lemoncurry 1.5.0: now with indieauth!

yep, lemoncurry 1.5 can act as its own indieauth-powered authorisation server, which means i can log into various indieweb sites as 00dani.me! cool beans???

since you can’t log in as me (i hope!), you can’t actually see how the new indieauth support works, so i’ve taken a few screenshots to give you an idea! here’s me logging into two prominent indieauth-capable sites:

authenticating with IndieAuth.com

authenticating with Telegraph

the cute little ☑ and ? icons indicate whether the client has been verified!! indieauth uses a really simple approach to establish client trust, which is that the client id (for example, https://indieauth.com) should contain a publicly-visible reference to its redirect uri (for example, https://indieauth.com/auth/indieauth/redirect). then, indieauth servers can check whether that reference is present, which proves the redirect uri really “goes with” that client id

unfortunately doing this is still an experimental feature? so i’ve made verification optional and displayed cute little icons, rather than just rejecting unverified clients. the icons also have cute tooltips to explain what they mean:

indieauth.com is verified

telegraph.p3k.io is not verified