogin.com is "yes the person at the computer is aaronpk.com"
#[Lewis_Cowles]I’m sure the language used makes sense to all that are not me. The sequence diagram linked makes sense of the timings of things
#[Lewis_Cowles]the description that a URL can be an identifying URL makes sense
#[Lewis_Cowles]The bit I’m stuck on is how my login via GitHub would relate to the indieweb or any other page / app. I’ve looked for the content and all I have found is an sso link which sends me to indielogin with a code (perhaps the code is a token)
#LoqiRelMeAuth is a proposed open standard for using rel-me links to profiles on OAuth supporting services to authenticate via either those profiles or your own site.
RelMeAuth is the technology behind web-sign-in.
Editor
Tantek Çelik (http://tante...
#[Lewis_Cowles]😂 so that is my confusion Tonz wiki page has no rel=“me” links.
#[Lewis_Cowles]hmmm I got invalid session state from indielogin after adding rel=“me” to all my links. IndieLogin worked perfectly and even auto-picked a source of truth for authorizing with a third party (GitHub)